On Sat, Aug 24, 2024 at 03:53:52PM +0100, Adam D. Barratt wrote:
> On Sat, 2024-08-24 at 15:41 +0200, Andrea Bolognani wrote:
> > Just so that we're on the same page, do you want me to share the
> > debdiff here and get an explicit ACK from you before proceeding with
> > the upload, or should I go for the upload first in the interest
> > of time?
>
> If the change from the previously-acked diff is just the addition of
> the new patch as per the MR, and a changelog entry for it, then feel
> free to upload without waiting for a new ack. Please do still send the
> new debdiff to this bug.

I've made a couple of tiny tweaks to the commit messages and patch
metadata, but nothing functionally relevant. The debdiff is attached,
and the corresponding MR is

  https://salsa.debian.org/libvirt-team/libvirt/-/merge_requests/230

I'll grab some coffee while I wait for the pipeline to run, and proceed
with the upload in ~30 minutes unless you tell me otherwise.

Thanks!

--
Andrea Bolognani <eof@kiyuko.org>
Resistance is futile, you will be garbage collected.
diff -Nru libvirt-9.0.0/debian/changelog libvirt-9.0.0/debian/changelog --- libvirt-9.0.0/debian/changelog 2023-05-21 11:31:31.000000000 +0200 +++ libvirt-9.0.0/debian/changelog 2024-08-24 16:05:45.000000000 +0200 @@ -1,3 +1,28 @@ +libvirt (9.0.0-4+deb12u1) bookworm; urgency=medium + + [ Cyril Brulebois ] + * [6a7f95a] patches: Add backports + - backport/virsh-Make-domif-setlink-work-more-than-once.patch + - Closes: #1075718 + + [ Andrea Bolognani ] + * [56f1ae3] patches: Add backports + - backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch + - Fixes CVE-2024-1441 + - backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch + - Fixes CVE-2024-2496 + - backport/remote-check-for-negative-array-lengths-before-allocation.patch + - Fixes CVE-2024-2494 + - backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch + - Fixes CVE-2023-3750 + + [ Lee Garrett ] + * [7dc22f9] patches: Add backports + - backport/qemu-domain-Fix-logic-when-tainting-domain.patch + - Closes: #1052405 + + -- Andrea Bolognani <eof@kiyuko.org> Sat, 24 Aug 2024 16:05:45 +0200 + libvirt (9.0.0-4) unstable; urgency=medium * [79f6669] patches: Add backports diff -Nru libvirt-9.0.0/debian/patches/backport/apparmor-Allow-umount-dev.patch libvirt-9.0.0/debian/patches/backport/apparmor-Allow-umount-dev.patch --- libvirt-9.0.0/debian/patches/backport/apparmor-Allow-umount-dev.patch 2023-05-21 11:31:31.000000000 +0200 +++ libvirt-9.0.0/debian/patches/backport/apparmor-Allow-umount-dev.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -24,7 +24,7 @@ Reviewed-by: Jim Fehlig <jfehlig@suse.com> (cherry picked from commit ef4829510549ec68cf80774e98b200a3e7bbe51f) -Forwarded: non-needed +Forwarded: not-needed Origin: https://gitlab.com/libvirt/libvirt/-/commit/ef4829510549ec68cf80774e98b200a3e7bbe51f --- src/security/apparmor/usr.sbin.libvirtd.in | 1 + diff -Nru libvirt-9.0.0/debian/patches/backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch libvirt-9.0.0/debian/patches/backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch --- libvirt-9.0.0/debian/patches/backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,46 @@ +From: Martin Kletzander <mkletzan@redhat.com> +Date: Tue, 27 Feb 2024 16:20:12 +0100 +Subject: Fix off-by-one error in udevListInterfacesByStatus +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Ever since this function was introduced in 2012 it could've tried +filling in an extra interface name. That was made worse in 2019 when +the caller functions started accepting NULL arrays of size 0. + +This is assigned CVE-2024-1441. + +Signed-off-by: Martin Kletzander <mkletzan@redhat.com> +Reported-by: Alexander Kuznetsov <kuznetsovam@altlinux.org> +Fixes: 5a33366f5c0b18c93d161bd144f9f079de4ac8ca +Fixes: d6064e2759a24e0802f363e3a810dc5a7d7ebb15 +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry picked from commit c664015fe3a7bf59db26686e9ed69af011c6ebb8) + +Conflicts: + + * NEWS.rst + - missing context; the hunk is not relevant to the Debian + package anyway and has been dropped + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 +Bug-Debian: https://bugs.debian.org/1066058 +--- + src/interface/interface_backend_udev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index 54b43fb..01d6f55 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -219,7 +219,7 @@ udevListInterfacesByStatus(virConnectPtr conn, + g_autoptr(virInterfaceDef) def = NULL; + + /* Ensure we won't exceed the size of our array */ +- if (count > names_len) ++ if (count >= names_len) + break; + + path = udev_list_entry_get_name(dev_entry); diff -Nru libvirt-9.0.0/debian/patches/backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch libvirt-9.0.0/debian/patches/backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch --- 
libvirt-9.0.0/debian/patches/backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,97 @@ +From: Dmitry Frolov <frolov@swemel.ru> +Date: Tue, 12 Sep 2023 15:56:47 +0300 +Subject: interface: fix udev_device_get_sysattr_value return value check + +Reviewing the code I found that return value of function +udev_device_get_sysattr_value() is dereferenced without a check. +udev_device_get_sysattr_value() may return NULL by number of reasons. + +v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE() +v3: More checks added, to skip earlier. More verbose VIR_DEBUG. + +Signed-off-by: Dmitry Frolov <frolov@swemel.ru> +Reviewed-by: Martin Kletzander <mkletzan@redhat.com> +(cherry picked from commit 2ca94317ac642a70921947150ced8acc674ccdc8) + +Conflicts: + + * src/interface/interface_backend_udev.c + - slightly different (but functionally identical) format + string due to not having commit + be664663fab7c3fe008595767404ee2868f41a31 + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8 + +CVE-2024-2496 +--- + src/interface/interface_backend_udev.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index 01d6f55..b1702f6 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -23,6 +23,7 @@ + #include <dirent.h> + #include <libudev.h> + ++#include "virlog.h" + #include "virerror.h" + #include "virfile.h" + #include "datatypes.h" +@@ -40,6 +41,8 @@ + + #define VIR_FROM_THIS VIR_FROM_INTERFACE + ++VIR_LOG_INIT("interface.interface_backend_udev"); ++ + struct udev_iface_driver { + struct udev *udev; + /* pid file FD, ensures two copies of the driver can't use the same root */ +@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn, + const char *macaddr; + g_autoptr(virInterfaceDef) def = NULL; + +- path = udev_list_entry_get_name(dev_entry); +- dev = udev_device_new_from_syspath(udev, 
path); +- name = udev_device_get_sysname(dev); ++ if (!(path = udev_list_entry_get_name(dev_entry))) { ++ VIR_DEBUG("Skipping interface, path == NULL"); ++ continue; ++ } ++ if (!(dev = udev_device_new_from_syspath(udev, path))) { ++ VIR_DEBUG("Skipping interface '%s', dev == NULL", path); ++ continue; ++ } ++ if (!(name = udev_device_get_sysname(dev))) { ++ VIR_DEBUG("Skipping interface '%s', name == NULL", path); ++ continue; ++ } + macaddr = udev_device_get_sysattr_value(dev, "address"); +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + def = udevGetMinimalDefForDevice(dev); + if (!virConnectListAllInterfacesCheckACL(conn, def)) { +@@ -962,9 +974,9 @@ udevGetIfaceDef(struct udev *udev, const char *name) + + /* MTU */ + mtu_str = udev_device_get_sysattr_value(dev, "mtu"); +- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { ++ if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, +- _("Could not parse MTU value '%s'"), mtu_str); ++ _("Could not parse MTU value '%s'"), NULLSTR(mtu_str)); + goto error; + } + ifacedef->mtu = mtu; +@@ -1087,7 +1099,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo) + goto cleanup; + + /* Check if it's active or not */ +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + udev_device_unref(dev); + diff -Nru libvirt-9.0.0/debian/patches/backport/qemu-domain-Fix-logic-when-tainting-domain.patch libvirt-9.0.0/debian/patches/backport/qemu-domain-Fix-logic-when-tainting-domain.patch --- libvirt-9.0.0/debian/patches/backport/qemu-domain-Fix-logic-when-tainting-domain.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/qemu-domain-Fix-logic-when-tainting-domain.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,37 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Wed, 1 Mar 2023 17:09:42 +0100 +Subject: qemu: domain: Fix logic when tainting domain + +Originally the code was skipping all repeated taints with the same taint +flag but a logic bug introduced in commit 30626ed15b239c424ae inverted +the condition. This caused that actually the first occurence was NOT +logged but any subsequent was. + +This was noticed when going through oVirt logs as they use custom guest +agent commands and the logs are totally spammed with this message. + +Fixes: 30626ed15b239c424ae891f096057a696eadd715 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Laine Stump <laine@redhat.com> +(cherry picked from commit 9134b40d0b43a5e1a9928b0a0d948205941d9807) + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/9134b40d0b43a5e1a9928b0a0d948205941d9807 +Bugs-Debian: https://bugs.debian.org/1052405 +--- + src/qemu/qemu_domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c +index da7a869..6484349 100644 +--- a/src/qemu/qemu_domain.c ++++ b/src/qemu/qemu_domain.c +@@ -6576,7 +6576,7 @@ void qemuDomainObjTaintMsg(virQEMUDriver *driver, + const char *extrasuffix = ""; + va_list args; + +- if (virDomainObjTaint(obj, taint)) { ++ if (!virDomainObjTaint(obj, taint)) { + /* If an extra message was given we must always + * emit the taint warning, otherwise it is a + * one-time only warning per VM diff -Nru libvirt-9.0.0/debian/patches/backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch libvirt-9.0.0/debian/patches/backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch --- libvirt-9.0.0/debian/patches/backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch 2023-05-21 11:31:31.000000000 +0200 +++ libvirt-9.0.0/debian/patches/backport/qemu_interface-Fix-managed-no-case-when-creating-an-ether.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -21,7 +21,7 @@ Reviewed-by: Martin Kletzander <mkletzan@redhat.com> (cherry picked from commit d6a8b9eef70887e01fa5fd292580e14ca5eab08c) -Forwarded: non-needed +Forwarded: not-needed Origin: https://gitlab.com/libvirt/libvirt/-/commit/d6a8b9eef70887e01fa5fd292580e14ca5eab08c --- src/qemu/qemu_interface.c | 5 +++-- diff -Nru libvirt-9.0.0/debian/patches/backport/remote-check-for-negative-array-lengths-before-allocation.patch libvirt-9.0.0/debian/patches/backport/remote-check-for-negative-array-lengths-before-allocation.patch --- libvirt-9.0.0/debian/patches/backport/remote-check-for-negative-array-lengths-before-allocation.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/remote-check-for-negative-array-lengths-before-allocation.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,217 @@ +From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> +Date: Fri, 15 Mar 2024 10:47:50 +0000 +Subject: remote: check for negative array lengths before allocation +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +While the C API entry points will validate non-negative lengths +for various parameters, the RPC server de-serialization code +will need to allocate memory for arrays before entering the C +API. These allocations will thus happen before the non-negative +length check is performed. + +Passing a negative length to the g_new0 function will usually +result in a crash due to the negative length being treated as +a huge positive number. + +This was found and diagnosed by ALT Linux Team with AFLplusplus. + +CVE-2024-2494 +Reviewed-by: Michal Privoznik <mprivozn@redhat.com> +Found-by: Alexandr Shashkin <dutyrok@altlinux.org> +Co-developed-by: Alexander Kuznetsov <kuznetsovam@altlinux.org> +Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> +(cherry picked from commit 8a3f8d957507c1f8223fdcf25a3ff885b15557f2) + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/8a3f8d957507c1f8223fdcf25a3ff885b15557f2 +Bug-Debian: https://bugs.debian.org/1067461 +--- + src/remote/remote_daemon_dispatch.c | 65 +++++++++++++++++++++++++++++++++++++ + src/rpc/gendispatch.pl | 5 +++ + 2 files changed, 70 insertions(+) + +diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon_dispatch.c +index 6c56e9e..a847bd6 100644 +--- a/src/remote/remote_daemon_dispatch.c ++++ b/src/remote/remote_daemon_dispatch.c +@@ -2287,6 +2287,10 @@ remoteDispatchDomainGetSchedulerParameters(virNetServer *server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2335,6 +2339,10 @@ remoteDispatchDomainGetSchedulerParametersFlags(virNetServer *server G_GNUC_UNUS + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2493,6 +2501,10 @@ remoteDispatchDomainBlockStatsFlags(virNetServer *server G_GNUC_UNUSED, + goto cleanup; + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_STATS_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -2718,6 +2730,14 @@ remoteDispatchDomainGetVcpuPinInfo(virNetServer *server G_GNUC_UNUSED, + if 
(!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->ncpumaps < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } + if (args->ncpumaps > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("ncpumaps > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -2812,6 +2832,11 @@ remoteDispatchDomainGetEmulatorPinInfo(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maplen must be non-negative")); ++ goto cleanup; ++ } ++ + /* Allocate buffers to take the results */ + if (args->maplen > 0) + cpumaps = g_new0(unsigned char, args->maplen); +@@ -2859,6 +2884,14 @@ remoteDispatchDomainGetVcpus(virNetServer *server G_GNUC_UNUSED, + if (!(dom = get_nonnull_domain(conn, args->dom))) + goto cleanup; + ++ if (args->maxinfo < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } ++ if (args->maplen < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo must be non-negative")); ++ goto cleanup; ++ } + if (args->maxinfo > REMOTE_VCPUINFO_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("maxinfo > REMOTE_VCPUINFO_MAX")); + goto cleanup; +@@ -3098,6 +3131,10 @@ remoteDispatchDomainGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3158,6 +3195,10 @@ remoteDispatchDomainGetNumaParameters(virNetServer *server G_GNUC_UNUSED, + + flags = 
args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_NUMA_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3218,6 +3259,10 @@ remoteDispatchDomainGetBlkioParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLKIO_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3279,6 +3324,10 @@ remoteDispatchNodeGetCPUStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_CPU_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3346,6 +3395,10 @@ remoteDispatchNodeGetMemoryStats(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_STATS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -3526,6 +3579,10 @@ remoteDispatchDomainGetBlockIoTune(virNetServer *server G_GNUC_UNUSED, + if (!conn) + goto cleanup; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_BLOCK_IO_TUNE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5092,6 +5149,10 @@ remoteDispatchDomainGetInterfaceParameters(virNetServer *server 
G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_DOMAIN_INTERFACE_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +@@ -5312,6 +5373,10 @@ remoteDispatchNodeGetMemoryParameters(virNetServer *server G_GNUC_UNUSED, + + flags = args->flags; + ++ if (args->nparams < 0) { ++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams must be non-negative")); ++ goto cleanup; ++ } + if (args->nparams > REMOTE_NODE_MEMORY_PARAMETERS_MAX) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("nparams too large")); + goto cleanup; +diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl +index 54d55d9..d295c09 100755 +--- a/src/rpc/gendispatch.pl ++++ b/src/rpc/gendispatch.pl +@@ -1077,6 +1077,11 @@ elsif ($mode eq "server") { + print "\n"; + + if ($single_ret_as_list) { ++ print " if (args->$single_ret_list_max_var < 0) {\n"; ++ print " virReportError(VIR_ERR_RPC,\n"; ++ print " \"%s\", _(\"max$single_ret_list_name must be non-negative\"));\n"; ++ print " goto cleanup;\n"; ++ print " }\n"; + print " if (args->$single_ret_list_max_var > $single_ret_list_max_define) {\n"; + print " virReportError(VIR_ERR_RPC,\n"; + print " \"%s\", _(\"max$single_ret_list_name > $single_ret_list_max_define\"));\n"; diff -Nru libvirt-9.0.0/debian/patches/backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch libvirt-9.0.0/debian/patches/backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch --- libvirt-9.0.0/debian/patches/backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,56 @@ +From: Peter Krempa <pkrempa@redhat.com> +Date: Thu, 13 Jul 2023 16:16:37 +0200 +Subject: storage: Fix returning of locked objects from + 'virStoragePoolObjListSearch' +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +CVE-2023-3750 + +'virStoragePoolObjListSearch' explicitly documents that it's returning +a pointer to a locked and ref'd pool that maches the lookup function. + +This was not the case as in commit 0c4b391e2a9 (released in +libvirt-8.3.0) the code was accidentally converted to use 'VIR_LOCK_GUARD' +which auto-unlocked it when leaving the scope, even when the code was +originally "leaking" the lock. + +Revert the corresponding conversion and add a comment that this function +is intentionally leaking a locked object. + +Fixes: 0c4b391e2a9 +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2221851 +Signed-off-by: Peter Krempa <pkrempa@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry picked from commit 9a47442366fcf8a7b6d7422016d7bbb6764a1098) + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098 +Bug-Debian: https://bugs.debian.org/1041811 +--- + src/conf/virstorageobj.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/conf/virstorageobj.c b/src/conf/virstorageobj.c +index e6c187e..4e89f79 100644 +--- a/src/conf/virstorageobj.c ++++ b/src/conf/virstorageobj.c +@@ -454,11 +454,16 @@ virStoragePoolObjListSearchCb(const void *payload, + virStoragePoolObj *obj = (virStoragePoolObj *) payload; + struct _virStoragePoolObjListSearchData *data = + (struct _virStoragePoolObjListSearchData *)opaque; +- VIR_LOCK_GUARD lock = virObjectLockGuard(obj); + ++ virObjectLock(obj); ++ ++ /* If we find the matching pool object we must return while the object is ++ * locked as the caller wants to return a locked object. 
*/ + if (data->searcher(obj, data->opaque)) + return 1; + ++ virObjectUnlock(obj); ++ + return 0; + } + diff -Nru libvirt-9.0.0/debian/patches/backport/virsh-Make-domif-setlink-work-more-than-once.patch libvirt-9.0.0/debian/patches/backport/virsh-Make-domif-setlink-work-more-than-once.patch --- libvirt-9.0.0/debian/patches/backport/virsh-Make-domif-setlink-work-more-than-once.patch 1970-01-01 01:00:00.000000000 +0100 +++ libvirt-9.0.0/debian/patches/backport/virsh-Make-domif-setlink-work-more-than-once.patch 2024-08-24 16:05:45.000000000 +0200 
@@ -0,0 +1,45 @@ +From: Michal Privoznik <mprivozn@redhat.com> +Date: Mon, 30 Jan 2023 10:55:22 +0100 +Subject: virsh: Make domif-setlink work more than once +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +In virsh, we have this convenient domif-setlink command, which is +just a wrapper over virDomainUpdateDeviceFlags() and which allows +setting link state of given guest NIC. It does so by fetching +corresponding <interface/> XML snippet and either putting <link +state=''/> into it, OR if the element already exists setting the +attribute to desired value. The XML is then fed into the update +API. + +There's, however, a small bug in detecting the pre-existence of +the element and its attribute. The code looks at "link" +attribute, while in fact, the attribute is called "state". + +Resolves: https://gitlab.com/libvirt/libvirt/-/issues/426 +Fixes: e575bf082ed4889280be07c986375f1ca15bb7ee +Signed-off-by: Michal Privoznik <mprivozn@redhat.com> +Reviewed-by: Ján Tomko <jtomko@redhat.com> +(cherry-picked from commit 6f3f6c0f763b9ffd8ef93eb124c88dd0b79138fc) + +Forwarded: not-needed +Origin: https://gitlab.com/libvirt/libvirt/-/commit/6f3f6c0f763b9ffd8ef93eb124c88dd0b79138fc +Bug-Debian: https://bugs.debian.org/1075718 +--- + tools/virsh-domain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c +index 6b431bd..59b2b3c 100644 +--- a/tools/virsh-domain.c ++++ b/tools/virsh-domain.c +@@ -3209,7 +3209,7 @@ cmdDomIfSetLink(vshControl *ctl, const vshCmd *cmd) + } + } + +- if (xmlHasProp(linkNode, BAD_CAST "link")) ++ if (xmlHasProp(linkNode, BAD_CAST "state")) + stateAttr = xmlSetProp(linkNode, BAD_CAST "state", BAD_CAST state); + else + stateAttr = xmlNewProp(linkNode, BAD_CAST "state", BAD_CAST state); diff -Nru libvirt-9.0.0/debian/patches/series libvirt-9.0.0/debian/patches/series --- libvirt-9.0.0/debian/patches/series 2023-05-21 11:31:31.000000000 +0200 +++ 
libvirt-9.0.0/debian/patches/series 2024-08-24 16:05:45.000000000 +0200 @@ -10,6 +10,12 @@ backport/rpc-Don-t-warn-about-max_client_requests-in-single-thread.patch backport/conf-Fix-migration-in-some-firmware-autoselection-scenari.patch backport/virpci-Resolve-leak-in-virPCIVirtualFunctionList-cleanup.patch +backport/virsh-Make-domif-setlink-work-more-than-once.patch +backport/storage-Fix-returning-of-locked-objects-from-virStoragePo.patch +backport/Fix-off-by-one-error-in-udevListInterfacesByStatus.patch +backport/remote-check-for-negative-array-lengths-before-allocation.patch +backport/interface-fix-udev_device_get_sysattr_value-return-value-.patch +backport/qemu-domain-Fix-logic-when-tainting-domain.patch forward/Skip-vircgrouptest.patch forward/Reduce-udevadm-settle-timeout-to-10-seconds.patch forward/Pass-GPG_TTY-env-var-to-the-ssh-binary.patch diff -Nru libvirt-9.0.0/debian/README.source libvirt-9.0.0/debian/README.source --- libvirt-9.0.0/debian/README.source 2023-05-21 11:31:31.000000000 +0200 +++ libvirt-9.0.0/debian/README.source 2024-08-24 16:05:45.000000000 +0200 @@ -1,6 +1,6 @@ -This package is maintained with git-buildpackage(1). It follows DEP-14 -for branch naming (e.g. using debian/sid for the current version -in Debian unstable). +This package is maintained with git-buildpackage(1). It follows +DEP-14 for branch naming (e.g. using debian/latest for the current +development target). It uses pristine-tar(1) to store enough information in git to generate bit identical tarballs when building the package without having @@ -22,7 +22,7 @@ git-pbuilder(1) manpage. In short: DIST=sid git-pbuilder create - gbp clone https://anonscm.debian.org/git/pkg-libvirt/libvirt.git + gbp clone https://salsa.debian.org/libvirt-team/libvirt.git cd libvirt gbp buildpackage --git-pbuilder
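Review bot: in remote-check-for-negative-array-lengths-before-allocation.patch, the remoteDispatchDomainGetVcpus hunk reports the wrong field name for the second check: `if (args->maplen < 0)` emits `_("maxinfo must be non-negative")` where every other maplen check in the patch says `_("maplen must be non-negative")`. The check itself is correct, so this only affects the error text seen by clients; if the string is identical in the upstream commit the backport is faithful and fixing it here would be a deliberate divergence to note in the Conflicts block, otherwise correct it before upload.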
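Review bot: in the gendispatch.pl hunk of the same patch the generated negative-length check raises VIR_ERR_RPC while all the hand-written checks added to remote_daemon_dispatch.c raise VIR_ERR_INTERNAL_ERROR for the identical condition. Each new check mirrors the error class of the adjacent "too large" check, so this is consistent with the surrounding code rather than a bug; a negative length arriving from the wire is arguably an RPC error in both places, but that would be an upstream cleanup, not something to change in the backport.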
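Review bot: in interface-fix-udev_device_get_sysattr_value-return-value-.patch, the udevConnectListAllInterfaces hunk still leaves `macaddr = udev_device_get_sysattr_value(dev, "address");` unchecked while the neighbouring `path`, `dev` and `name` lookups gain a NULL check and a VIR_DEBUG skip, and the `operstate` read is switched to STREQ_NULLABLE. The consumers of macaddr are outside the visible hunk, so please confirm they tolerate NULL (or that this matches the upstream commit exactly); otherwise give it the same skip-and-continue treatment.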
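Review bot: the header of interface-fix-udev_device_get_sysattr_value-return-value-.patch carries the bare line `CVE-2024-2496` after the Origin field but no `Bug-Debian:` reference, unlike the other three CVE backports in this debdiff (1066058, 1067461, 1041811). If a Debian bug tracks this CVE, add the `Bug-Debian:` header so the patch metadata is consistent and tooling can link it.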
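Review bot: qemu-domain-Fix-logic-when-tainting-domain.patch uses `Bugs-Debian: https://bugs.debian.org/1052405`; the DEP-3 field is `Bug-Debian:` (singular), as used by the other patches in this diff, e.g. `Bug-Debian: https://bugs.debian.org/1075718`. Tools that parse DEP-3 headers will not recognise the plural form.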
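Review bot: virsh-Make-domif-setlink-work-more-than-once.patch writes `(cherry-picked from commit 6f3f6c0f...)` with a hyphen, whereas every other backport uses the `git cherry-pick -x` form `(cherry picked from commit ...)`. Purely cosmetic, but anyone grepping the patch directory for the standard trailer will miss this one, so it is worth normalising while the metadata is being tweaked anyway.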
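Review bot: the order of the new entries in debian/patches/series is load-bearing and must not be reshuffled to match the changelog grouping: interface-fix-udev_device_get_sysattr_value-return-value-.patch is queued after Fix-off-by-one-error-in-udevListInterfacesByStatus.patch, and its `index 01d6f55..b1702f6` header for src/interface/interface_backend_udev.c starts from the blob that the off-by-one patch produces (`index 54b43fb..01d6f55`). The debdiff as attached is consistent in this respect.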
Attachment:
signature.asc
Description: PGP signature