Re: libvirt / CVE-2019-3886
Moritz Mühlenhoff writes:

> We're tracking at as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Attached is an updated patch using the newly allocated CVE-2016-10746 identifier.

--
Brian May

diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog --- libvirt-1.2.9/debian/changelog 2018-03-13 06:51:52.0 +1100 +++ libvirt-1.2.9/debian/changelog 2019-04-08 17:29:21.0 +1000 @@ -1,3 +1,10 @@ +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2016-10746: Ensure get time RPC calls require write access. + + -- Brian May Mon, 08 Apr 2019 17:29:21 +1000 + libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high * Switch gbp.conf to jessie diff -Nru libvirt-1.2.9/debian/patches/CVE-2016-10746.patch libvirt-1.2.9/debian/patches/CVE-2016-10746.patch --- libvirt-1.2.9/debian/patches/CVE-2016-10746.patch 1970-01-01 10:00:00.0 +1000 +++ libvirt-1.2.9/debian/patches/CVE-2016-10746.patch 2019-04-08 17:29:21.0 +1000 @@ -0,0 +1,21 @@ +--- a/src/libvirt.c b/src/libvirt.c +@@ -21229,6 +21229,7 @@ + virResetLastError(); + + virCheckDomainReturn(dom, -1); ++virCheckReadOnlyGoto(dom->conn->flags, error); + + if (dom->conn->driver->domainGetTime) { + int ret = dom->conn->driver->domainGetTime(dom, seconds, +--- a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +@@ -5444,7 +5444,7 @@ + + /** + * @generate: none +- * @acl: domain:read ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_GET_TIME = 337, + diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series --- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.0 +1100 +++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:29:21.0 +1000 
@@ -37,3 +37,4 @@ upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch +CVE-2016-10746.patch
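Review bot: the new file debian/patches/CVE-2016-10746.patch begins directly at `+--- a/src/libvirt.c b/src/libvirt.c` with no DEP-3 header; add Description, Origin (the upstream commit Guido cites in this thread, 506e9d6c2d4baaf580d489fff0690c0ff2ff588f) and Bug-Debian/CVE lines so the backport stays traceable. Its libvirt.c hunk now uses `dom->conn->flags`, consistent with `virCheckDomainReturn(dom, -1)` in the context, but the `error` label it jumps to and the `virCheckReadOnlyGoto` macro are not in the visible context, so confirm both exist in 1.2.9 by building the package and checking that `virsh -r domtime <domain>` against the patched daemon is refused as a read-only operation.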
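Review bot: the remote_protocol.x hunk changes only the `@acl` annotation from `domain:read` to `domain:write`; that annotation drives the generated access-control (polkit ACL) permission check, not the read-only connection check, which is why the libvirt.c hunk is still required. State that in the patch description so a later reviewer does not drop either half as redundant.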
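Review bot: the series hunk adds `CVE-2016-10746.patch` at the top level of debian/patches while the neighbouring security fixes in the context live under `security/` (for example `security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch`); place the new file there and adjust the series line to match the existing layout.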
Re: libvirt / CVE-2019-3886
Moritz Mühlenhoff writes:

> We're tracking at as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Request submitted. I hope...

--
Brian May
Re: libvirt / CVE-2019-3886
On Tue, Apr 09, 2019 at 05:16:47PM +1000, Brian May wrote:
> Guido Günther writes:
>
> > I don't think this is needed for jessie since the corresponding function
> > in qemu was implemented in 4.8.0.
>
> Sounds like it won't hurt to leave this in, in any case...
>
> > qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> > affected as well. The corresponding virDomainGetTime has no read only
> > check so this could be an issue (but should likely use a different
> > CVE). This was upstream fixed in
> >
> > 506e9d6c2d4baaf580d489fff0690c0ff2ff588f
>
> Ok, so it does sound like I should make this change too.
>
> Like it or not, I suspect CVE-2019-3886 might be getting used for both
> issues.

We're tracking at as it's currently assigned by MITRE and it's their usual
practice to split out secondary angles to a separate CVE ID. As such, you
should rather reach out to them via https://cveform.mitre.org and request
a separate ID for the part that affects 1.2.x as well.

Cheers,
Moritz
Re: libvirt / CVE-2019-3886
Brian May writes:

> + virCheckDomainReturn(dom, -1);
> ++virCheckReadOnlyGoto(domain->conn->flags, error);

That is obviously an error. The variable here is called "dom", not "domain". I have fixed this in my version.

--
Brian May
Re: libvirt / CVE-2019-3886
Brian May writes:

> Ok, so it does sound like I should make this change too.

Updated patch attached.

--
Brian May

diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog --- libvirt-1.2.9/debian/changelog 2018-03-13 06:51:52.0 +1100 +++ libvirt-1.2.9/debian/changelog 2019-04-08 17:29:21.0 +1000 @@ -1,3 +1,11 @@ +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high + + * Non-maintainer upload by the LTS Team. + * CVE-2019-3886: Ensure get hostname and get time RPC calls require write +access. + + -- Brian May Mon, 08 Apr 2019 17:29:21 +1000 + libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high * Switch gbp.conf to jessie diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 1970-01-01 10:00:00.0 +1000 +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 2019-04-08 17:29:21.0 +1000 @@ -0,0 +1,39 @@ +--- a/src/libvirt.c b/src/libvirt.c +@@ -20994,6 +20994,8 @@ + virResetLastError(); + + virCheckDomainReturn(domain, NULL); ++virCheckReadOnlyGoto(domain->conn->flags, error); ++ + conn = domain->conn; + + if (conn->driver->domainGetHostname) { +@@ -21229,6 +21231,7 @@ + virResetLastError(); + + virCheckDomainReturn(dom, -1); ++virCheckReadOnlyGoto(domain->conn->flags, error); + + if (dom->conn->driver->domainGetTime) { + int ret = dom->conn->driver->domainGetTime(dom, seconds, +--- a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +@@ -5049,7 +5049,7 @@ + + /** + * @generate: both +- * @acl: domain:read ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277, + +@@ -5444,7 +5444,7 @@ + + /** + * @generate: none +- * @acl: domain:read ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_GET_TIME = 337, + diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series --- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.0 +1100 +++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:25:13.0 +1000 
@@ -37,3 +37,4 @@ upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch +CVE-2019-3886.patch
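Review bot: the changelog hunk wraps the CVE entry onto a second line that, as shown here, starts at column 0 (`+access.`); Debian changelog continuation lines must be indented (four spaces for text continuing a bullet), so either indent it or keep the entry on one line. If the missing indentation is only an artefact of how the mail was wrapped, disregard this.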
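Review bot: the second libvirt.c hunk (virDomainGetTime, `@@ -21229,6 +21231,7 @@`) adds `virCheckReadOnlyGoto(domain->conn->flags, error);` but every surrounding line uses `dom` (`virCheckDomainReturn(dom, -1)`, `dom->conn->driver->domainGetTime`); `domain` is not in scope in that function, so this will not compile. Change it to `dom->conn->flags`; the hostname hunk above it is correct because that function's parameter really is named `domain`.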
Re: libvirt / CVE-2019-3886
Guido Günther writes:

> I don't think this is needed for jessie since the corresponding function
> in qemu was implemented in 4.8.0.

Sounds like it won't hurt to leave this in, in any case...

> qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> affected as well. The corresponding virDomainGetTime has no read only
> check so this could be an issue (but should likely use a different
> CVE). This was upstream fixed in
>
> 506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Ok, so it does sound like I should make this change too.

Like it or not, I suspect CVE-2019-3886 might be getting used for both
issues.

--
Brian May
Re: libvirt / CVE-2019-3886
Hi,

On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote:
> Patch for Jessie version attached. Patch is applied by hand from
> https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html

I don't think this is needed for jessie since the corresponding function
in qemu was implemented in 4.8.0.

> I am a bit concerned this patch only patches the virDomainGetHostname
> function and not the virDomainGetTime function, while the tests (which I
> suspect are not run in the Debian build) appear to patch both. As such
> I suspect this might be incomplete as is.

qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
affected as well. The corresponding virDomainGetTime has no read only
check so this could be an issue (but should likely use a different
CVE). This was upstream fixed in

506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Cheers,
-- Guido

> --
> Brian May
> https://linuxpenguins.xyz/brian/
> diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog > --- libvirt-1.2.9/debian/changelog2018-03-13 06:51:52.0 +1100 > +++ libvirt-1.2.9/debian/changelog2019-04-08 17:29:21.0 +1000 > @@ -1,3 +1,11 @@ > +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high > + > + * Non-maintainer upload by the LTS Team. > + * CVE-2019-3886: Ensure get hostname and get time RPC calls require write > +access. > + > + -- Brian May Mon, 08 Apr 2019 17:29:21 +1000 > + > libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high > >* Switch gbp.conf to jessie > diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch > libvirt-1.2.9/debian/patches/CVE-2019-3886.patch > --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 1970-01-01 > 10:00:00.0 +1000 > +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 2019-04-08 > 17:29:08.0 +1000 
> @@ -0,0 +1,31 @@ > +--- a/src/libvirt.c > b/src/libvirt.c > +@@ -20994,6 +20994,8 @@ > + virResetLastError(); > + > + virCheckDomainReturn(domain, NULL); > ++virCheckReadOnlyGoto(domain->conn->flags, error); > ++ > + conn = domain->conn; > + > + if (conn->driver->domainGetHostname) { > +--- a/src/remote/remote_protocol.x > b/src/remote/remote_protocol.x > +@@ -5049,7 +5049,7 @@ > + > + /** > + * @generate: both > +- * @acl: domain:read > ++ * @acl: domain:write > + */ > + REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277, > + > +@@ -5444,7 +5444,7 @@ > + > + /** > + * @generate: none > +- * @acl: domain:read > ++ * @acl: domain:write > + */ > + REMOTE_PROC_DOMAIN_GET_TIME = 337, > + > diff -Nru libvirt-1.2.9/debian/patches/series > libvirt-1.2.9/debian/patches/series > --- libvirt-1.2.9/debian/patches/series 2018-03-13 06:00:35.0 > +1100 > +++ libvirt-1.2.9/debian/patches/series 2019-04-08 17:25:13.0 > +1000 > @@ -37,3 +37,4 @@ > upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch > security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch > security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch > +CVE-2019-3886.patch
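Review bot: the changelog hunk says the fix makes "get hostname and get time RPC calls require write access", but the only libvirt.c hunk in this patch is the virDomainGetHostname one (`@@ -20994,6 +20994,8 @@`); nothing adds `virCheckReadOnlyGoto` to virDomainGetTime. Either add that second hunk or narrow the changelog text to what the patch actually does.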
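Review bot: the remote_protocol.x hunk at `@@ -5444,7 +5444,7 @@` raises REMOTE_PROC_DOMAIN_GET_TIME to `@acl: domain:write`, but that annotation only changes the generated ACL permission check; a read-only connection is rejected by `virCheckReadOnlyGoto` in the public API entry point, which this patch adds for the hostname call only. On its own this hunk is half a fix for the get-time path and leaves read-only clients able to reach the guest agent through virDomainGetTime.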