Re: libvirt / CVE-2019-3886

2019-04-29 Thread Brian May
Moritz Mühlenhoff  writes:

> We're tracking at as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Attached is an updated patch using the newly allocated CVE-2016-10746
identifier.
-- 
Brian May 
diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog	2018-03-13 06:51:52.0 +1100
+++ libvirt-1.2.9/debian/changelog	2019-04-08 17:29:21.0 +1000
@@ -1,3 +1,10 @@
+libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2016-10746: Ensure get time RPC calls require write access.
+
+ -- Brian May   Mon, 08 Apr 2019 17:29:21 +1000
+
 libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
 
   * Switch gbp.conf to jessie
diff -Nru libvirt-1.2.9/debian/patches/CVE-2016-10746.patch libvirt-1.2.9/debian/patches/CVE-2016-10746.patch
--- libvirt-1.2.9/debian/patches/CVE-2016-10746.patch	1970-01-01 10:00:00.0 +1000
+++ libvirt-1.2.9/debian/patches/CVE-2016-10746.patch	2019-04-08 17:29:21.0 +1000
@@ -0,0 +1,21 @@
+--- a/src/libvirt.c
 b/src/libvirt.c
+@@ -21229,6 +21229,7 @@
+ virResetLastError();
+ 
+ virCheckDomainReturn(dom, -1);
++virCheckReadOnlyGoto(dom->conn->flags, error);
+ 
+ if (dom->conn->driver->domainGetTime) {
+ int ret = dom->conn->driver->domainGetTime(dom, seconds,
+--- a/src/remote/remote_protocol.x
 b/src/remote/remote_protocol.x
+@@ -5444,7 +5444,7 @@
+ 
+ /**
+  * @generate: none
+- * @acl: domain:read
++ * @acl: domain:write
+  */
+ REMOTE_PROC_DOMAIN_GET_TIME = 337,
+ 
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series	2018-03-13 06:00:35.0 +1100
+++ libvirt-1.2.9/debian/patches/series	2019-04-08 17:29:21.0 +1000
@@ -37,3 +37,4 @@
 upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
 security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
 security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+CVE-2016-10746.patch


Re: libvirt / CVE-2019-3886

2019-04-15 Thread Brian May
Moritz Mühlenhoff  writes:

> We're tracking at as it's currently assigned by MITRE and it's their usual
> practice to split out secondary angles to a separate CVE ID. As such, you
> should rather reach out to them via https://cveform.mitre.org and request
> a separate ID for the part that affects 1.2.x as well.

Request submitted. I hope...
-- 
Brian May 



Re: libvirt / CVE-2019-3886

2019-04-11 Thread Moritz Mühlenhoff
On Tue, Apr 09, 2019 at 05:16:47PM +1000, Brian May wrote:
> Guido Günther  writes:
> 
> > I don't think this is needed for jessie since the corresponding function
> > in qemu was implemented in 4.8.0.
> 
> Sounds like it won't hurt to leave this in, in any case...
> 
> > qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> > affected as well. The corresponding virDomainGetTime has no read only
> > check so this could be an issue (but should likely use a different
> > CVE). This was upstream fixed in
> >
> > 506e9d6c2d4baaf580d489fff0690c0ff2ff588f
> 
> Ok, so it does sound like I should make this change too.
> 
> Like it or not, I suspect CVE-2019-3886 might be getting used for both
> issues.

We're tracking at as it's currently assigned by MITRE and it's their usual
practice to split out secondary angles to a separate CVE ID. As such, you
should rather reach out to them via https://cveform.mitre.org and request
a separate ID for the part that affects 1.2.x as well.

Cheers,
Moritz



Re: libvirt / CVE-2019-3886

2019-04-09 Thread Brian May
Brian May  writes:

> Ok, so it does sound like I should make this change too.

Updated patch attached.
-- 
Brian May 
diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
--- libvirt-1.2.9/debian/changelog	2018-03-13 06:51:52.0 +1100
+++ libvirt-1.2.9/debian/changelog	2019-04-08 17:29:21.0 +1000
@@ -1,3 +1,11 @@
+libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-3886: Ensure get hostname and get time RPC calls require write
+access.
+
+ -- Brian May   Mon, 08 Apr 2019 17:29:21 +1000
+
 libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
 
   * Switch gbp.conf to jessie
diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch libvirt-1.2.9/debian/patches/CVE-2019-3886.patch
--- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch	1970-01-01 10:00:00.0 +1000
+++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch	2019-04-08 17:29:21.0 +1000
@@ -0,0 +1,39 @@
+--- a/src/libvirt.c
 b/src/libvirt.c
+@@ -20994,6 +20994,8 @@
+ virResetLastError();
+ 
+ virCheckDomainReturn(domain, NULL);
++virCheckReadOnlyGoto(domain->conn->flags, error);
++
+ conn = domain->conn;
+ 
+ if (conn->driver->domainGetHostname) {
+@@ -21229,6 +21231,7 @@
+ virResetLastError();
+ 
+ virCheckDomainReturn(dom, -1);
++virCheckReadOnlyGoto(domain->conn->flags, error);
+ 
+ if (dom->conn->driver->domainGetTime) {
+ int ret = dom->conn->driver->domainGetTime(dom, seconds,
+--- a/src/remote/remote_protocol.x
 b/src/remote/remote_protocol.x
+@@ -5049,7 +5049,7 @@
+ 
+ /**
+  * @generate: both
+- * @acl: domain:read
++ * @acl: domain:write
+  */
+ REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
+ 
+@@ -5444,7 +5444,7 @@
+ 
+ /**
+  * @generate: none
+- * @acl: domain:read
++ * @acl: domain:write
+  */
+ REMOTE_PROC_DOMAIN_GET_TIME = 337,
+ 
diff -Nru libvirt-1.2.9/debian/patches/series libvirt-1.2.9/debian/patches/series
--- libvirt-1.2.9/debian/patches/series	2018-03-13 06:00:35.0 +1100
+++ libvirt-1.2.9/debian/patches/series	2019-04-08 17:25:13.0 +1000
@@ -37,3 +37,4 @@
 upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
 security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
 security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+CVE-2019-3886.patch


Re: libvirt / CVE-2019-3886

2019-04-09 Thread Brian May
Guido Günther  writes:

> I don't think this is needed for jessie since the corresponding function
> in qemu was implemented in 4.8.0.

Sounds like it won't hurt to leave this in, in any case...

> qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
> affected as well. The corresponding virDomainGetTime has no read only
> check so this could be an issue (but should likely use a different
> CVE). This was upstream fixed in
>
> 506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Ok, so it does sound like I should make this change too.

Like it or not, I suspect CVE-2019-3886 might be getting used for both
issues.
-- 
Brian May 



Re: libvirt / CVE-2019-3886

2019-04-08 Thread Guido Günther
Hi,
On Mon, Apr 08, 2019 at 05:50:46PM +1000, Brian May wrote:
> Patch for Jessie version attached. Patch is applied by hand from
> https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html

I don't think this is needed for jessie since the corresponding function
in qemu was implemented in 4.8.0.

> I am a bit concerned this patch only patches the virDomainGetHostname
> function and not the virDomainGetTime function, while the tests (which I
> suspect are not run in the Debian build) appears to patch both. As such
> I suspect this might be incomplete as is.

qemuDomainGetTime is present in 1.2.9 and uses the guest agent so it's
affected as well. The corresponding virDomainGetTime has no read only
check so this could be an issue (but should likely use a different
CVE). This was upstream fixed in

506e9d6c2d4baaf580d489fff0690c0ff2ff588f

Cheers,
 -- Guido

> -- 
> Brian May 
> https://linuxpenguins.xyz/brian/

> diff -Nru libvirt-1.2.9/debian/changelog libvirt-1.2.9/debian/changelog
> --- libvirt-1.2.9/debian/changelog2018-03-13 06:51:52.0 +1100
> +++ libvirt-1.2.9/debian/changelog2019-04-08 17:29:21.0 +1000
> @@ -1,3 +1,11 @@
> +libvirt (1.2.9-9+deb8u6) jessie-security; urgency=high
> +
> +  * Non-maintainer upload by the LTS Team.
> +  * CVE-2019-3886: Ensure get hostname and get time RPC calls require write
> +access.
> +
> + -- Brian May   Mon, 08 Apr 2019 17:29:21 +1000
> +
>  libvirt (1.2.9-9+deb8u5) jessie-security; urgency=high
>  
>* Switch gbp.conf to jessie
> diff -Nru libvirt-1.2.9/debian/patches/CVE-2019-3886.patch 
> libvirt-1.2.9/debian/patches/CVE-2019-3886.patch
> --- libvirt-1.2.9/debian/patches/CVE-2019-3886.patch  1970-01-01 
> 10:00:00.0 +1000
> +++ libvirt-1.2.9/debian/patches/CVE-2019-3886.patch  2019-04-08 
> 17:29:08.0 +1000
> @@ -0,0 +1,31 @@
> +--- a/src/libvirt.c
>  b/src/libvirt.c
> +@@ -20994,6 +20994,8 @@
> + virResetLastError();
> + 
> + virCheckDomainReturn(domain, NULL);
> ++virCheckReadOnlyGoto(domain->conn->flags, error);
> ++
> + conn = domain->conn;
> + 
> + if (conn->driver->domainGetHostname) {
> +--- a/src/remote/remote_protocol.x
>  b/src/remote/remote_protocol.x
> +@@ -5049,7 +5049,7 @@
> + 
> + /**
> +  * @generate: both
> +- * @acl: domain:read
> ++ * @acl: domain:write
> +  */
> + REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
> + 
> +@@ -5444,7 +5444,7 @@
> + 
> + /**
> +  * @generate: none
> +- * @acl: domain:read
> ++ * @acl: domain:write
> +  */
> + REMOTE_PROC_DOMAIN_GET_TIME = 337,
> + 
> diff -Nru libvirt-1.2.9/debian/patches/series 
> libvirt-1.2.9/debian/patches/series
> --- libvirt-1.2.9/debian/patches/series   2018-03-13 06:00:35.0 
> +1100
> +++ libvirt-1.2.9/debian/patches/series   2019-04-08 17:25:13.0 
> +1000
> @@ -37,3 +37,4 @@
>  upstream/qemu-Specify-format-iff-disk-source-is-not-empty.patch
>  security/CVE-2018-5748-qemu-avoid-denial-of-service-reading-from-Q.patch
>  security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
> +CVE-2019-3886.patch