Re: libvirt / CVE-2019-3886

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Guido Günther <agx@sigxcpu.org>, debian-lts@lists.debian.org
Subject: Re: libvirt / CVE-2019-3886
From: Brian May <bam@debian.org>
Date: Mon, 29 Apr 2019 17:19:54 +1000
Message-id: <[🔎] 871s1lb7mt.fsf@silverfish.pri>
In-reply-to: <[🔎] 20190411211811.GA14285@pisco.westfalen.local>
References: <[🔎] 87bm1hdjft.fsf@silverfish.pri> <[🔎] 20190408100108.GA10558@bogon.m.sigxcpu.org> <[🔎] 871s2bejhc.fsf@silverfish.pri> <[🔎] 20190411211811.GA14285@pisco.westfalen.local>

Moritz Mühlenhoff <jmm@inutil.org> writes:

> We're tracking at as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Attached is an updated patch using the newly allocated CVE-2016-10746
identifier.
-- 
Brian May <bam@debian.org>

diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog	2018-03-13 06:51:52.000000000 +1100
+++ libvirt-1.2.9/debian/changelog	2019-04-08 17:29:21.000000000 +1000
@@ -1,3 +1,10 @@
+libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2016-10746: Ensure get time RPC calls require write access.
+
+ -- Brian May <bam@debian.org>  Mon, 08 Apr 2019 17:29:21 +1000
+
 libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
 
   * Switch gbp.conf to jessie
diff -Nru libvirt-1.2.9/debian/patches/CVE-2016-10746.patch libvirt-1.2.9/debian/patches/CVE-2016-10746.patch
--- libvirt-1.2.9/debian/patches/CVE-2016-10746.patch	1970-01-01 10:00:00.000000000 +1000
+++ libvirt-1.2.9/debian/patches/CVE-2016-10746.patch	2019-04-08 17:29:21.000000000 +1000
@@ -0,0 +1,21 @@
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -21229,6 +21229,7 @@
+     virResetLastError();
+ 
+     virCheckDomainReturn(dom, -1);
++    virCheckReadOnlyGoto(dom->conn->flags, error);
+ 
+     if (dom->conn->driver->domainGetTime) {
+         int ret = dom->conn->driver->domainGetTime(dom, seconds,
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5444,7 +5444,7 @@
+ 
+     /**
+      * @generate: none
+-     * @acl: domain:read
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_GET_TIME = 337,
+ 
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series	2018-03-13 06:00:35.000000000 +1100
+++ libvirt-1.2.9/debian/patches/series	2019-04-08 17:29:21.000000000 +1000
@@ -37,3 +37,4 @@
 upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
 security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
 security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+CVE-2016-10746.patch

Reply to:

References:
- libvirt / CVE-2019-3886
  - From: Brian May <brian@linuxpenguins.xyz>
- Re: libvirt / CVE-2019-3886
  - From: Guido Günther <agx@sigxcpu.org>
- Re: libvirt / CVE-2019-3886
  - From: Brian May <bam@debian.org>
- Re: libvirt / CVE-2019-3886
  - From: Moritz Mühlenhoff <jmm@inutil.org>

Prev by Date: Re: RFT and RFC: Updates for evolution{,-data-server}
Next by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Previous by thread: Re: libvirt / CVE-2019-3886
Next by thread: Fwd: [SECURITY] [DSA 4427-1] samba security update
Index(es):
- Date
- Thread