Fix systemd socket permissions (CVE-2019-10132)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé
parent
a2be167dfe
commit
d61e2404ba
|
|
@ -0,0 +1,58 @@
|
|||
From fd48a871a9dcdb8b8b1eb39612e5df870a7e2c3c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Tue, 30 Apr 2019 17:26:13 +0100
|
||||
Subject: [PATCH 1/3] admin: reject clients unless their UID matches the
|
||||
current UID
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The admin protocol RPC messages are only intended for use by the user
|
||||
running the daemon. As such they should not be allowed for any client
|
||||
UID that does not match the server UID.
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
|
||||
---
|
||||
src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++
|
||||
1 file changed, 22 insertions(+)
|
||||
|
||||
diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c
|
||||
index 85e693d76c..6e3b99f97d 100644
|
||||
--- a/src/admin/admin_server_dispatch.c
|
||||
+++ b/src/admin/admin_server_dispatch.c
|
||||
@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
{
|
||||
struct daemonAdmClientPrivate *priv;
|
||||
+ uid_t clientuid;
|
||||
+ gid_t clientgid;
|
||||
+ pid_t clientpid;
|
||||
+ unsigned long long timestamp;
|
||||
+
|
||||
+ if (virNetServerClientGetUNIXIdentity(client,
|
||||
+ &clientuid,
|
||||
+ &clientgid,
|
||||
+ &clientpid,
|
||||
+ ×tamp) < 0)
|
||||
+ return NULL;
|
||||
+
|
||||
+ VIR_DEBUG("New client pid %lld uid %lld",
|
||||
+ (long long)clientpid,
|
||||
+ (long long)clientuid);
|
||||
+
|
||||
+ if (geteuid() != clientuid) {
|
||||
+ virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
|
||||
+ (long long)clientpid,
|
||||
+ (long long)clientuid);
|
||||
+ return NULL;
|
||||
+ }
|
||||
|
||||
if (VIR_ALLOC(priv) < 0)
|
||||
return NULL;
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From 8c2c611df31d3b37f149385e4597c47300ae1489 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Tue, 30 Apr 2019 16:51:37 +0100
|
||||
Subject: [PATCH 2/3] locking: restrict sockets to mode 0600
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The virtlockd daemon's only intended client is the libvirtd daemon. As
|
||||
such it should never allow clients from other user accounts to connect.
|
||||
The code already enforces this and drops clients from other UIDs, but
|
||||
we can get earlier (and thus stronger) protection against DoS by setting
|
||||
the socket permissions to 0600
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
|
||||
---
|
||||
src/locking/virtlockd-admin.socket.in | 1 +
|
||||
src/locking/virtlockd.socket.in | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
|
||||
index 2a7500f3d0..f674c492f7 100644
|
||||
--- a/src/locking/virtlockd-admin.socket.in
|
||||
+++ b/src/locking/virtlockd-admin.socket.in
|
||||
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
|
||||
Service=virtlockd.service
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
|
||||
index 45e0f20235..d701b27516 100644
|
||||
--- a/src/locking/virtlockd.socket.in
|
||||
+++ b/src/locking/virtlockd.socket.in
|
||||
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
--
|
||||
2.21.0
|
||||
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From a968b3103c503db8a9fb6c9d64f0dd49d3b6f2a3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
|
||||
Date: Tue, 30 Apr 2019 17:27:41 +0100
|
||||
Subject: [PATCH 3/3] logging: restrict sockets to mode 0600
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The virtlogd daemon's only intended client is the libvirtd daemon. As
|
||||
such it should never allow clients from other user accounts to connect.
|
||||
The code already enforces this and drops clients from other UIDs, but
|
||||
we can get earlier (and thus stronger) protection against DoS by setting
|
||||
the socket permissions to 0600
|
||||
|
||||
Fixes CVE-2019-10132
|
||||
|
||||
Reviewed-by: Ján Tomko <jtomko@redhat.com>
|
||||
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
||||
(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
|
||||
---
|
||||
src/logging/virtlogd-admin.socket.in | 1 +
|
||||
src/logging/virtlogd.socket.in | 1 +
|
||||
2 files changed, 2 insertions(+)
|
||||
|
||||
diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
|
||||
index 595e6c4c4b..5c41dfeb7b 100644
|
||||
--- a/src/logging/virtlogd-admin.socket.in
|
||||
+++ b/src/logging/virtlogd-admin.socket.in
|
||||
@@ -5,6 +5,7 @@ Before=libvirtd.service
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
|
||||
Service=virtlogd.service
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
|
||||
index 22b9360c8d..ae48cdab9a 100644
|
||||
--- a/src/logging/virtlogd.socket.in
|
||||
+++ b/src/logging/virtlogd.socket.in
|
||||
@@ -4,6 +4,7 @@ Before=libvirtd.service
|
||||
|
||||
[Socket]
|
||||
ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
|
||||
+SocketMode=0600
|
||||
|
||||
[Install]
|
||||
WantedBy=sockets.target
|
||||
--
|
||||
2.21.0
|
||||
|
||||
10
libvirt.spec
10
libvirt.spec
|
|
@ -216,7 +216,7 @@
|
|||
Summary: Library providing a simple virtualization API
|
||||
Name: libvirt
|
||||
Version: 5.3.0
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: LGPLv2+
|
||||
URL: https://libvirt.org/
|
||||
|
||||
|
|
@ -226,6 +226,10 @@ URL: https://libvirt.org/
|
|||
Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz
|
||||
Patch1: 0001-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch
|
||||
Patch2: 0002-cpu_map-Define-md-clear-CPUID-bit.patch
|
||||
# Fix systemd socket permissions (CVE-2019-10132)
|
||||
Patch3: 0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch
|
||||
Patch4: 0004-locking-restrict-sockets-to-mode-0600.patch
|
||||
Patch5: 0005-logging-restrict-sockets-to-mode-0600.patch
|
||||
|
||||
Requires: libvirt-daemon = %{version}-%{release}
|
||||
Requires: libvirt-daemon-config-network = %{version}-%{release}
|
||||
|
|
@ -1889,6 +1893,10 @@ exit 0
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue May 21 2019 Daniel P. Berrangé <berrange@redhat.com> - 5.3.0-3
|
||||
- Fix systemd socket permissions
|
||||
- Resolves: rhbz #1712498 (CVE-2019-10132)
|
||||
|
||||
* Tue May 14 2019 Daniel P. Berrangé <berrange@redhat.com> - 5.3.0-2
|
||||
- Define md-clear CPUID bit
|
||||
- Resolves: rhbz #1709977 (CVE-2018-12126), rhbz #1709979 (CVE-2018-12127),
|
||||
|
|
|
|||
Loading…
Reference in New Issue