diff --git a/0015-cpu-Introduce-virCPUGetHostIsSupported.patch b/0015-cpu-Introduce-virCPUGetHostIsSupported.patch index c4d616c..655cd5a 100644 --- a/0015-cpu-Introduce-virCPUGetHostIsSupported.patch +++ b/0015-cpu-Introduce-virCPUGetHostIsSupported.patch @@ -19,10 +19,11 @@ diff --git a/src/cpu/cpu.c b/src/cpu/cpu.c index 8a407ac18..702b14dbb 100644 --- a/src/cpu/cpu.c +++ b/src/cpu/cpu.c -@@ -358,6 +358,26 @@ virCPUDataFree(virCPUDataPtr data) +@@ -357,6 +357,26 @@ virCPUDataFree(virCPUDataPtr data) + } - /** ++/** + * virCPUGetHostIsSupported: + * + * @arch: CPU architecture @@ -42,10 +43,9 @@ index 8a407ac18..702b14dbb 100644 +} + + -+/** + /** * virCPUGetHost: * - * @arch: CPU architecture diff --git a/src/cpu/cpu.h b/src/cpu/cpu.h index 352445c40..c6ca111e9 100644 --- a/src/cpu/cpu.h diff --git a/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch b/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch index cee8159..6d79260 100644 --- a/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch +++ b/0105-security-add-MANAGER_MOUNT_NAMESPACE-flag.patch @@ -42,10 +42,11 @@ index 922e48494..1f8d279bf 100644 char *baselabel; virSecurityManagerDACChownCallback chownCallback; }; -@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, +@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr, + priv->dynamicOwnership = dynamicOwnership; } - void ++void +virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr, + bool mountNamespace) +{ @@ -54,10 +55,9 @@ index 922e48494..1f8d279bf 100644 +} + + -+void + void virSecurityDACSetChownCallback(virSecurityManagerPtr mgr, virSecurityManagerDACChownCallback chownCallback) - { diff --git a/src/security/security_dac.h b/src/security/security_dac.h index 846cefbb5..97681c961 100644 --- a/src/security/security_dac.h diff --git a/0106-security-dac-relabel-spice-rendernode.patch b/0106-security-dac-relabel-spice-rendernode.patch index b97bdf1..8af25b9 100644 --- a/0106-security-dac-relabel-spice-rendernode.patch +++ b/0106-security-dac-relabel-spice-rendernode.patch @@ -20,10 +20,11 @@ diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 1f8d279bf..5f13bcee8 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c -@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, +@@ -1379,6 +1379,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, + } - static int ++static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) @@ -71,10 +72,9 @@ index 1f8d279bf..5f13bcee8 100644 +} + + -+static int + static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, - virDomainInputDefPtr input) @@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } diff --git a/0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch b/0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch new file mode 100644 index 0000000..eae86e8 --- /dev/null +++ b/0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch @@ -0,0 +1,71 @@ +From: "Daniel P. Berrange" +Date: Thu, 5 Oct 2017 17:54:28 +0100 +Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate + +The default_tls_x509_verify (and related) parameters in qemu.conf +control whether the QEMU TLS servers request & verify certificates +from clients. This works as a simple access control system for +servers by requiring the CA to issue certs to permitted clients. +This use of client certificates is disabled by default, since it +requires extra work to issue client certificates. + +Unfortunately the code was using this configuration parameter when +setting up both TLS clients and servers in QEMU. The result was that +TLS clients for character devices and disk devices had verification +turned off, meaning they would ignore errors while validating the +server certificate. + +This allows for trivial MITM attacks between client and server, +as any certificate returned by the attacker will be accepted by +the client. + +This is assigned CVE-2017-1000256 / LSN-2017-0002 + +Reviewed-by: Eric Blake +Signed-off-by: Daniel P. Berrange +(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) +--- + src/qemu/qemu_command.c | 2 +- + tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- + .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 311edd13e..141831635 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -727,7 +727,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + if (virJSONValueObjectCreate(propsret, + "s:dir", path, + "s:endpoint", (isListen ? "server": "client"), +- "b:verify-peer", verifypeer, ++ "b:verify-peer", (isListen ? verifypeer : true), + NULL) < 0) + goto cleanup; + +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +index b456cce30..003d11de7 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +@@ -26,7 +26,7 @@ server,nowait \ + localport=1111 \ + -device isa-serial,chardev=charserial0,id=serial0 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no \ ++endpoint=client,verify-peer=yes \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +index 7f9fedb6c..a020ff006 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +@@ -31,7 +31,7 @@ localport=1111 \ + data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ + keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ ++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ diff --git a/libvirt.spec b/libvirt.spec index 6fd2f0e..7d16a82 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -240,7 +240,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 3.2.1 -Release: 6%{?dist}%{?extra_release} +Release: 7%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -287,6 +287,9 @@ Patch0106: 0106-security-dac-relabel-spice-rendernode.patch Patch0107: 0107-qemu-Honour-on_reboot.patch # Fix disk images in /dev/shm (bz #1482146) Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch +# CVE-2017-1000256: libvirt: TLS certificate verification disabled for +# clients (bz #1503687) +Patch0109: 0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2154,6 +2157,10 @@ exit 0 %changelog +* Mon Dec 04 2017 Cole Robinson - 3.2.1-7 +- CVE-2017-1000256: libvirt: TLS certificate verification disabled for + clients (bz #1503687) + * Fri Sep 15 2017 Cole Robinson - 3.2.1-6 - Fix TPM2 passthrough (bz #1486240) - Fix spice GL qemu:///system rendernode permissions (bz #1460804)