libvirt-5.4.0-2.fc31

CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc API (bz #1722463, bz #1720115)
CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly clients (bz #1722462, bz #1720114)
CVE-2019-10167: arbitrary command execution via virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
CVE-2019-10168: arbitrary command execution via virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz #1722466, bz #1720118)
This commit is contained in:
Cole Robinson 2019-06-20 12:30:57 -04:00
parent c2c89ec6a3
commit a2479f539e
5 changed files with 210 additions and 1 deletions

View File

@ -0,0 +1,81 @@
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Fri, 14 Jun 2019 08:47:42 +0200
Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
---
src/libvirt-domain.c | 11 ++---------
src/qemu/qemu_driver.c | 2 +-
src/remote/remote_protocol.x | 3 +--
3 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index df7e405b3e..1cc8537c04 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
* previously by virDomainSave() or virDomainSaveFlags().
*
* No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE; this flag is rejected on read-only
- * connections.
+ * VIR_DOMAIN_SAVE_IMAGE_XML_SECURE.
*
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
* error. The caller must free() the returned value.
@@ -1090,13 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(file, error);
-
- if ((conn->flags & VIR_CONNECT_RO) &&
- (flags & VIR_DOMAIN_SAVE_IMAGE_XML_SECURE)) {
- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
- _("virDomainSaveImageGetXMLDesc with secure flag"));
- goto error;
- }
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->domainSaveImageGetXMLDesc) {
char *ret;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 42b1ce2521..ea9a3d33a3 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -7038,7 +7038,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
if (fd < 0)
goto cleanup;
- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
goto cleanup;
ret = qemuDomainDefFormatXML(driver, def, flags);
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 11f44ee267..737d67c47b 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5242,8 +5242,7 @@ enum remote_procedure {
/**
* @generate: both
* @priority: high
- * @acl: domain:read
- * @acl: domain:read_secure:VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+ * @acl: domain:write
*/
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,

View File

@ -0,0 +1,33 @@
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Fri, 14 Jun 2019 09:14:53 +0200
Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.
Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
---
src/libvirt-domain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 1cc8537c04..f77fc23a3f 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -9563,6 +9563,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
virCheckDomainReturn(domain, -1);
conn = domain->conn;
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->domainManagedSaveDefineXML) {
int ret;

View File

@ -0,0 +1,31 @@
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Fri, 14 Jun 2019 09:16:14 +0200
Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.
Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
---
src/libvirt-domain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index f77fc23a3f..c500d6be36 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -11360,6 +11360,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
virResetLastError();
virCheckConnectReturn(conn, NULL);
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->connectGetDomainCapabilities) {
char *ret;

View File

@ -0,0 +1,39 @@
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
Date: Fri, 14 Jun 2019 09:17:39 +0200
Subject: [PATCH] api: disallow virConnect*HypervisorCPU on read-only
connections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These APIs can be used to execute arbitrary emulators.
Forbid them on read-only connections.
Fixes: CVE-2019-10168
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
---
src/libvirt-host.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libvirt-host.c b/src/libvirt-host.c
index e20d6ee250..2978825d22 100644
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
virCheckNonNullArgGoto(xmlCPU, error);
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->connectCompareHypervisorCPU) {
int ret;
@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(xmlCPUs, error);
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->connectBaselineHypervisorCPU) {
char *cpu;

View File

@ -216,7 +216,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 5.4.0
Release: 1%{?dist}
Release: 2%{?dist}
License: LGPLv2+
URL: https://libvirt.org/
@ -225,6 +225,20 @@ URL: https://libvirt.org/
%endif
Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
# CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc
# API (bz #1722463, bz #1720115)
Patch0001: 0001-api-disallow-virDomainSaveImageGetXMLDesc-on-read-on.patch
# CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly
# clients (bz #1722462, bz #1720114)
Patch0002: 0002-api-disallow-virDomainManagedSaveDefineXML-on-read-o.patch
# CVE-2019-10167: arbitrary command execution via
# virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
Patch0003: 0003-api-disallow-virConnectGetDomainCapabilities-on-read.patch
# CVE-2019-10168: arbitrary command execution via
# virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz
# #1722466, bz #1720118)
Patch0004: 0004-api-disallow-virConnect-HypervisorCPU-on-read-only-c.patch
Requires: libvirt-daemon = %{version}-%{release}
Requires: libvirt-daemon-config-network = %{version}-%{release}
Requires: libvirt-daemon-config-nwfilter = %{version}-%{release}
@ -1870,6 +1884,17 @@ exit 0
%changelog
* Thu Jun 20 2019 Cole Robinson <crobinso@redhat.com> - 5.4.0-2
- CVE-2019-10161: arbitrary file read/exec via virDomainSaveImageGetXMLDesc
API (bz #1722463, bz #1720115)
- CVE-2019-10166: virDomainManagedSaveDefineXML API exposed to readonly
clients (bz #1722462, bz #1720114)
- CVE-2019-10167: arbitrary command execution via
virConnectGetDomainCapabilities API (bz #1722464, bz #1720117)
- CVE-2019-10168: arbitrary command execution via
virConnectBaselineHypervisorCPU and virConnectCompareHypervisorCPU APIs (bz
#1722466, bz #1720118)
* Wed Jun 12 2019 Daniel P. Berrangé <berrange@redhat.com> - 5.4.0-1
- Update to 5.4.0 release