Fix for CVE-2011-1486, error reporting in libvirtd is not thread safe, bug 693457

2011-04-05 15:51:36 -04:00 · 2011-04-05 15:51:36 -04:00 · 2915aa73af
parent dedb223721
commit 2915aa73af
3 changed files with 1254 additions and 1 deletions
--- a/libvirt-0.8.8-avoid-resetting-errors.patch
+++ b/libvirt-0.8.8-avoid-resetting-errors.patch
@ -0,0 +1,51 @@
+From 2c2ae4c48c7e57fd233f1b9475fb6ecbab04804a Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 25 Mar 2011 16:45:45 +0100
+Subject: [PATCH 2/2] daemon: Avoid resetting errors before they are reported
+
+https://bugzilla.redhat.com/show_bug.cgi?id=690733
+
+Commit f44bfb7 was supposed to make sure no additional libvirt API (esp.
+*Free) is called before remoteDispatchConnError() is called on error.
+However, the patch missed two instances.
+(cherry picked from commit 55cc591fc18e87b29febf78dc5b424b7c12f7349)
+---
+ daemon/remote.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 554e75e..159430e 100644
+--- a/daemon/remote.c
+++ b/daemon/remote.c
+@@ -4868,12 +4868,13 @@ remoteDispatchStoragePoolListVolumes (struct qemud_server *server ATTRIBUTE_UNUS
+     ret->names.names_len =
+         virStoragePoolListVolumes (pool,
+                                    ret->names.names_val, args->maxnames);
+-    virStoragePoolFree(pool);
+     if (ret->names.names_len == -1) {
+         VIR_FREE(ret->names.names_val);
+         remoteDispatchConnError(rerr, conn);
+        virStoragePoolFree(pool);
+         return -1;
+     }
+    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+@@ -4897,11 +4898,12 @@ remoteDispatchStoragePoolNumOfVolumes (struct qemud_server *server ATTRIBUTE_UNU
+     }
+ 
+     ret->num = virStoragePoolNumOfVolumes (pool);
+-    virStoragePoolFree(pool);
+     if (ret->num == -1) {
+         remoteDispatchConnError(rerr, conn);
+        virStoragePoolFree(pool);
+         return -1;
+     }
+    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+-- 
+1.7.3.4
+
--- a/libvirt-0.8.8-threadsafe-libvirtd-error-reporting.patch
+++ b/libvirt-0.8.8-threadsafe-libvirtd-error-reporting.patch
--- a/libvirt.spec
+++ b/libvirt.spec
@ -204,12 +204,15 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 0.8.8
-Release: 3%{?dist}%{?extra_release}
+Release: 4%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
 Patch1: %{name}-%{version}-kernel-boot-index.patch
 Patch2: %{name}-%{version}-read-only-checks.patch
+# Patches 5, 6  CVE-2011-1486
+Patch3: %{name}-%{version}-threadsafe-libvirtd-error-reporting.patch
+Patch4: %{name}-%{version}-avoid-resetting-errors.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
 BuildRequires: python-devel
@ -458,6 +461,8 @@ of recent versions of Linux (and other OSes).
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1

 %build
 %if ! %{with_xen}
@ -977,6 +982,10 @@ fi
 %endif

 %changelog
+* Tue Apr  5 2011 Laine Stump <laine@redhat.com> 0.8.8-4
+- Fix for CVE-2011-1486, error reporting in libvirtd is not thread safe,
+  bug 693457
+
 * Tue Mar 15 2011 Daniel Veillard <veillard@redhat.com> - 0.8.8-3
 - fix a lack of API check on read-only connections 683655
 - CVE-2011-1146