Your message dated Thu, 29 Sep 2016 10:34:43 +0000 with message-id <[email protected]> and subject line Bug#835563: fixed in libvirt 2.3.0~rc1-1 has caused the Debian Bug report #835563, regarding libvirt-daemon-system: virt-aa-helper crashes with filesystem mounts to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 835563: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835563 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: libvirt-daemon-system Version: 2.1.0-2 Tags: patch Hi, virt-aa-helper segfaults when starting a VM with a read-only filesystem mount. The issue is in line virt-aa-helper.c:774 > if ((sub = strchr(perms, 'R')) != NULL) { > /* Don't write the invalid R permission, replace it with 'r' */ > sub[0] = 'r'; Esentially it overwrites parts of perms which is a const char* parameter. Attached is a patch that fixes this issue. It first copies perms and then modifies the local copy. Cheers, Felix--- libvirt-2.1.0.orig/src/security/virt-aa-helper.c +++ libvirt-2.1.0/src/security/virt-aa-helper.c @@ -740,6 +740,7 @@ vah_add_path(virBufferPtr buf, const cha bool readonly = true; bool explicit_deny_rule = true; char *sub = NULL; + char perms_fixed[32] = {0}; if (path == NULL) return rc; @@ -770,7 +770,12 @@ vah_add_path(virBufferPtr buf, const cha explicit_deny_rule = false; } - if ((sub = strchr(perms, 'R')) != NULL) { + if (virStrcpyStatic(perms_fixed, perms) == NULL) { + vah_error(NULL, 0, path); + vah_error(NULL, 0, _("perms string is too long")); + return rc; + } + if ((sub = strchr(perms_fixed, 'R')) != NULL) { /* Don't write the invalid R permission, replace it with 'r' */ sub[0] = 'r'; explicit_deny_rule = false; @@ -788,7 +789,7 @@ vah_add_path(virBufferPtr buf, const cha if (tmp[strlen(tmp) - 1] == '/') tmp[strlen(tmp) - 1] = '\0'; - virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms); + virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms_fixed); if (explicit_deny_rule) { virBufferAddLit(buf, " # don't audit writes to readonly files\n"); virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
--- End Message ---
--- Begin Message ---Source: libvirt Source-Version: 2.3.0~rc1-1 We believe that the bug you reported is fixed in the latest version of libvirt, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Guido Günther <[email protected]> (supplier of updated libvirt package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Thu, 29 Sep 2016 10:02:12 +0200 Source: libvirt Binary: libvirt-clients libvirt-daemon libvirt-daemon-system libvirt0 libvirt-doc libvirt-dev libvirt-sanlock libnss-libvirt Architecture: all source Version: 2.3.0~rc1-1 Distribution: experimental Urgency: medium Maintainer: Debian Libvirt Maintainers <[email protected]> Changed-By: Guido Günther <[email protected]> Closes: 835563 837995 838949 Description: libnss-libvirt - nss plugin providing IP add ress resolution for virtual machines libvirt0 - library for interfacing with different virtualization systems libvirt-clients - Programs for the libvirt library libvirt-daemon-system - Libvirt daemon configuration files libvirt-daemon - Virtualization daemon libvirt-dev - development files for the libvirt library libvirt-doc - documentation for the libvirt library libvirt-sanlock - Sanlock plugin for virtlockd Changes: libvirt (2.3.0~rc1-1) experimental; urgency=medium . [ Riku Voipio ] * [439afb5] Run testsuite on arm architectures (Closes: #837995) . [ Guido Günther ] * [6858d33] New upstream version 2.3.0~rc1 (Closes: #835563) * [6c294c5] Bump symbol versions * [d7e6337] Rediff patches * [f9ce70a] Build with numctl on arm64. Thanks to dann frazier (Closes: #838949) * [4ab7ff4] build-test: add missing dep on pkg-config Checksums-Sha1: 075d454b85d37121066a725d1147c921e568848c 3807 libvirt_2.3.0~rc1-1.dsc ab6a826fa69d8923c10ac42002ebeafed89874eb 13223484 libvirt_2.3.0~rc1.orig.tar.xz 424af4433b84ad778cdbfcf6e2ac276b900f6599 55936 libvirt_2.3.0~rc1-1.debian.tar.xz 9b6b05a6cb5c92355b73b3eaf3633a22d0238b15 1294086 libvirt-doc_2.3.0~rc1-1_all.deb Checksums-Sha256: 507a3282a4bc382ee0472057c1f711adadbd1ebc10a1ce527e749f66111ce420 3807 libvirt_2.3.0~rc1-1.dsc fd9cf001ea24aedc1831e6c505eea2a402758afdf1250c0a978e7d07f7856117 13223484 libvirt_2.3.0~rc1.orig.tar.xz 46f31a19db29713dd062ab48828f57b30a70542828151323da1c69eb7e5345e6 55936 libvirt_2.3.0~rc1-1.debian.tar.xz 163d6bd3c8ec474ffc4b7ca9e89729bdcdf43cbac92b1bf63181aa7b8ca09050 1294086 libvirt-doc_2.3.0~rc1-1_all.deb Files: a7772aebade42d26bcec84e7f5542e5b 3807 libs optional libvirt_2.3.0~rc1-1.dsc a53e62e261c3bfff1157a5fe7eaf3610 13223484 libs optional libvirt_2.3.0~rc1.orig.tar.xz e8aee4b36938c67177f5a5e591126e56 55936 libs optional libvirt_2.3.0~rc1-1.debian.tar.xz 1bcaaead9d0d40581fc1f61d7ff72d55 1294086 doc optional libvirt-doc_2.3.0~rc1-1_all.deb -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJX7NpiAAoJEAe4t7DqmBILZXsP/RoOUhmhlSpaq7xzVrsi0+oo MeXWhFDh+/qJOs/2Wk9NFGVJYHWWN0YHc7QagZQoeUULmShO+BhjWz7pVMaENaqJ 0gOPjo130RkfIoJrat0HIYEr36Erj1UTKaiWHeOcB16GEl47DKo2by64XXj9ez/Q mnYBVWtL26Z0OqjXHcgS7w4o1b89m9e+ELY7pLtFnAc4a1mYZatx5r1UxLhH57mJ 2LDlXVwHTTqONCg4nkMu/SpyyZe04/LVOCpwhbe3XhkaVMSUGICjMWNSoPYsdkjp 6y4a7leSznMhv3TGEqmBU+iC2j8y6xBhvhnbS1kmtDF7/MO9OZJUnezlVeHeFp+L AyDR/6WWkm09TcCxnxPF+lJa4dPtve6uJ61C0iqsJivk1ouZboz0JF+aFikDW2E8 JfIHkmg1M5t85zOGk98w6sdZX9NqHAdwaFQnAz0MqCeIFKke4pOSixxiU/CKaqWD FSOaIAXRF1LJYZ0E83Q30ge0YyIHuAOrsnDG+1ATCsyrlP0XnHWuF88PR9S0PqtQ sQWzWbEFp+uBkBQ7FLDH7o41AxR/F9DhawNCIWY9BUT7+wiyOceBBzFCIFy8UEBu 3Hq2cF1XEXQ0DHZorw9vMoS86NTBPFa1fBGQDRZpbopau+Gu/FQWs/VJZDdSM+sw WIdf6FV+SDCvU/na6miE =bOdi -----END PGP SIGNATURE-----
--- End Message ---
