
Bug#930867: unblock: libvirt/5.0.0-4



Hi,
On Sat, Jun 22, 2019 at 03:03:47PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Fri, Jun 21, 2019 at 05:38:59PM +0200, Guido Günther wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian.org@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock package libvirt
> > 
> > It fixes 4 CVEs and adds an apparmor rule to make the life of people
> > using spice with certificates easier.
> > Cheers,
> >  -- Guido
> > 
> > unblock libvirt/5.0.0-4
> 
> For reference, debdiff between version in testing and unstable
> attached.

Thanks for fixing my oversight. I meant to attach it.
 -- Guido

> 
> Regards,
> Salvatore

> diff -Nru libvirt-5.0.0/debian/changelog libvirt-5.0.0/debian/changelog
> --- libvirt-5.0.0/debian/changelog	2019-05-22 12:31:08.000000000 +0200
> +++ libvirt-5.0.0/debian/changelog	2019-06-17 19:05:40.000000000 +0200
> @@ -1,3 +1,19 @@
> +libvirt (5.0.0-4) unstable; urgency=medium
> +
> +  * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
> +    connections.
> +    - CVE-2019-10161:
> +      CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> +    - CVE-2019-10166:
> +      api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> +    - CVE-2019-10167:
> +      api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> +    - CVE-2019-10168:
> +      api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> +  * Include /etc/pki/qemu in apparmor (Closes: #930100)
> +
> + -- Guido Günther <agx@sigxcpu.org>  Mon, 17 Jun 2019 19:05:40 +0200
> +
>  libvirt (5.0.0-3) unstable; urgency=medium
>  
>    [ Guido Günther ]
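
Review bot: `urgency=medium` on the 5.0.0-4 entry sits oddly with an upload whose first item is four privilege escalation CVEs; if the fix is meant to reach testing quickly, `urgency=high` would say so. The first item carries a commit id (`[0fdc2af]`) while the `/etc/pki/qemu` item does not, and the patch names are listed without the `security/` prefix they have in `debian/patches/series`. Making both consistent helps anyone mapping CVEs to files.
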
> diff -Nru libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch
> --- libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch	2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,26 @@
> +From: Sam Hartman <hartmans@debian.org>
> +Date: Tue, 18 Jun 2019 09:02:09 -0400
> +Subject: Include /etc/pki/qemu in apparmor
> +
> +We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
> +apparmor profile.  However the default tls directory in qemu.conf that
> +we ship is /etc/pki/qemu.  So permit that as well.
> +
> +Closes: #930100
> +---
> + src/security/apparmor/libvirt-qemu | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
> +index eaa5167..0659cda 100644
> +--- a/src/security/apparmor/libvirt-qemu
> ++++ b/src/security/apparmor/libvirt-qemu
> +@@ -93,6 +93,8 @@
> +   /etc/pki/CA/* r,
> +   /etc/pki/libvirt{,-spice,-vnc}/ r,
> +   /etc/pki/libvirt{,-spice,-vnc}/** r,
> ++  /etc/pki/qemu/ r,
> ++  /etc/pki/qemu/** r,
> + 
> +   # the various binaries
> +   /usr/bin/kvm rmix,
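
Review bot: The two added rules, `/etc/pki/qemu/ r,` and `/etc/pki/qemu/** r,`, give every process confined by this profile read access to the whole tree, which as the TLS directory will presumably hold key material alongside the certificates. That matches the existing `libvirt{,-spice,-vnc}` lines, so it is consistent, but the commit message should say so explicitly. It should also note that the rule covers only the default directory from the shipped qemu.conf, so a site that points the TLS directory elsewhere still needs a local override. The patch header has no Forwarded or upstream status line.
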
> diff -Nru libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> --- libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch	2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,79 @@
> +From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
> +Date: Mon, 17 Jun 2019 18:20:15 +0200
> +Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
> + read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +This is a backport of
> +
> +The virDomainSaveImageGetXMLDesc API is taking a path parameter,
> +which can point to any path on the system. This file will then be
> +read and parsed by libvirtd running with root privileges.
> +
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10161
> +Reported-by: Matthias Gerstner <mgerstner@suse.de>
> +Signed-off-by: Ján Tomko <jtomko@redhat.com>
> +---
> + src/libvirt-domain.c         | 9 ++-------
> + src/qemu/qemu_driver.c       | 2 +-
> + src/remote/remote_protocol.x | 3 +--
> + 3 files changed, 4 insertions(+), 10 deletions(-)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 9aca54a..6a5fff9 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
> +  * previously by virDomainSave() or virDomainSaveFlags().
> +  *
> +  * No security-sensitive data will be included unless @flags contains
> +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
> +- * connections.  For this API, @flags should not contain either
> ++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either
> +  * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
> +  *
> +  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
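
Review bot: The reworded comment, `VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either`, drops the sentence about read-only connections without replacing it, so the API documentation no longer says anything about read-only callers even though the next hunk refuses them outright. Suggest stating that the call is rejected on read-only connections, and splitting the text at the semicolon into two sentences (the capital `For` after `;` is a leftover of the deletion).
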
> +@@ -1092,11 +1091,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
> +     virCheckConnectReturn(conn, NULL);
> +     virCheckNonNullArgGoto(file, error);
> + 
> +-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
> +-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
> +-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
> +-        goto error;
> +-    }
> ++    virCheckReadOnlyGoto(conn->flags, error);
> + 
> +     if (conn->driver->domainSaveImageGetXMLDesc) {
> +         char *ret;
> +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> +index 1d96170..fb417ad 100644
> +--- a/src/qemu/qemu_driver.c
> ++++ b/src/qemu/qemu_driver.c
> +@@ -7084,7 +7084,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
> +     if (fd < 0)
> +         goto cleanup;
> + 
> +-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
> ++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
> +         goto cleanup;
> + 
> +     ret = qemuDomainDefFormatXML(driver, def, flags);
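
Review bot: In `qemuDomainSaveImageGetXMLDesc` the context shows `if (fd < 0) goto cleanup;` ahead of the `virDomainSaveImageGetXMLDescEnsureACL(conn, def)` call, so the caller-supplied path has already been opened, and `def` populated, by the time the ACL is evaluated. The read-only check added in `src/libvirt-domain.c` covers read-only connections, but for fine-grained ACLs it is worth confirming that this ordering is intended. Dropping the `flags` argument also changes the helper's signature and only the qemu driver is touched here; please confirm no other driver still calls it with three arguments.
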
> +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
> +index 1246df5..5cfb8b6 100644
> +--- a/src/remote/remote_protocol.x
> ++++ b/src/remote/remote_protocol.x
> +@@ -5234,8 +5234,7 @@ enum remote_procedure {
> +     /**
> +      * @generate: both
> +      * @priority: high
> +-     * @acl: domain:read
> +-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
> ++     * @acl: domain:write
> +      */
> +     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
> + 
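
Review bot: Replacing `@acl: domain:read` and `@acl: domain:read_secure:VIR_DOMAIN_XML_SECURE` with `@acl: domain:write` also changes behaviour on read-write connections under fine-grained ACLs: a client granted only `domain:read` could call this procedure before and cannot now. That is a reasonable tightening, but it is a user-visible change that neither the commit message nor the changelog mentions. Separately, the message line `This is a backport of` ends without naming the upstream commit; the reference should be restored so the backport can be checked against its origin.
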
> diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> --- libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch	2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,36 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
> +Date: Fri, 14 Jun 2019 10:37:34 +0200
> +Subject: api: disallow virConnect*HypervisorCPU on read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +These APIs can be used to execute arbitrary emulators.
> +Forbid them on read-only connections.
> +
> +Fixes: CVE-2019-10168
> +Signed-off-by: Ján Tomko <jtomko@redhat.com>
> +---
> + src/libvirt-host.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/libvirt-host.c b/src/libvirt-host.c
> +index e20d6ee..2978825 100644
> +--- a/src/libvirt-host.c
> ++++ b/src/libvirt-host.c
> +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
> + 
> +     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
> +     virCheckNonNullArgGoto(xmlCPU, error);
> ++    virCheckReadOnlyGoto(conn->flags, error);
> + 
> +     if (conn->driver->connectCompareHypervisorCPU) {
> +         int ret;
> +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
> + 
> +     virCheckConnectReturn(conn, NULL);
> +     virCheckNonNullArgGoto(xmlCPUs, error);
> ++    virCheckReadOnlyGoto(conn->flags, error);
> + 
> +     if (conn->driver->connectBaselineHypervisorCPU) {
> +         char *cpu;
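
Review bot: Both `virCheckReadOnlyGoto(conn->flags, error);` lines are added only at the public API entry in `src/libvirt-host.c`; unlike the CVE-2019-10161 patch there is no `@acl` change in `src/remote/remote_protocol.x`. Please confirm that the ACL annotations for the compare and baseline procedures already require write-level permission, or tighten them in the same patch. The function comments for `virConnectCompareHypervisorCPU` and `virConnectBaselineHypervisorCPU` should also say that read-only connections are refused.
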
> diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> --- libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch	2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,29 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
> +Date: Fri, 14 Jun 2019 10:37:33 +0200
> +Subject: api: disallow virConnectGetDomainCapabilities on read-only
> + connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +This API can be used to execute arbitrary emulators.
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10167
> +Signed-off-by: Ján Tomko <jtomko@redhat.com>
> +---
> + src/libvirt-domain.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 3d198d2..9b10790 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -11361,6 +11361,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
> +     virResetLastError();
> + 
> +     virCheckConnectReturn(conn, NULL);
> ++    virCheckReadOnlyGoto(conn->flags, error);
> + 
> +     if (conn->driver->connectGetDomainCapabilities) {
> +         char *ret;
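
Review bot: The added `virCheckReadOnlyGoto(conn->flags, error);` in `virConnectGetDomainCapabilities` changes what a read-only client may call, yet the patch is a single insertion with no update to the function's API comment. Tools that query domain capabilities over a read-only connection will now get an error, so the comment should state that the call fails on read-only connections, and the changelog entry would benefit from mentioning the behaviour change.
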
> diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> --- libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch	1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch	2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,30 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
> +Date: Fri, 14 Jun 2019 10:37:32 +0200
> +Subject: api: disallow virDomainManagedSaveDefineXML on read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +The virDomainManagedSaveDefineXML can be used to alter the domain's
> +config used for managedsave or even execute arbitrary emulator binaries.
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10166
> +Reported-by: Matthias Gerstner <mgerstner@suse.de>
> +Signed-off-by: Ján Tomko <jtomko@redhat.com>
> +---
> + src/libvirt-domain.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 6a5fff9..3d198d2 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -9567,6 +9567,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
> + 
> +     virCheckDomainReturn(domain, -1);
> +     conn = domain->conn;
> ++    virCheckReadOnlyGoto(conn->flags, error);
> + 
> +     if (conn->driver->domainManagedSaveDefineXML) {
> +         int ret;
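
Review bot: The header of this patch, like those of the two other patches authored by Ján Tomko, carries no upstream commit id or Origin line, so the debdiff gives no way to tell which upstream change was backported. In the hunk itself, `virCheckReadOnlyGoto(conn->flags, error);` is correctly placed after `conn = domain->conn;`. Since the message describes an API that alters domain configuration, a follow-up audit of the other state-changing entry points for the same missing check would be worthwhile.
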
> diff -Nru libvirt-5.0.0/debian/patches/series libvirt-5.0.0/debian/patches/series
> --- libvirt-5.0.0/debian/patches/series	2019-05-22 12:31:08.000000000 +0200
> +++ libvirt-5.0.0/debian/patches/series	2019-06-17 19:05:40.000000000 +0200
> @@ -29,3 +29,8 @@
>  security/admin-reject-clients-unless-their-UID-matches-the-current.patch
>  security/locking-restrict-sockets-to-mode-0600.patch
>  security/logging-restrict-sockets-to-mode-0600.patch
> +security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> +security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> +security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> +security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> +Include-etc-pki-qemu-in-apparmor.patch
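
Review bot: Of the four security patches added to the series, only `security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch` carries its CVE id in the file name; the three `security/api-disallow-...` entries do not. Renaming them with their CVE ids (CVE-2019-10166, CVE-2019-10167, CVE-2019-10168 per the changelog) would let someone auditing `debian/patches` match files to advisories without opening each one.
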