Hi, On Fri, Jun 21, 2019 at 05:38:59PM +0200, Guido Günther wrote: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package libvirt > > It fixes 4 CVEs and adds an apparmor rule to make the life of people > using spice with certificates easier. > Cheers, > -- Guido > > unblock libvirt/5.0.0-4
For reference, debdiff between version in testing and unstable attached. Regards, Salvatore
diff -Nru libvirt-5.0.0/debian/changelog libvirt-5.0.0/debian/changelog
--- libvirt-5.0.0/debian/changelog 2019-05-22 12:31:08.000000000 +0200
+++ libvirt-5.0.0/debian/changelog 2019-06-17 19:05:40.000000000 +0200
@@ -1,3 +1,19 @@
+libvirt (5.0.0-4) unstable; urgency=medium
+
+ * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
+ connections.
+ - CVE-2019-10161:
+ CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
+ - CVE-2019-10166:
+ api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
+ - CVE-2019-10167:
+ api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
+ - CVE-2019-10168:
+ api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
+ * Include /etc/pki/qemu in apparmor (Closes: #930100)
+
+ -- Guido Günther <a...@sigxcpu.org> Mon, 17 Jun 2019 19:05:40 +0200
+
 libvirt (5.0.0-3) unstable; urgency=medium
 
 [ Guido Günther ]
diff -Nru libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch
--- libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch 2019-06-17 19:05:40.000000000 +0200
@@ -0,0 +1,26 @@
+From: Sam Hartman <hartm...@debian.org>
+Date: Tue, 18 Jun 2019 09:02:09 -0400
+Subject: Include /etc/pki/qemu in apparmor
+
+We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
+apparmor profile. However the default tls directory in qemu.conf that
+we ship is /etc/pki/qemu. So permit that as well.
+
+Closes: #930100
+---
+ src/security/apparmor/libvirt-qemu | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/security/apparmor/libvirt-qemu b/src/security/apparmor/libvirt-qemu
+index eaa5167..0659cda 100644
+--- a/src/security/apparmor/libvirt-qemu
++++ b/src/security/apparmor/libvirt-qemu
+@@ -93,6 +93,8 @@
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
++ /etc/pki/qemu/ r,
++ /etc/pki/qemu/** r,
+ 
+ # the various binaries
+ /usr/bin/kvm rmix,
diff -Nru libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
--- libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch 2019-06-17 19:05:40.000000000 +0200
@@ -0,0 +1,79 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Mon, 17 Jun 2019 18:20:15 +0200
+Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This is a backport of
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerst...@suse.de>
+Signed-off-by: Ján Tomko <jto...@redhat.com>
+---
+ src/libvirt-domain.c | 9 ++-------
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 3 +--
+ 3 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 9aca54a..6a5fff9 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+ * previously by virDomainSave() or virDomainSaveFlags().
+ *
+ * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections. For this API, @flags should not contain either
++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either
+ * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ *
+ * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+@@ -1092,11 +1091,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(file, error);
+ 
+- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+- _("virDomainSaveImageGetXMLDesc with secure flag"));
+- goto error;
+- }
++ virCheckReadOnlyGoto(conn->flags, error);
+ 
+ if (conn->driver->domainSaveImageGetXMLDesc) {
+ char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1d96170..fb417ad 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -7084,7 +7084,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+ if (fd < 0)
+ goto cleanup;
+ 
+- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+ goto cleanup;
+ 
+ ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 1246df5..5cfb8b6 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5234,8 +5234,7 @@ enum remote_procedure {
+ /**
+ * @generate: both
+ * @priority: high
+- * @acl: domain:read
+- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++ * @acl: domain:write
+ */
+ REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
--- libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch 2019-06-17 19:05:40.000000000 +0200
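Review bot: The rewritten doc comment line `++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either` drops the only statement about read-only connections at the moment the code below it starts rejecting every read-only caller, and it leaves a stray `; For`; I would write `* VIR_DOMAIN_XML_SECURE. This API is rejected on read-only connections. For this API, @flags should not contain either` so the public documentation matches the new virCheckReadOnlyGoto check. The patch description ends at `This is a backport of` with no reference, so the upstream commit should be named, e.g. `This is a backport of upstream commit <UPSTREAM-COMMIT-ID>`. The qemu_driver.c hunk drops the `flags` argument from virDomainSaveImageGetXMLDescEnsureACL, which presumably only compiles once the ACL header is regenerated from the remote_protocol.x change in the same patch — worth confirming the Debian build regenerates those headers rather than using shipped ones. The enclosing functions of all three inner hunks start and end outside the hunk.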
@@ -0,0 +1,36 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jto...@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:34 +0200
+Subject: api: disallow virConnect*HypervisorCPU on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jto...@redhat.com>
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee..2978825 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+ 
+ virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+ virCheckNonNullArgGoto(xmlCPU, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+ 
+ if (conn->driver->connectCompareHypervisorCPU) {
+ int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+ 
+ virCheckConnectReturn(conn, NULL);
+ virCheckNonNullArgGoto(xmlCPUs, error);
++ virCheckReadOnlyGoto(conn->flags, error);
+ 
+ if (conn->driver->connectBaselineHypervisorCPU) {
+ char *cpu;
diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
--- libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch 2019-06-17 19:05:40.000000000 +0200
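Review bot: The two new `virCheckReadOnlyGoto(conn->flags, error);` lines change the public contract of virConnectCompareHypervisorCPU and virConnectBaselineHypervisorCPU, but their doc comments (above the hunks, outside this view) are not updated to say the calls are refused on read-only connections; the same applies to virConnectGetDomainCapabilities and virDomainManagedSaveDefineXML in the two following patches. I would add a line such as `* This API is rejected on read-only connections.` to each of the four doc comments alongside the check, so API users see the new behaviour without reading the source. The placement after the argument checks and before the driver dispatch is consistent across all four functions. Each enclosing function starts and ends outside the hunk.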
@@ -0,0 +1,29 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jto...@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:33 +0200
+Subject: api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jto...@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 3d198d2..9b10790 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11361,6 +11361,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+ virResetLastError();
+ 
+ virCheckConnectReturn(conn, NULL);
++ virCheckReadOnlyGoto(conn->flags, error);
+ 
+ if (conn->driver->connectGetDomainCapabilities) {
+ char *ret;
diff -Nru libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
--- libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch 2019-06-17 19:05:40.000000000 +0200
@@ -0,0 +1,30 @@
+From: =?utf-8?q?J=C3=A1n_Tomko?= <jto...@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:32 +0200
+Subject: api: disallow virDomainManagedSaveDefineXML on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerst...@suse.de>
+Signed-off-by: Ján Tomko <jto...@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 6a5fff9..3d198d2 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9567,6 +9567,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+ 
+ virCheckDomainReturn(domain, -1);
+ conn = domain->conn;
++ virCheckReadOnlyGoto(conn->flags, error);
+ 
+ if (conn->driver->domainManagedSaveDefineXML) {
+ int ret;
diff -Nru libvirt-5.0.0/debian/patches/series libvirt-5.0.0/debian/patches/series
--- libvirt-5.0.0/debian/patches/series 2019-05-22 12:31:08.000000000 +0200
+++ libvirt-5.0.0/debian/patches/series 2019-06-17 19:05:40.000000000 +0200
@@ -29,3 +29,8 @@
 security/admin-reject-clients-unless-their-UID-matches-the-current.patch
 security/locking-restrict-sockets-to-mode-0600.patch
 security/logging-restrict-sockets-to-mode-0600.patch
+security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
+security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
+security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
+security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
+Include-etc-pki-qemu-in-apparmor.patch