CVE-2017-1000256: libvirt: TLS certificate verification disabled for clients (bz #1503687)

2017-12-04 12:16:49 -05:00 · 2017-12-04 12:16:49 -05:00 · 54d3da1da5
parent faf5df2081
commit 54d3da1da5
5 changed files with 91 additions and 13 deletions
--- a/0015-cpu-Introduce-virCPUGetHostIsSupported.patch
+++ b/0015-cpu-Introduce-virCPUGetHostIsSupported.patch
@ -19,10 +19,11 @@ diff --git a/src/cpu/cpu.c b/src/cpu/cpu.c
 index 8a407ac18..702b14dbb 100644
 --- a/src/cpu/cpu.c
 +++ b/src/cpu/cpu.c
-@@ -358,6 +358,26 @@ virCPUDataFree(virCPUDataPtr data)
+@@ -357,6 +357,26 @@ virCPUDataFree(virCPUDataPtr data)
+ }
 
 
- /**
+/**
 + * virCPUGetHostIsSupported:
 + *
 + * @arch: CPU architecture
@ -42,10 +43,9 @@ index 8a407ac18..702b14dbb 100644
 +}
 +
 +
-+/**
+ /**
  * virCPUGetHost:
  *
-  * @arch: CPU architecture
 diff --git a/src/cpu/cpu.h b/src/cpu/cpu.h
 index 352445c40..c6ca111e9 100644
 --- a/src/cpu/cpu.h
--- a/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
+++ b/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch
@ -42,10 +42,11 @@ index 922e48494..1f8d279bf 100644
     char *baselabel;
     virSecurityManagerDACChownCallback chownCallback;
 };
-@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
+     priv->dynamicOwnership = dynamicOwnership;
 }
 
- void
+void
 +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
 +                                bool mountNamespace)
 +{
@ -54,10 +55,9 @@ index 922e48494..1f8d279bf 100644
 +}
 +
 +
-+void
+ void
 virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
                                virSecurityManagerDACChownCallback chownCallback)
- {
 diff --git a/src/security/security_dac.h b/src/security/security_dac.h
 index 846cefbb5..97681c961 100644
 --- a/src/security/security_dac.h
--- a/0106-security-dac-relabel-spice-rendernode.patch
+++ b/0106-security-dac-relabel-spice-rendernode.patch
@ -20,10 +20,11 @@ diff --git a/src/security/security_dac.c b/src/security/security_dac.c
 index 1f8d279bf..5f13bcee8 100644
 --- a/src/security/security_dac.c
 +++ b/src/security/security_dac.c
-@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
+@@ -1379,6 +1379,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
+ }
 
 
- static int
+static int
 +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
 +                               virDomainDefPtr def,
 +                               virDomainGraphicsDefPtr gfx)
@ -71,10 +72,9 @@ index 1f8d279bf..5f13bcee8 100644
 +}
 +
 +
-+static int
+ static int
 virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
                             virDomainDefPtr def,
-                             virDomainInputDefPtr input)
@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
             rc = -1;
     }
--- a/0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch
+++ b/0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch
@ -0,0 +1,71 @@
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c                                                 | 2 +-
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args     | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args                 | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 311edd13e..141831635 100644
+--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
+@@ -727,7 +727,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
+                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index b456cce30..003d11de7 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
+endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 7f9fedb6c..a020ff006 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
--- a/libvirt.spec
+++ b/libvirt.spec
@ -240,7 +240,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 3.2.1
-Release: 6%{?dist}%{?extra_release}
+Release: 7%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -287,6 +287,9 @@ Patch0106: 0106-security-dac-relabel-spice-rendernode.patch
 Patch0107: 0107-qemu-Honour-on_reboot.patch
 # Fix disk images in /dev/shm (bz #1482146)
 Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch
+# CVE-2017-1000256:  libvirt: TLS certificate verification disabled for
+# clients (bz #1503687)
+Patch0109: 0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch

 Requires: libvirt-daemon = %{version}-%{release}
 Requires: libvirt-daemon-config-network = %{version}-%{release}
@ -2154,6 +2157,10 @@ exit 0


 %changelog
+* Mon Dec 04 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-7
+- CVE-2017-1000256:  libvirt: TLS certificate verification disabled for
+  clients (bz #1503687)
+
 * Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-6
 - Fix TPM2 passthrough (bz #1486240)
 - Fix spice GL qemu:///system rendernode permissions (bz #1460804)