Bug#817015: jessie-pu: package libvirt/1.2.9-9+deb8u1

[Philipp Hahn <pmhahn@pmhahn.de>]

Hello,

Am 24.03.2016 um 15:00 schrieb Adam D. Barratt:
> On 2016-03-24 13:48, Philipp Hahn wrote:
>> Am 23.03.2016 um 21:55 schrieb Adam D. Barratt:
>>> On Mon, 2016-03-07 at 07:22 +0100, Philipp Hahn wrote:
>>>> Guido asked me to prepare an update for libvirt:
>>>> - CVE-2015-5313 is marked 'no-dsa', but should be fixed anyway
>>>> (#808273)
>>>>   Salvatore Bonaccorso (security team) asked me to prepare an update
>>>> via
>>>>   jessie-proposed-updates.
>>>> - the SUID bridge-helper in searched in /usr/libexec/, while it
>>>> realy is
>>>>   in /usr/lib/qemu/ (#816602)
>>>> While preparing the update I noticed that it FTBFS in my pbuilder
>>>> environment, requiring 3 more fixes.
>>>
>>> The Build-Depends change makes me unhappy, but...
>>>
>>> Please can we have an actual debdiff of the prepared (and tested)
>>> package, rather than the git patches?
>>
>> Here it is:
>>
>>> $ debdiff --from /var/cache/apt/archives/*libvirt*.deb --to
>>> *libvirt*.deb
> 
> Thanks, but I meant of the source package. :-)

Attached.

Philipp

diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog	2015-08-26 08:34:22.000000000 +0200
+++ libvirt-1.2.9/debian/changelog	2016-03-05 08:18:07.000000000 +0100
@@ -1,3 +1,13 @@
+libvirt (1.2.9-9+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-5313 (Closes: #808273)
+  * libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+    (Closes: #816602)
+  * Fix several FTBFS errors
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Fri, 04 Mar 2016 12:01:36 +0100
+
 libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
 
   [ Guido Günther ]
diff -Nru libvirt-1.2.9/debian/control libvirt-1.2.9/debian/control
--- libvirt-1.2.9/debian/control	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/control	2016-03-04 13:42:30.000000000 +0100
@@ -5,6 +5,7 @@
 Uploaders: Guido Günther <agx@sigxcpu.org>, Laurent Léonard <laurent@open-minds.org>
 Build-Depends:
  debhelper (>= 7),
+ dh-autoreconf,
  dh-systemd (>= 1.18~),
  libxml2-dev,
  libncurses5-dev,
diff -Nru libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch
--- libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/debian/Debianize-bridge-helper-path.patch	2016-03-05 08:18:07.000000000 +0100
@@ -0,0 +1,42 @@
+libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+
+$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
+/usr/libexec/qemu-bridge-helper
+
+$ dpkg -S bridge-helper
+qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
+
+Closes #816602
+--- a/src/qemu/qemu.conf
++++ b/src/qemu/qemu.conf
+@@ -357,7 +357,7 @@
+ # is used to create <source type='bridge'> interfaces when libvirtd is
+ # running unprivileged.  libvirt invokes the helper directly, instead
+ # of using "-netdev bridge", for security reasons.
+-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
++#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
+ 
+ 
+ 
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
+             goto error;
+     }
+ 
+-    if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") < 0)
++    if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/lib/qemu/qemu-bridge-helper") < 0)
+         goto error;
+ 
+     cfg->clearEmulatorCapabilities = true;
+--- a/src/qemu/test_libvirtd_qemu.aug.in
++++ b/src/qemu/test_libvirtd_qemu.aug.in
+@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
+ { "auto_dump_bypass_cache" = "0" }
+ { "auto_start_bypass_cache" = "0" }
+ { "hugetlbfs_mount" = "/dev/hugepages" }
+-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
++{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
+ { "clear_emulator_capabilities" = "1" }
+ { "set_process_name" = "1" }
+ { "max_processes" = "0" }
diff -Nru libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch
--- libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/patches/Disable-failing-virnetsockettest.patch	2016-03-04 14:47:12.000000000 +0100
@@ -7,11 +7,25 @@
  tests/virnetsockettest.c | 2 ++
  1 file changed, 2 insertions(+)
 
-diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
-index 5d91f26..1f283a3 100644
 --- a/tests/virnetsockettest.c
 +++ b/tests/virnetsockettest.c
-@@ -501,10 +501,12 @@ mymain(void)
+@@ -333,6 +333,7 @@ static int testSocketUNIXAddrs(const voi
+     return ret;
+ }
+ 
++#if 0
+ static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
+ {
+     virNetSocketPtr csock = NULL; /* Client socket */
+@@ -383,6 +384,7 @@ static int testSocketCommandFail(const v
+     virObjectUnref(csock);
+     return ret;
+ }
++#endif
+ 
+ struct testSSHData {
+     const char *nodename;
+@@ -501,10 +503,12 @@ mymain(void)
      if (virtTestRun("Socket UNIX Addrs", testSocketUNIXAddrs, NULL) < 0)
          ret = -1;
  
diff -Nru libvirt-1.2.9/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch libvirt-1.2.9/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
--- libvirt-1.2.9/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch	1970-01-01 01:00:00.000000000 +0100
+++ libvirt-1.2.9/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch	2016-03-04 14:46:20.000000000 +0100
@@ -0,0 +1,72 @@
+From 034e47c338b13a95cf02106a3af912c1c5f818d7 Mon Sep 17 00:00:00 2001
+Message-Id: <034e47c338b13a95cf02106a3af912c1c5f818d7.1457088964.git.hahn@univention.de>
+From: Eric Blake <eblake@redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume
+ names
+Organization: Univention GmbH, Bremen, Germany
+To: libvir-list@redhat.com
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool.  For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege).  But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+  * storage_backend_fs.c: storage backend for FS and directory handling
+  *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+  * Copyright (C) 2007-2008 Daniel P. Berrange
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -1005,6 +1005,14 @@ virStorageBackendFileSystemVolCreate(vir
+ 
+     vol->type = VIR_STORAGE_VOL_FILE;
+ 
++    /* Volumes within a directory pools are not recursive; do not
++     * allow escape to ../ or a subdir */
++    if (strchr(vol->name, '/')) {
++        virReportError(VIR_ERR_OPERATION_INVALID,
++                       _("volume name '%s' cannot contain '/'"), vol->name);
++        return -1;
++    }
++
+     VIR_FREE(vol->target.path);
+     if (virAsprintf(&vol->target.path, "%s/%s",
+                     pool->def->target.path,
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/patches/series	2016-03-05 08:18:07.000000000 +0100
@@ -31,3 +31,5 @@
 Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
+debian/Debianize-bridge-helper-path.patch
diff -Nru libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
--- libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch	2016-03-04 14:47:12.000000000 +0100
@@ -176,7 +176,7 @@
  
      if (virQEMUCapsParseHelpStr("QEMU", help, flags,
 -                                &version, &is_kvm, &kvm_version, false) == -1)
-+                                &version, &is_kvm, &kvm_version, false, NULL) == -1) {
++                                &version, &is_kvm, &kvm_version, false, NULL) == -1)
          goto cleanup;
  
  # ifndef WITH_YAJL
diff -Nru libvirt-1.2.9/debian/README.Debian libvirt-1.2.9/debian/README.Debian
--- libvirt-1.2.9/debian/README.Debian	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/README.Debian	2016-03-05 08:18:07.000000000 +0100
@@ -51,6 +51,18 @@
 This makes dnsmasq only bind to the loopback interface by default so libvirtd
 can handle the virtual bridges.
 
+Bridged network
+===============
+libvirt can use the qemu-bridge-helper to create bridged network interfaces for
+session domains. For this to work the helper must have the capability to create
+TUN/TAP devices or must have the SUID permission set.
+This can be done by running the following command as the user root:
+
+    setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper
+
+The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For
+each bridge add a line like 'allow br0'.
+
 Access Control
 ==============
 Access to the libvirt managing tasks is controlled by PolicyKit. To ease
diff -Nru libvirt-1.2.9/debian/rules libvirt-1.2.9/debian/rules
--- libvirt-1.2.9/debian/rules	2015-08-24 16:20:54.000000000 +0200
+++ libvirt-1.2.9/debian/rules	2016-03-04 13:42:30.000000000 +0100
@@ -123,7 +123,7 @@
 EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/
 
 %:
-	dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel
+	dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel --with autoreconf
 
 override_dh_auto_configure:
 	dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS)