From d61e2404ba10c8e0126ea7964645efd13a15aa4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 21 May 2019 15:39:17 +0100 Subject: [PATCH] Fix systemd socket permissions (CVE-2019-10132) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Daniel P. Berrangé --- ...ents-unless-their-UID-matches-the-cu.patch | 58 +++++++++++++++++++ ...ocking-restrict-sockets-to-mode-0600.patch | 51 ++++++++++++++++ ...ogging-restrict-sockets-to-mode-0600.patch | 51 ++++++++++++++++ libvirt.spec | 10 +++- 4 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch create mode 100644 0004-locking-restrict-sockets-to-mode-0600.patch create mode 100644 0005-logging-restrict-sockets-to-mode-0600.patch diff --git a/0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch b/0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch new file mode 100644 index 0000000..c9e27df --- /dev/null +++ b/0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch @@ -0,0 +1,58 @@ +From fd48a871a9dcdb8b8b1eb39612e5df870a7e2c3c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 17:26:13 +0100 +Subject: [PATCH 1/3] admin: reject clients unless their UID matches the + current UID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The admin protocol RPC messages are only intended for use by the user +running the daemon. As such they should not be allowed for any client +UID that does not match the server UID. + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) +--- + src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c +index 85e693d76c..6e3b99f97d 100644 +--- a/src/admin/admin_server_dispatch.c ++++ b/src/admin/admin_server_dispatch.c +@@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, + void *opaque) + { + struct daemonAdmClientPrivate *priv; ++ uid_t clientuid; ++ gid_t clientgid; ++ pid_t clientpid; ++ unsigned long long timestamp; ++ ++ if (virNetServerClientGetUNIXIdentity(client, ++ &clientuid, ++ &clientgid, ++ &clientpid, ++ ×tamp) < 0) ++ return NULL; ++ ++ VIR_DEBUG("New client pid %lld uid %lld", ++ (long long)clientpid, ++ (long long)clientuid); ++ ++ if (geteuid() != clientuid) { ++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"), ++ (long long)clientpid, ++ (long long)clientuid); ++ return NULL; ++ } + + if (VIR_ALLOC(priv) < 0) + return NULL; +-- +2.21.0 + diff --git a/0004-locking-restrict-sockets-to-mode-0600.patch b/0004-locking-restrict-sockets-to-mode-0600.patch new file mode 100644 index 0000000..2d3fc27 --- /dev/null +++ b/0004-locking-restrict-sockets-to-mode-0600.patch @@ -0,0 +1,51 @@ +From 8c2c611df31d3b37f149385e4597c47300ae1489 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 16:51:37 +0100 +Subject: [PATCH 2/3] locking: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlockd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1) +--- + src/locking/virtlockd-admin.socket.in | 1 + + src/locking/virtlockd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in +index 2a7500f3d0..f674c492f7 100644 +--- a/src/locking/virtlockd-admin.socket.in ++++ b/src/locking/virtlockd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock + Service=virtlockd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in +index 45e0f20235..d701b27516 100644 +--- a/src/locking/virtlockd.socket.in ++++ b/src/locking/virtlockd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.21.0 + diff --git a/0005-logging-restrict-sockets-to-mode-0600.patch b/0005-logging-restrict-sockets-to-mode-0600.patch new file mode 100644 index 0000000..a4c01a9 --- /dev/null +++ b/0005-logging-restrict-sockets-to-mode-0600.patch @@ -0,0 +1,51 @@ +From a968b3103c503db8a9fb6c9d64f0dd49d3b6f2a3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Tue, 30 Apr 2019 17:27:41 +0100 +Subject: [PATCH 3/3] logging: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlogd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f) +--- + src/logging/virtlogd-admin.socket.in | 1 + + src/logging/virtlogd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in +index 595e6c4c4b..5c41dfeb7b 100644 +--- a/src/logging/virtlogd-admin.socket.in ++++ b/src/logging/virtlogd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock + Service=virtlogd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in +index 22b9360c8d..ae48cdab9a 100644 +--- a/src/logging/virtlogd.socket.in ++++ b/src/logging/virtlogd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.21.0 + diff --git a/libvirt.spec b/libvirt.spec index e1ca9c3..c6a9f23 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -216,7 +216,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 5.3.0 -Release: 2%{?dist} +Release: 3%{?dist} License: LGPLv2+ URL: https://libvirt.org/ @@ -226,6 +226,10 @@ URL: https://libvirt.org/ Source: https://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.xz Patch1: 0001-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch Patch2: 0002-cpu_map-Define-md-clear-CPUID-bit.patch +# Fix systemd socket permissions (CVE-2019-10132) +Patch3: 0003-admin-reject-clients-unless-their-UID-matches-the-cu.patch +Patch4: 0004-locking-restrict-sockets-to-mode-0600.patch +Patch5: 0005-logging-restrict-sockets-to-mode-0600.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -1889,6 +1893,10 @@ exit 0 %changelog +* Tue May 21 2019 Daniel P. Berrangé - 5.3.0-3 +- Fix systemd socket permissions +- Resolves: rhbz #1712498 (CVE-2019-10132) + * Tue May 14 2019 Daniel P. Berrangé - 5.3.0-2 - Define md-clear CPUID bit - Resolves: rhbz #1709977 (CVE-2018-12126), rhbz #1709979 (CVE-2018-12127),