Re: libvirt 0.4.6-10+lenny1 stable update
On Thu, Jul 29, 2010 at 04:02:53PM +0200, Guido Günther wrote:
> Hi,
> I'd like to upload a new version of libvirt to stable fixing two issues:
>
> * CVE-2010-2242: Apply a source port mapping to virtual network
> masquerading
> * Fix path to hvmloader. (Closes: #573808)
>
> The first fixes a minor security issue, the update is the backport of an
> upstream fix:
>
> http://git.debian.org/?p=pkg-libvirt/libvirt.git;a=commit;h=dcdab940c808defb589559567e38b94ecfebb793
>
> The latter one fixes a major annoyance for people using Xen with libvirt
> by fixing the path to the HVM loader:
>
> http://git.debian.org/?p=pkg-libvirt/libvirt.git;a=commit;h=ce08070c680dc3a3deea50cca36d598636ff7aac
>
> The debdiff is attached. O.k. to upload?
Find the debdiff attached now.
-- Guido
diff -u libvirt-0.4.6/debian/changelog libvirt-0.4.6/debian/changelog
--- libvirt-0.4.6/debian/changelog
+++ libvirt-0.4.6/debian/changelog
@@ -1,3 +1,11 @@
+libvirt (0.4.6-10+lenny1) stable; urgency=low
+
+ * [dcdab94] CVE-2010-2242: Apply a source port mapping to virtual network
+ masquerading
+ * [ce08070] Fix path to hvmloader. (Closes: #573808)
+
+ -- Guido Günther <agx@sigxcpu.org> Thu, 29 Jul 2010 15:38:03 +0200
+
libvirt (0.4.6-10) unstable; urgency=low
* [5878698] cherry-pick patch for CVE-2008-5086 from experimental
diff -u libvirt-0.4.6/debian/patches/series libvirt-0.4.6/debian/patches/series
--- libvirt-0.4.6/debian/patches/series
+++ libvirt-0.4.6/debian/patches/series
@@ -11,0 +12,2 @@
+0012-fix-Debian-specific-path-to-hvm-loader.patch
+0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
only in patch2:
unchanged:
--- libvirt-0.4.6.orig/debian/patches/0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
+++ libvirt-0.4.6/debian/patches/0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
@@ -0,0 +1,246 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 29 Jul 2010 13:50:19 +0200
+Subject: [PATCH] CVE-2010-2242: Apply a source port mapping to virtual network masquerading
+
+IPtables will seek to preserve the source port unchanged when
+doing masquerading, if possible. NFS has a pseudo-security
+option where it checks for the source port <= 1023 before
+allowing a mount request. If an admin has used this to make the
+host OS trusted for mounts, the default iptables behaviour will
+potentially allow NAT'd guests access too. This needs to be
+stopped.
+
+Origin: vendor, c567853089a2764c964002dd752e09e318524a38
+---
+ src/iptables.c | 64 ++++++++++++++++++++++++++++++++++-------------
+ src/iptables.h | 6 +++-
+ src/qemu_driver.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 117 insertions(+), 24 deletions(-)
+
+diff --git a/src/iptables.c b/src/iptables.c
+index 726141a..a1eab96 100644
+--- a/src/iptables.c
++++ b/src/iptables.c
+@@ -1087,23 +1087,47 @@ static int
+ iptablesForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+ const char *physdev,
++ const char *protocol,
+ int action)
+ {
+- if (physdev && physdev[0]) {
+- return iptablesAddRemoveRule(ctx->nat_postrouting,
+- action,
+- "--source", network,
+- "--destination", "!", network,
+- "--out-interface", physdev,
+- "--jump", "MASQUERADE",
+- NULL);
++ if (protocol && protocol[0]) {
++ if (physdev && physdev[0]) {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "-p", protocol,
++ "!", "--destination", network,
++ "--out-interface", physdev,
++ "--jump", "MASQUERADE",
++ "--to-ports", "1024-65535",
++ NULL);
++ } else {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "-p", protocol,
++ "!", "--destination", network,
++ "--jump", "MASQUERADE",
++ "--to-ports", "1024-65535",
++ NULL);
++ }
+ } else {
+- return iptablesAddRemoveRule(ctx->nat_postrouting,
+- action,
+- "--source", network,
+- "--destination", "!", network,
+- "--jump", "MASQUERADE",
+- NULL);
++ if (physdev && physdev[0]) {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "!", "--destination", network,
++ "--out-interface", physdev,
++ "--jump", "MASQUERADE",
++ NULL);
++ } else {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "!", "--destination", network,
++ "--jump", "MASQUERADE",
++ NULL);
++ }
+ }
+ }
+
+@@ -1112,6 +1136,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+ *
+ * Add rules to the IP table context to allow masquerading
+ * network @network on @physdev. This allow the bridge to
+@@ -1122,9 +1147,10 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+- const char *physdev)
++ const char *physdev,
++ const char *protocol)
+ {
+- return iptablesForwardMasquerade(ctx, network, physdev, ADD);
++ return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD);
+ }
+
+ /**
+@@ -1132,6 +1158,7 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+ *
+ * Remove rules from the IP table context to stop masquerading
+ * network @network on @physdev. This stops the bridge from
+@@ -1142,9 +1169,10 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesRemoveForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+- const char *physdev)
++ const char *physdev,
++ const char *protocol)
+ {
+- return iptablesForwardMasquerade(ctx, network, physdev, REMOVE);
++ return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE);
+ }
+
+ #endif /* WITH_QEMU */
+diff --git a/src/iptables.h b/src/iptables.h
+index 95f07de..87f994a 100644
+--- a/src/iptables.h
++++ b/src/iptables.h
+@@ -90,10 +90,12 @@ int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
+
+ int iptablesAddForwardMasquerade (iptablesContext *ctx,
+ const char *network,
+- const char *physdev);
++ const char *physdev,
++ const char *protocol);
+ int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
+ const char *network,
+- const char *physdev);
++ const char *physdev,
++ const char *protocol);
+
+ #endif /* WITH_QEMU */
+
+diff --git a/src/qemu_driver.c b/src/qemu_driver.c
+index c9bf8d7..9050f96 100644
+--- a/src/qemu_driver.c
++++ b/src/qemu_driver.c
+@@ -1275,18 +1275,73 @@ qemudAddMasqueradingIptablesRules(virConnectPtr conn,
+ goto masqerr2;
+ }
+
+- /* enable masquerading */
++ /*
++ * Enable masquerading.
++ *
++ * We need to end up with 3 rules in the table in this order
++ *
++ * 1. protocol=tcp with sport mapping restricton
++ * 2. protocol=udp with sport mapping restricton
++ * 3. generic any protocol
++ *
++ * The sport mappings are required, because default IPtables
++ * MASQUERADE is maintain port number unchanged where possible.
++ *
++ * NFS can be configured to only "trust" port numbers < 1023.
++ *
++ * Guests using NAT thus need to be prevented from having port
++ * numbers < 1023, otherwise they can bypass the NFS "security"
++ * check on the source port number.
++ *
++ * Since we use '--insert' to add rules to the header of the
++ * chain, we actually need to add them in the reverse of the
++ * order just mentioned !
++ */
++
++ /* First the generic masquerade rule for other protocols */
+ if ((err = iptablesAddForwardMasquerade(driver->iptables,
+ network->def->network,
+- network->def->forwardDev))) {
++ network->def->forwardDev,
++ NULL))) {
+ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("failed to add iptables rule to enable masquerading : %s\n"),
+ strerror(err));
+ goto masqerr3;
+ }
++ /* UDP with a source port restriction */
++ if ((err = iptablesAddForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp"))) {
++ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
++ _("failed to add iptables rule to enable UDP masquerading to '%s'"),
++ network->def->forwardDev ? network->def->forwardDev : NULL);
++ goto masqerr4;
++ }
++
++ /* TCP with a source port restriction */
++ if ((err = iptablesAddForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "tcp"))) {
++ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
++ _("failed to add iptables rule to enable TCP masquerading to '%s'"),
++ network->def->forwardDev ? network->def->forwardDev : NULL);
++ goto masqerr5;
++ }
+
+ return 1;
+
++ masqerr5:
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp");
++ masqerr4:
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ NULL);
+ masqerr3:
+ iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+ network->def->network,
+@@ -1449,8 +1504,16 @@ qemudRemoveIptablesRules(struct qemud_driver *driver,
+ if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
+ iptablesRemoveForwardMasquerade(driver->iptables,
+ network->def->network,
+- network->def->forwardDev);
+-
++ network->def->forwardDev,
++ "tcp");
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp");
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ NULL);
+ if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT)
+ iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+ network->def->network,
+--
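Review bot: The UDP and TCP error paths in qemudAddMasqueradingIptablesRules pass `network->def->forwardDev ? network->def->forwardDev : NULL` as the `%s` argument, which evaluates to forwardDev itself and hands a NULL pointer to the formatter whenever no forward device is configured — undefined behaviour that glibc merely happens to render as "(null)". Unlike the generic rule's message a few lines earlier, these two also drop `strerror(err)`, so the reason iptables rejected the rule is lost from the log. Suggest `_("failed to add iptables rule to enable UDP masquerading to '%s': %s"),` followed by `network->def->forwardDev ? network->def->forwardDev : "(none)", strerror(err));`, and the same change for the TCP message. The port-range restriction itself looks sound: both restricted rules name a protocol, which MASQUERADE's --to-ports requires, and the reverse insertion order described in the comment matches the call order (generic, then udp, then tcp). qemudAddMasqueradingIptablesRules begins before the hunk and its cleanup labels continue past masqerr3, so the earlier error paths are not visible here.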
only in patch2:
unchanged:
--- libvirt-0.4.6.orig/debian/patches/0012-fix-Debian-specific-path-to-hvm-loader.patch
+++ libvirt-0.4.6/debian/patches/0012-fix-Debian-specific-path-to-hvm-loader.patch
@@ -0,0 +1,23 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Thu, 26 Feb 2009 14:29:58 +0100
+Subject: [PATCH] fix Debian specific path to hvm loader
+
+Closes: #517059
+---
+ src/xen_internal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/xen_internal.c b/src/xen_internal.c
+index d80ecfb..d04fb4f 100644
+--- a/src/xen_internal.c
++++ b/src/xen_internal.c
+@@ -2204,7 +2204,7 @@ xenHypervisorBuildCapabilities(virConnectPtr conn,
+ "/usr/lib64/xen/bin/qemu-dm" :
+ "/usr/lib/xen/bin/qemu-dm"),
+ (guest_archs[i].hvm ?
+- "/usr/lib/xen/boot/hvmloader" :
++ "/usr/lib/xen-default/boot/hvmloader" :
+ NULL),
+ 1,
+ machines)) == NULL)
+--
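Review bot: The new hvmloader location is a bare string constant with nothing recording why it diverges from upstream; a one-line comment such as `/* Debian-specific: hvmloader is installed under /usr/lib/xen-default */` above it would save the next rebase from "fixing" it back. The two qemu-dm paths in the context lines still point at /usr/lib/xen/bin and /usr/lib64/xen/bin; if Debian's Xen packaging places those under xen-default as well, they are presumably wrong in the same way — worth confirming on a lenny Xen host before upload. xenHypervisorBuildCapabilities starts before the hunk, so the surrounding capability setup is not visible here.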