diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch new file mode 100644 index 00000000..1f958fa1 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p1.patch @@ -0,0 +1,63 @@ +From b0f788c2d3d9930015258a7df95dde80a498e657 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 17:26:13 +0100 +Subject: [PATCH 1/7] admin: reject clients unless their UID matches the + current UID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The admin protocol RPC messages are only intended for use by the user +running the daemon. As such they should not be allowed for any client +UID that does not match the server UID. + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) + +Upstream-Status: Backport +CVE: CVE-2019-10132 patch #1 +Signed-off-by: Armin Kuster + +--- + src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c +index b78ff90..9f25813 100644 +--- a/src/admin/admin_server_dispatch.c ++++ b/src/admin/admin_server_dispatch.c +@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, + void *opaque) + { + struct daemonAdmClientPrivate *priv; ++ uid_t clientuid; ++ gid_t clientgid; ++ pid_t clientpid; ++ unsigned long long timestamp; ++ ++ if (virNetServerClientGetUNIXIdentity(client, ++ &clientuid, ++ &clientgid, ++ &clientpid, ++ ×tamp) < 0) ++ return NULL; ++ ++ VIR_DEBUG("New client pid %lld uid %lld", ++ (long long)clientpid, ++ (long long)clientuid); ++ ++ if (geteuid() != clientuid) { ++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"), ++ (long long)clientpid, ++ (long long)clientuid); ++ return NULL; ++ } + + if (VIR_ALLOC(priv) < 0) + return NULL; +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch new file mode 100644 index 00000000..2fffe14d --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p2.patch @@ -0,0 +1,55 @@ +From ea014c9fcf19539c75a7cb6926b14858426746a7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 16:51:37 +0100 +Subject: [PATCH 2/7] locking: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlockd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1) + +Upstream-Status: Backport +CVE: CVE-2019-10132 patch #2 +Signed-off-by: Armin Kuster +--- + src/locking/virtlockd-admin.socket.in | 1 + + src/locking/virtlockd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in +index 2a7500f..f674c49 100644 +--- a/src/locking/virtlockd-admin.socket.in ++++ b/src/locking/virtlockd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock + Service=virtlockd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in +index 45e0f20..d701b27 100644 +--- a/src/locking/virtlockd.socket.in ++++ b/src/locking/virtlockd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch new file mode 100644 index 00000000..0cb00053 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch @@ -0,0 +1,55 @@ +From a474f18dceed61d562508980999e5f2d7445d683 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 17:27:41 +0100 +Subject: [PATCH 3/7] logging: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlogd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f) + +Upstream-Status: Backport +CVE: CVE-2019-10132 patch #3 +Signed-off-by: Armin Kuster +--- + src/logging/virtlogd-admin.socket.in | 1 + + src/logging/virtlogd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in +index 595e6c4..5c41dfe 100644 +--- a/src/logging/virtlogd-admin.socket.in ++++ b/src/logging/virtlogd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock + Service=virtlogd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in +index 22b9360..ae48cda 100644 +--- a/src/logging/virtlogd.socket.in ++++ b/src/logging/virtlogd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch new file mode 100644 index 00000000..72e69a81 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch @@ -0,0 +1,101 @@ +From 568c735d7b0ccb55f9476c86f8603eb3a5c9fc5c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 08:47:42 +0200 +Subject: [PATCH 4/7] api: disallow virDomainSaveImageGetXMLDesc on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) +Signed-off-by: Ján Tomko + +Conflicts: + src/libvirt-domain.c + src/remote/remote_protocol.x + +Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE +alias for VIR_DOMAIN_XML_SECURE is not backported. +Just skip the commit since we now disallow the whole API on read-only +connections, regardless of the flag. + +Signed-off-by: Ján Tomko + +Upstream-Status: Backport +CVE: CVE-2019-19161 +Signed-off-by: Armin Kuster +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 7690339..c188239 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only +- * connections. For this API, @flags should not contain either +- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. ++ * VIR_DOMAIN_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index a52e249..f7656e5 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6798,7 +6798,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +index 28c8feb..52b9233 100644 +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -5226,8 +5226,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch new file mode 100644 index 00000000..6305ffd5 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10166.patch @@ -0,0 +1,43 @@ +From 0a744e15517d727c7f473fabe32ca6b0dbb7b7d1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:14:53 +0200 +Subject: [PATCH 5/7] api: disallow virDomainManagedSaveDefineXML on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virDomainManagedSaveDefineXML can be used to alter the domain's +config used for managedsave or even execute arbitrary emulator binaries. +Forbid it on read-only connections. + +Fixes: CVE-2019-10166 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) +Signed-off-by: Ján Tomko + +Upstream-Status: Backport +CVE: CVE-2019-19166 +Signed-off-by: Armin Kuster + +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index c188239..d8b64c0 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -9490,6 +9490,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret; +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch new file mode 100644 index 00000000..abca309f --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10167.patch @@ -0,0 +1,41 @@ +From 6452b9fdff7988024a6157ca0a973ac3abf54468 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:16:14 +0200 +Subject: [PATCH 6/7] api: disallow virConnectGetDomainCapabilities on + read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) +Signed-off-by: Ján Tomko + +Upstream-Status: Backport +CVE: CVE-2019-19167 +Signed-off-by: Armin Kuster + +--- + src/libvirt-domain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index d8b64c0..1e1c4e3 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -11282,6 +11282,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch new file mode 100644 index 00000000..2211238a --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2019-10168.patch @@ -0,0 +1,49 @@ +From dd88b69a207c1ed6e89d7e9fa6b5f4a9ec4db97c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:17:39 +0200 +Subject: [PATCH 7/7] api: disallow virConnect*HypervisorCPU on read-only + connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +These APIs can be used to execute arbitrary emulators. +Forbid them on read-only connections. + +Fixes: CVE-2019-10168 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291) +Signed-off-by: Ján Tomko + +Upstream-Status: Backport +CVE: CVE-2019-19168 +Signed-off-by: Armin Kuster + +--- + src/libvirt-host.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libvirt-host.c b/src/libvirt-host.c +index e20d6ee..2978825 100644 +--- a/src/libvirt-host.c ++++ b/src/libvirt-host.c +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR); + virCheckNonNullArgGoto(xmlCPU, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectCompareHypervisorCPU) { + int ret; +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(xmlCPUs, error); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectBaselineHypervisorCPU) { + char *cpu; +-- +2.7.4 + diff --git a/recipes-extended/libvirt/libvirt_4.9.0.bb b/recipes-extended/libvirt/libvirt_4.9.0.bb index 813d95ec..db5a4f93 100644 --- a/recipes-extended/libvirt/libvirt_4.9.0.bb +++ b/recipes-extended/libvirt/libvirt_4.9.0.bb @@ -36,6 +36,13 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \ file://0001-ptest-Remove-Windows-1252-check-from-esxutilstest.patch \ file://configure.ac-search-for-rpc-rpc.h-in-the-sysroot.patch \ file://hook_support.py \ + file://CVE-2019-10132_p1.patch \ + file://CVE-2019-10132_p2.patch \ + file://CVE-2019-10132_p3.patch \ + file://CVE-2019-10161.patch \ + file://CVE-2019-10166.patch \ + file://CVE-2019-10167.patch \ + file://CVE-2019-10168.patch \ " SRC_URI[libvirt.md5sum] = "aaf7b265ac2013d6eb184a86b5f7eeb9"