Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2017-10-21 20:20:50 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt" Sat Oct 21 20:20:50 2017 rev:238 rq:534485 version:3.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2017-10-10 11:38:13.971990679 +0200 +++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2017-10-21 20:20:51.453580367 +0200 @@ -1,0 +2,27 @@ +Mon Oct 16 22:02:16 UTC 2017 - [email protected] + +- qemu: ensure TLS clients always verify the server certificate + CVE-2017-1000256 + 441d3eb6-qemu-tls-client-verify-server-cert.patch + bsc#1062563 + +------------------------------------------------------------------- +Thu Oct 12 23:25:48 UTC 2017 - [email protected] + +- Do not ignore errors from useradd/groupadd. +- Invoke/expand %service_* just once per scriptlet. +- Replace some old macros. + +------------------------------------------------------------------- +Tue Oct 10 19:50:22 UTC 2017 - [email protected] + +- spec: libvirt-daemon-qemu requires libvirt-daemon-driver-storage + bsc#1062620 + +------------------------------------------------------------------- +Mon Oct 9 16:34:50 UTC 2017 - [email protected] + +- spec: reload libvirtd Apparmor profile in %post + bsc#1060860 + +------------------------------------------------------------------- New: ---- 441d3eb6-qemu-tls-client-verify-server-cert.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libvirt.spec ++++++ --- /var/tmp/diff_new_pack.hXkjy3/_old 2017-10-21 20:20:53.257495894 +0200 +++ /var/tmp/diff_new_pack.hXkjy3/_new 2017-10-21 20:20:53.261495706 +0200 @@ -251,6 +251,7 @@ BuildRequires: libpcap-devel BuildRequires: libselinux-devel %if %{with_apparmor} +BuildRequires: apparmor-rpm-macros BuildRequires: libapparmor-devel %endif BuildRequires: dnsmasq >= 2.41 @@ -310,6 +311,7 @@ Source100: %{name}-rpmlintrc # Upstream patches Patch0: c44b29aa-apparmor-dnsmasq-ptrace.patch +Patch1: 441d3eb6-qemu-tls-client-verify-server-cert.patch # Patches pending upstream review Patch100: libxl-dom-reset.patch Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch @@ -703,6 +705,7 @@ Requires: libvirt-daemon-driver-nwfilter = %{version}-%{release} Requires: libvirt-daemon-driver-qemu = %{version}-%{release} Requires: libvirt-daemon-driver-secret = %{version}-%{release} +Requires: libvirt-daemon-driver-storage = %{version}-%{release} %description daemon-qemu Server side daemon and driver required to manage the virtualization @@ -884,6 +887,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %patch100 -p1 %patch101 -p1 %patch150 -p1 @@ -1103,8 +1107,8 @@ gzip -9 ChangeLog %install -%makeinstall SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name} -make %{?jobs:-j%jobs} -C examples distclean +%make_install SYSTEMD_UNIT_DIR=%{_unitdir} HTML_DIR=%{_docdir}/%{name} +make %{?_smp_mflags} -C examples distclean cp examples/lxcconvert/virt-lxc-convert %{buildroot}/%{_bindir} rm -f %{buildroot}/%{_libdir}/*.la %if %{with_wireshark} @@ -1243,34 +1247,30 @@ rm -f $i printf 'int main(void) { return 0; }' > $i.c done -make %{?jobs:-j%jobs} +make %{?_smp_mflags} -if ! make %{?jobs:-j%jobs} check VIR_TEST_DEBUG=1 +if ! make %{?_smp_mflags} check VIR_TEST_DEBUG=1 then cat test-suite.log || true exit 1 fi %pre daemon -%service_add_pre libvirtd.service -%service_add_pre virtlockd.service virtlockd.socket -%service_add_pre virtlogd.service virtlogd.socket -%{_bindir}/getent group libvirt >/dev/null || \ - %{_sbindir}/groupadd -r libvirt || : +%{_bindir}/getent group libvirt >/dev/null || %{_sbindir}/groupadd -r libvirt +%service_add_pre libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %post daemon /sbin/ldconfig -%service_add_post libvirtd.service -%service_add_post virtlockd.service virtlockd.socket -%service_add_post virtlogd.service virtlogd.socket +%if %{with_apparmor} +%apparmor_reload /etc/apparmor.d/usr.sbin.libvirtd +%endif +%service_add_post libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %{fillup_only -n libvirtd} %{fillup_only -n virtlockd} %{fillup_only -n virtlogd} %preun daemon -%service_del_preun libvirtd.service -%service_del_preun virtlockd.service virtlockd.socket -%service_del_preun virtlogd.service virtlogd.socket +%service_del_preun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %postun daemon /sbin/ldconfig @@ -1281,9 +1281,7 @@ done /usr/bin/systemctl daemon-reload >/dev/null 2>&1 || : fi - %service_del_postun libvirtd.service - %service_del_postun virtlockd.service virtlockd.socket - %service_del_postun virtlogd.service virtlogd.socket + %service_del_postun libvirtd.service virtlockd.service virtlockd.socket virtlogd.service virtlogd.socket %posttrans daemon # All connection drivers should be installed post transaction. ++++++ 441d3eb6-qemu-tls-client-verify-server-cert.patch ++++++ commit 441d3eb6d1be940a67ce45a286602a967601b157 Author: Daniel P. Berrange <[email protected]> Date: Thu Oct 5 17:54:28 2017 +0100 qemu: ensure TLS clients always verify the server certificate The default_tls_x509_verify (and related) parameters in qemu.conf control whether the QEMU TLS servers request & verify certificates from clients. This works as a simple access control system for servers by requiring the CA to issue certs to permitted clients. This use of client certificates is disabled by default, since it requires extra work to issue client certificates. Unfortunately the code was using this configuration parameter when setting up both TLS clients and servers in QEMU. The result was that TLS clients for character devices and disk devices had verification turned off, meaning they would ignore errors while validating the server certificate. This allows for trivial MITM attacks between client and server, as any certificate returned by the attacker will be accepted by the client. This is assigned CVE-2017-1000256 / LSN-2017-0002 Reviewed-by: Eric Blake <[email protected]> Signed-off-by: Daniel P. Berrange <[email protected]> Index: libvirt-3.8.0/src/qemu/qemu_command.c =================================================================== --- libvirt-3.8.0.orig/src/qemu/qemu_command.c +++ libvirt-3.8.0/src/qemu/qemu_command.c @@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char if (virJSONValueObjectCreate(propsret, "s:dir", path, "s:endpoint", (isListen ? "server": "client"), - "b:verify-peer", verifypeer, + "b:verify-peer", (isListen ? verifypeer : true), NULL) < 0) goto cleanup; Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args =================================================================== --- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args @@ -26,7 +26,7 @@ server,nowait \ localport=1111 \ -device isa-serial,chardev=charserial0,id=serial0 \ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ -endpoint=client,verify-peer=no \ +endpoint=client,verify-peer=yes \ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ tls-creds=objcharserial1_tls0 \ -device isa-serial,chardev=charserial1,id=serial1 \ Index: libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args =================================================================== --- libvirt-3.8.0.orig/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +++ libvirt-3.8.0/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args @@ -31,7 +31,7 @@ localport=1111 \ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ -endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ +endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ tls-creds=objcharserial1_tls0 \ -device isa-serial,chardev=charserial1,id=serial1 \
