Bug#770701: unblock: libvirt/1.2.9-4
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libvirt
The changes are:
Help package managers and users to cope with the libvirt-bin ->
{libvirt-daemon-system, libvirt-daemon} package split:
 * [fb4bf47] Add suggests to libvirt-daemon-system to libvirt-daemon
   (Closes: #767343)
Cleans up a piuparts error:
 * [e4f03ca] Check if the directories exist before removing them
   rmdir returns nonzero otherwise and this is more strict than just using
   || true. (Closes: #767672)
   
Security fix:
 * [030fd97] CVE-2014-7823: dumpxml: security hole with migratable flag
   (Closes: #769149)
   
To ease backports:
 * [4cdad47] Allow backported versions of dh-systemd
There are some more pending issues for jessie like bugs in the lxc,
xen and vbox driver but I'd like to give them some more testing before
letting them enter jessie so it'd be awesome to have these changes
already unblocked.
unblock libvirt/1.2.9-4
Cheers,
 -- Guido
-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-rc6 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff --git a/debian/changelog b/debian/changelog
index cf256c7..a639322 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libvirt (1.2.9-4) unstable; urgency=medium
+
+  * [4cdad47] Allow backported versions of dh-systemd
+  * [fb4bf47] Add suggests to libvirt-daemon-system to libvirt-daemon
+    (Closes: #767343)
+  * [e4f03ca] Check if the directories exist before removing them
+    rmdir returns nonzero otherwise and this is more strict than just using
+    || true. (Closes: #767672)
+  * [030fd97] CVE-2014-7823: dumpxml: security hole with migratable flag
+    (Closes: #769149)
+
+ -- Guido Günther <agx@sigxcpu.org>  Wed, 12 Nov 2014 08:11:17 +0100
+
 libvirt (1.2.9-3) unstable; urgency=medium
 
   * [28dd361] Remove obsolete conffiles in libvirt-bin too. Depending on the
diff --git a/debian/control b/debian/control
index 59b0910..4e2cd0e 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintainers@lists.alioth.deb
 Uploaders: Guido Günther <agx@sigxcpu.org>, Laurent Léonard <laurent@open-minds.org>
 Build-Depends:
  debhelper (>= 7),
- dh-systemd (>= 1.18),
+ dh-systemd (>= 1.18~),
  libxml2-dev,
  libncurses5-dev,
  libreadline-dev,
@@ -89,6 +89,8 @@ Depends:
 Section: admin
 Replaces: libvirt-bin (<< 1.2.6-1~)
 Conflicts: libvirt-bin (<< 1.2.6-1~)
+Suggests:
+ libvirt-daemon,
 Description: programs for the libvirt library
  Libvirt is a C toolkit to interact with the virtualization capabilities
  of recent versions of Linux (and other OSes). The library aims at providing
@@ -109,6 +111,8 @@ Recommends:
  qemu-kvm | qemu (>= 0.9.1),
  libxml2-utils,
  netcat-openbsd,
+Suggests:
+ libvirt-daemon-system,
 Description: programs for the libvirt library
  Libvirt is a C toolkit to interact with the virtualization capabilities
  of recent versions of Linux (and other OSes). The library aims at providing
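Review bot: the changelog entry for [fb4bf47] reads as a single Suggests, but debian/control gains two: `Suggests: libvirt-daemon` in the previous hunk and `Suggests: libvirt-daemon-system` here. Both stanzas show the same "programs for the libvirt library" description in the context lines, so the diff alone does not tell which package suggests which. Please name both directions in the changelog entry so it matches what is actually added.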
diff --git a/debian/libvirt-daemon-system.postrm b/debian/libvirt-daemon-system.postrm
index 2499c8a..62d9b4b 100644
--- a/debian/libvirt-daemon-system.postrm
+++ b/debian/libvirt-daemon-system.postrm
@@ -37,14 +37,15 @@ case "$1" in
 	rm -rf /var/log/libvirt \
 	       /var/cache/libvirt/qemu/capabilities
 
-	# Clean up created dirs if emtpy, they contain
-	# precious data otherwise
-	rmdir --ignore-fail-on-non-empty   \
-	    /var/lib/libvirt/qemu/save     \
-	    /var/lib/libvirt/qemu/snapshot \
-	    /var/lib/libvirt/qemu/dump     \
-	    /var/lib/libvirt/qemu          \
-	    /var/cache/libvirt/qemu
+	# Clean up created dirs if existend and emtpy, they contain precious
+	# data otherwise
+	for dir in /var/lib/libvirt/qemu/save     \
+		   /var/lib/libvirt/qemu/snapshot \
+		   /var/lib/libvirt/qemu/dump     \
+		   /var/lib/libvirt/qemu          \
+		   /var/cache/libvirt/qemu; do
+	    [ ! -d $dir ] || rmdir --ignore-fail-on-non-empty $dir
+	done
     ;;
     remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
     ;;
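Review bot: in the new loop, `[ ! -d $dir ]` follows symlinks, so if one of these paths is a symlink to a directory the test passes and `rmdir` then exits non-zero with an error that `--ignore-fail-on-non-empty` does not suppress. That is the same kind of failure this change is meant to remove. Consider `[ ! -d "$dir" ] || [ -L "$dir" ] || rmdir --ignore-fail-on-non-empty "$dir"`, with `$dir` quoted, and fix "existend" and "emtpy" in the comment while these lines are being touched.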
diff --git a/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
new file mode 100644
index 0000000..a22a1e3
--- /dev/null
+++ b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
@@ -0,0 +1,64 @@
+From: Eric Blake <eblake@redhat.com>
+Date: Thu, 6 Nov 2014 09:42:24 +0100
+Subject: CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML.  However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only.  This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get).  SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
+
+Conflicts:
+	src/libvirt-domain.c - file split from older src/libvirt.c
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ src/libvirt.c                | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index 245c373..a4e6745 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -4369,7 +4369,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
++    if ((conn->flags & VIR_CONNECT_RO) &&
++        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                        _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index db12cda..ebf4530 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -3255,6 +3255,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 
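Review bot: in the src/libvirt.c hunk the widened check now also rejects VIR_DOMAIN_XML_MIGRATABLE on a VIR_CONNECT_RO connection, but the error text is still "virDomainGetXMLDesc with secure flag". A read-only caller that passed only the migratable flag is denied with a message naming a flag it never set. Suggest wording the message to cover both flags, and noting in the changelog that read-only clients using the migratable flag will now get VIR_ERR_OPERATION_DENIED, since the commit message itself says the breakage was not analysed. The patch header also carries no Debian bug reference; the Closes: #769149 from the changelog could be repeated there.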
diff --git a/debian/patches/series b/debian/patches/series
index 26e296b..14dcfbe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ Skip-vircgrouptest.patch
 debian/Use-sensible-editor-as-fallback.patch
 debian/Debianize-virtlockd.patch
 qemu-use-systemd-s-TerminateMachine-to-kill-all-proc.patch
+security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch