CVE-2017-1000256: libvirt: TLS certificate verification disabled for clients (bz #1503687)
This commit is contained in:
parent
faf5df2081
commit
54d3da1da5
|
@ -19,10 +19,11 @@ diff --git a/src/cpu/cpu.c b/src/cpu/cpu.c
|
||||||
index 8a407ac18..702b14dbb 100644
|
index 8a407ac18..702b14dbb 100644
|
||||||
--- a/src/cpu/cpu.c
|
--- a/src/cpu/cpu.c
|
||||||
+++ b/src/cpu/cpu.c
|
+++ b/src/cpu/cpu.c
|
||||||
@@ -358,6 +358,26 @@ virCPUDataFree(virCPUDataPtr data)
|
@@ -357,6 +357,26 @@ virCPUDataFree(virCPUDataPtr data)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
+/**
|
||||||
+ * virCPUGetHostIsSupported:
|
+ * virCPUGetHostIsSupported:
|
||||||
+ *
|
+ *
|
||||||
+ * @arch: CPU architecture
|
+ * @arch: CPU architecture
|
||||||
|
@ -42,10 +43,9 @@ index 8a407ac18..702b14dbb 100644
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+/**
|
/**
|
||||||
* virCPUGetHost:
|
* virCPUGetHost:
|
||||||
*
|
*
|
||||||
* @arch: CPU architecture
|
|
||||||
diff --git a/src/cpu/cpu.h b/src/cpu/cpu.h
|
diff --git a/src/cpu/cpu.h b/src/cpu/cpu.h
|
||||||
index 352445c40..c6ca111e9 100644
|
index 352445c40..c6ca111e9 100644
|
||||||
--- a/src/cpu/cpu.h
|
--- a/src/cpu/cpu.h
|
||||||
|
|
|
@ -42,10 +42,11 @@ index 922e48494..1f8d279bf 100644
|
||||||
char *baselabel;
|
char *baselabel;
|
||||||
virSecurityManagerDACChownCallback chownCallback;
|
virSecurityManagerDACChownCallback chownCallback;
|
||||||
};
|
};
|
||||||
@@ -238,6 +239,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
@@ -237,6 +238,15 @@ virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
|
||||||
|
priv->dynamicOwnership = dynamicOwnership;
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
+void
|
||||||
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
|
+virSecurityDACSetMountNamespace(virSecurityManagerPtr mgr,
|
||||||
+ bool mountNamespace)
|
+ bool mountNamespace)
|
||||||
+{
|
+{
|
||||||
|
@ -54,10 +55,9 @@ index 922e48494..1f8d279bf 100644
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+void
|
void
|
||||||
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
virSecurityDACSetChownCallback(virSecurityManagerPtr mgr,
|
||||||
virSecurityManagerDACChownCallback chownCallback)
|
virSecurityManagerDACChownCallback chownCallback)
|
||||||
{
|
|
||||||
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
|
diff --git a/src/security/security_dac.h b/src/security/security_dac.h
|
||||||
index 846cefbb5..97681c961 100644
|
index 846cefbb5..97681c961 100644
|
||||||
--- a/src/security/security_dac.h
|
--- a/src/security/security_dac.h
|
||||||
|
|
|
@ -20,10 +20,11 @@ diff --git a/src/security/security_dac.c b/src/security/security_dac.c
|
||||||
index 1f8d279bf..5f13bcee8 100644
|
index 1f8d279bf..5f13bcee8 100644
|
||||||
--- a/src/security/security_dac.c
|
--- a/src/security/security_dac.c
|
||||||
+++ b/src/security/security_dac.c
|
+++ b/src/security/security_dac.c
|
||||||
@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
|
@@ -1379,6 +1379,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static int
|
+static int
|
||||||
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
|
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
|
||||||
+ virDomainDefPtr def,
|
+ virDomainDefPtr def,
|
||||||
+ virDomainGraphicsDefPtr gfx)
|
+ virDomainGraphicsDefPtr gfx)
|
||||||
|
@ -71,10 +72,9 @@ index 1f8d279bf..5f13bcee8 100644
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+static int
|
static int
|
||||||
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
|
virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainInputDefPtr input)
|
|
||||||
@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
|
||||||
rc = -1;
|
rc = -1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,71 @@
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Thu, 5 Oct 2017 17:54:28 +0100
|
||||||
|
Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
|
||||||
|
|
||||||
|
The default_tls_x509_verify (and related) parameters in qemu.conf
|
||||||
|
control whether the QEMU TLS servers request & verify certificates
|
||||||
|
from clients. This works as a simple access control system for
|
||||||
|
servers by requiring the CA to issue certs to permitted clients.
|
||||||
|
This use of client certificates is disabled by default, since it
|
||||||
|
requires extra work to issue client certificates.
|
||||||
|
|
||||||
|
Unfortunately the code was using this configuration parameter when
|
||||||
|
setting up both TLS clients and servers in QEMU. The result was that
|
||||||
|
TLS clients for character devices and disk devices had verification
|
||||||
|
turned off, meaning they would ignore errors while validating the
|
||||||
|
server certificate.
|
||||||
|
|
||||||
|
This allows for trivial MITM attacks between client and server,
|
||||||
|
as any certificate returned by the attacker will be accepted by
|
||||||
|
the client.
|
||||||
|
|
||||||
|
This is assigned CVE-2017-1000256 / LSN-2017-0002
|
||||||
|
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
|
||||||
|
---
|
||||||
|
src/qemu/qemu_command.c | 2 +-
|
||||||
|
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
|
||||||
|
.../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
|
||||||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
|
||||||
|
index 311edd13e..141831635 100644
|
||||||
|
--- a/src/qemu/qemu_command.c
|
||||||
|
+++ b/src/qemu/qemu_command.c
|
||||||
|
@@ -727,7 +727,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
|
||||||
|
if (virJSONValueObjectCreate(propsret,
|
||||||
|
"s:dir", path,
|
||||||
|
"s:endpoint", (isListen ? "server": "client"),
|
||||||
|
- "b:verify-peer", verifypeer,
|
||||||
|
+ "b:verify-peer", (isListen ? verifypeer : true),
|
||||||
|
NULL) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
index b456cce30..003d11de7 100644
|
||||||
|
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
@@ -26,7 +26,7 @@ server,nowait \
|
||||||
|
localport=1111 \
|
||||||
|
-device isa-serial,chardev=charserial0,id=serial0 \
|
||||||
|
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||||
|
-endpoint=client,verify-peer=no \
|
||||||
|
+endpoint=client,verify-peer=yes \
|
||||||
|
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||||
|
tls-creds=objcharserial1_tls0 \
|
||||||
|
-device isa-serial,chardev=charserial1,id=serial1 \
|
||||||
|
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
index 7f9fedb6c..a020ff006 100644
|
||||||
|
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
@@ -31,7 +31,7 @@ localport=1111 \
|
||||||
|
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
|
||||||
|
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
|
||||||
|
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||||
|
-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
|
||||||
|
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
|
||||||
|
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||||
|
tls-creds=objcharserial1_tls0 \
|
||||||
|
-device isa-serial,chardev=charserial1,id=serial1 \
|
|
@ -240,7 +240,7 @@
|
||||||
Summary: Library providing a simple virtualization API
|
Summary: Library providing a simple virtualization API
|
||||||
Name: libvirt
|
Name: libvirt
|
||||||
Version: 3.2.1
|
Version: 3.2.1
|
||||||
Release: 6%{?dist}%{?extra_release}
|
Release: 7%{?dist}%{?extra_release}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||||
|
@ -287,6 +287,9 @@ Patch0106: 0106-security-dac-relabel-spice-rendernode.patch
|
||||||
Patch0107: 0107-qemu-Honour-on_reboot.patch
|
Patch0107: 0107-qemu-Honour-on_reboot.patch
|
||||||
# Fix disk images in /dev/shm (bz #1482146)
|
# Fix disk images in /dev/shm (bz #1482146)
|
||||||
Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch
|
Patch0108: 0108-qemuDomainBuildNamespace-Move-dev-mountpoints-later.patch
|
||||||
|
# CVE-2017-1000256: libvirt: TLS certificate verification disabled for
|
||||||
|
# clients (bz #1503687)
|
||||||
|
Patch0109: 0109-qemu-ensure-TLS-clients-always-verify-the-server-cer.patch
|
||||||
|
|
||||||
Requires: libvirt-daemon = %{version}-%{release}
|
Requires: libvirt-daemon = %{version}-%{release}
|
||||||
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
||||||
|
@ -2154,6 +2157,10 @@ exit 0
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Dec 04 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-7
|
||||||
|
- CVE-2017-1000256: libvirt: TLS certificate verification disabled for
|
||||||
|
clients (bz #1503687)
|
||||||
|
|
||||||
* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-6
|
* Fri Sep 15 2017 Cole Robinson <crobinso@redhat.com> - 3.2.1-6
|
||||||
- Fix TPM2 passthrough (bz #1486240)
|
- Fix TPM2 passthrough (bz #1486240)
|
||||||
- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
|
- Fix spice GL qemu:///system rendernode permissions (bz #1460804)
|
||||||
|
|
Loading…
Reference in New Issue