Hi, On Sat, Jun 22, 2019 at 03:03:47PM +0200, Salvatore Bonaccorso wrote: > Hi, > > On Fri, Jun 21, 2019 at 05:38:59PM +0200, Guido Günther wrote: > > Package: release.debian.org > > Severity: normal > > User: [email protected] > > Usertags: unblock > > > > Please unblock package libvirt > > > > It fixes 4 CVEs and adds an apparmor rule to make the life of people > > using spice with certificates easier. > > Cheers, > > -- Guido > > > > unblock libvirt/5.0.0-4 > > For reference, debdiff between version in testing and unstable > attached.
thanks for fixing my oversight. I meant to attach it. -- Guido
> > Regards,
> Salvatore
> diff -Nru libvirt-5.0.0/debian/changelog libvirt-5.0.0/debian/changelog
> --- libvirt-5.0.0/debian/changelog 2019-05-22 12:31:08.000000000 +0200
> +++ libvirt-5.0.0/debian/changelog 2019-06-17 19:05:40.000000000 +0200
> @@ -1,3 +1,19 @@
> +libvirt (5.0.0-4) unstable; urgency=medium
> +
> + * [0fdc2af] Fix multiple CVEs related to privilege escalations on R/O
> + connections.
> + - CVE-2019-10161:
> + CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> + - CVE-2019-10166:
> + api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> + - CVE-2019-10167:
> + api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> + - CVE-2019-10168:
> + api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> + * Include /etc/pki/qemu in apparmor (Closes: #930100)
> +
> + -- Guido Günther <[email protected]> Mon, 17 Jun 2019 19:05:40 +0200
> +
> libvirt (5.0.0-3) unstable; urgency=medium
> 
> [ Guido Günther ]
> diff -Nru libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch > libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch
> --- libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ libvirt-5.0.0/debian/patches/Include-etc-pki-qemu-in-apparmor.patch > 2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,26 @@
> +From: Sam Hartman <[email protected]>
> +Date: Tue, 18 Jun 2019 09:02:09 -0400
> +Subject: Include /etc/pki/qemu in apparmor
> +
> +We already permit /etc/pki/libvirt-{spice,vnc} to be read in the
> +apparmor profile. However the default tls directory in qemu.conf that
> +we ship is /etc/pki/qemu. So permit that as well.
> +
> +Closes: #930100
> +---
> + src/security/apparmor/libvirt-qemu | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/security/apparmor/libvirt-qemu > b/src/security/apparmor/libvirt-qemu
> +index eaa5167..0659cda 100644
> +--- a/src/security/apparmor/libvirt-qemu
> ++++ b/src/security/apparmor/libvirt-qemu
> +@@ -93,6 +93,8 @@
> + /etc/pki/CA/* r,
> + /etc/pki/libvirt{,-spice,-vnc}/ r,
> + /etc/pki/libvirt{,-spice,-vnc}/** r,
> ++ /etc/pki/qemu/ r,
> ++ /etc/pki/qemu/** r,
> +
> + # the various binaries
> + /usr/bin/kvm rmix,
> diff -Nru > libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch > > libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> --- > libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-5.0.0/debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch > 2019-06-17 19:05:40.000000000 +0200
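Review bot: The two new rules `/etc/pki/qemu/ r,` and `/etc/pki/qemu/** r,` let every guest's confined qemu process read everything under the directory that qemu.conf uses as its TLS directory, which presumably includes the server private key next to the CA and certificate, since qemu loads the key itself. That is the same trade-off the existing `libvirt{,-spice,-vnc}` rules already make, so the grant is consistent, but nothing in the profile says so, and a later hardening pass could easily mistake it for an over-broad glob. A one-line comment above the new rules would record the reason, e.g. `# default_tls_x509_cert_dir in qemu.conf; qemu reads the key file directly`. The profile continues outside the hunk, so any existing note near the other pki rules is not visible here.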
> @@ -0,0 +1,79 @@
> +From: =?utf-8?q?Guido_G=C3=BCnther?= <[email protected]>
> +Date: Mon, 17 Jun 2019 18:20:15 +0200
> +Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
> + read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +This is a backport of
> +
> +The virDomainSaveImageGetXMLDesc API is taking a path parameter,
> +which can point to any path on the system. This file will then be
> +read and parsed by libvirtd running with root privileges.
> +
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10161
> +Reported-by: Matthias Gerstner <[email protected]>
> +Signed-off-by: Ján Tomko <[email protected]>
> +---
> + src/libvirt-domain.c | 9 ++-------
> + src/qemu/qemu_driver.c | 2 +-
> + src/remote/remote_protocol.x | 3 +--
> + 3 files changed, 4 insertions(+), 10 deletions(-)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 9aca54a..6a5fff9 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char > *from, const char *dxml,
> + * previously by virDomainSave() or virDomainSaveFlags().
> + *
> + * No security-sensitive data will be included unless @flags contains
> +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
> +- * connections. For this API, @flags should not contain either
> ++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either
> + * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
> + *
> + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
> +@@ -1092,11 +1091,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, > const char *file,
> + virCheckConnectReturn(conn, NULL);
> + virCheckNonNullArgGoto(file, error);
> +
> +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
> +- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
> +- _("virDomainSaveImageGetXMLDesc with secure flag"));
> +- goto error;
> +- }
> ++ virCheckReadOnlyGoto(conn->flags, error);
> +
> + if (conn->driver->domainSaveImageGetXMLDesc) {
> + char *ret;
> +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> +index 1d96170..fb417ad 100644
> +--- a/src/qemu/qemu_driver.c
> ++++ b/src/qemu/qemu_driver.c
> +@@ -7084,7 +7084,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, > const char *path,
> + if (fd < 0)
> + goto cleanup;
> +
> +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
> ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
> + goto cleanup;
> +
> + ret = qemuDomainDefFormatXML(driver, def, flags);
> +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
> +index 1246df5..5cfb8b6 100644
> +--- a/src/remote/remote_protocol.x
> ++++ b/src/remote/remote_protocol.x
> +@@ -5234,8 +5234,7 @@ enum remote_procedure {
> + /**
> + * @generate: both
> + * @priority: high
> +- * @acl: domain:read
> +- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
> ++ * @acl: domain:write
> + */
> + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
> +
> diff -Nru > libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch > > libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> --- > libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > 
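Review bot: The patch description line `This is a backport of` stops without naming the upstream commit, so the provenance of this CVE fix cannot be checked against libvirt git without redoing the comparison by hand; complete that line with the upstream commit id (or at least its subject and the first release carrying it). A smaller wording issue in the same patch: the rewritten doc line `VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either` now glues two sentences with a semicolon and a capital letter, and should read `VIR_DOMAIN_XML_SECURE. For this API, @flags should not contain either`. The code side looks coherent: the remote ACL becomes `domain:write`, which presumably regenerates the EnsureACL helper without a flags parameter, and the qemu driver call is updated to match. The bodies of virDomainSaveImageGetXMLDesc and qemuDomainSaveImageGetXMLDesc both continue outside the hunk.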
libvirt-5.0.0/debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch > 2019-06-17 19:05:40.000000000 +0200
> @@ -0,0 +1,36 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <[email protected]>
> +Date: Fri, 14 Jun 2019 10:37:34 +0200
> +Subject: api: disallow virConnect*HypervisorCPU on read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +These APIs can be used to execute arbitrary emulators.
> +Forbid them on read-only connections.
> +
> +Fixes: CVE-2019-10168
> +Signed-off-by: Ján Tomko <[email protected]>
> +---
> + src/libvirt-host.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/src/libvirt-host.c b/src/libvirt-host.c
> +index e20d6ee..2978825 100644
> +--- a/src/libvirt-host.c
> ++++ b/src/libvirt-host.c
> +@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
> +
> + virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
> + virCheckNonNullArgGoto(xmlCPU, error);
> ++ virCheckReadOnlyGoto(conn->flags, error);
> +
> + if (conn->driver->connectCompareHypervisorCPU) {
> + int ret;
> +@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
> +
> + virCheckConnectReturn(conn, NULL);
> + virCheckNonNullArgGoto(xmlCPUs, error);
> ++ virCheckReadOnlyGoto(conn->flags, error);
> +
> + if (conn->driver->connectBaselineHypervisorCPU) {
> + char *cpu;
> diff -Nru > libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch > > libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> --- > libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-5.0.0/debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch > 2019-06-17 19:05:40.000000000 +0200
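Review bot: In both hunks the new `virCheckReadOnlyGoto(conn->flags, error);` is inserted after the `virCheckNonNullArgGoto` argument check, whereas the companion CVE-2019-10166 and CVE-2019-10167 patches in this same upload place the read-only check directly after the connection or domain check. Functionally the call is still rejected either way; the only visible difference is which error a read-only caller passing a NULL argument receives. Moving the added line up to sit directly under `virCheckConnectReturn(...)` in each function would keep the four patches uniform and make the access check the first thing evaluated. Both function bodies continue outside the hunk.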
> @@ -0,0 +1,29 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <[email protected]>
> +Date: Fri, 14 Jun 2019 10:37:33 +0200
> +Subject: api: disallow virConnectGetDomainCapabilities on read-only
> + connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +This API can be used to execute arbitrary emulators.
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10167
> +Signed-off-by: Ján Tomko <[email protected]>
> +---
> + src/libvirt-domain.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 3d198d2..9b10790 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -11361,6 +11361,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
> + virResetLastError();
> +
> + virCheckConnectReturn(conn, NULL);
> ++ virCheckReadOnlyGoto(conn->flags, error);
> +
> + if (conn->driver->connectGetDomainCapabilities) {
> + char *ret;
> diff -Nru > libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch > > libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> --- > libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch > 1970-01-01 01:00:00.000000000 +0100
> +++ > libvirt-5.0.0/debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch > 2019-06-17 19:05:40.000000000 +0200
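Review bot: The doc comment of virConnectGetDomainCapabilities is not touched, so nothing in the public API documentation says that the call now fails on a read-only connection; read-only tooling (for example `virsh -r domcapabilities`, which presumably maps to this API) will start getting a denial with no documented reason. Add a sentence to the function's doc block, e.g. ` * This API is not permitted on read-only connections.`, and consider mentioning the client-visible behaviour change in the changelog entry next to the CVE reference. The doc comment and the rest of the function body lie outside this hunk.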
> @@ -0,0 +1,30 @@
> +From: =?utf-8?q?J=C3=A1n_Tomko?= <[email protected]>
> +Date: Fri, 14 Jun 2019 10:37:32 +0200
> +Subject: api: disallow virDomainManagedSaveDefineXML on read-only connections
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset="utf-8"
> +Content-Transfer-Encoding: 8bit
> +
> +The virDomainManagedSaveDefineXML can be used to alter the domain's
> +config used for managedsave or even execute arbitrary emulator binaries.
> +Forbid it on read-only connections.
> +
> +Fixes: CVE-2019-10166
> +Reported-by: Matthias Gerstner <[email protected]>
> +Signed-off-by: Ján Tomko <[email protected]>
> +---
> + src/libvirt-domain.c | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
> +index 6a5fff9..3d198d2 100644
> +--- a/src/libvirt-domain.c
> ++++ b/src/libvirt-domain.c
> +@@ -9567,6 +9567,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, > const char *dxml,
> +
> + virCheckDomainReturn(domain, -1);
> + conn = domain->conn;
> ++ virCheckReadOnlyGoto(conn->flags, error);
> +
> + if (conn->driver->domainManagedSaveDefineXML) {
> + int ret;
> diff -Nru libvirt-5.0.0/debian/patches/series > libvirt-5.0.0/debian/patches/series
> --- libvirt-5.0.0/debian/patches/series 2019-05-22 12:31:08.000000000 > +0200
> +++ libvirt-5.0.0/debian/patches/series 2019-06-17 19:05:40.000000000 > +0200
> @@ -29,3 +29,8 @@
> security/admin-reject-clients-unless-their-UID-matches-the-current.patch
> security/locking-restrict-sockets-to-mode-0600.patch
> security/logging-restrict-sockets-to-mode-0600.patch
> +security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
> +security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
> +security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
> +security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch
> +Include-etc-pki-qemu-in-apparmor.patch
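Review bot: Only one of the four new security patches carries its CVE id in the file name (`security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch`); the other three are listed under their upstream subject lines, so anyone auditing the package for CVE-2019-10166, -10167 or -10168 has to open each file or cross-reference the changelog to find the fix. Renaming them to `security/CVE-2019-10166-api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch`, `security/CVE-2019-10167-api-disallow-virConnectGetDomainCapabilities-on-read-only.patch` and `security/CVE-2019-10168-api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch`, with the series entries updated to match, would follow the convention the 10161 patch and the earlier entries already set. The ordering of the new entries, with the apparmor change last, is fine as it is.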

