[Pkg-libvirt-commits] [SCM] Libvirt debian packaging branch, master, updated. debian/0.4.6-9-2-ga62bca8

Guido Guenther agx at sigxcpu.org
Thu Dec 18 17:02:38 UTC 2008 

The following commit has been merged in the master branch:
commit 5878698afc63cdbc99080854bb21b7675b92e602
Author: Guido Günther <agx at sigxcpu.org>
Date:   Thu Dec 18 16:58:42 2008 +0100

    cherry-pick patch for CVE-2008-5086 from experimental

diff --git a/debian/patches/0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch b/debian/patches/0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
new file mode 100644
index 0000000..db58676
--- /dev/null
+++ b/debian/patches/0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch
@@ -0,0 +1,188 @@
+From 7855c34e1517163aa7a4c58f6c4fff762cef515b Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange at redhat.com>
+Date: Wed, 17 Dec 2008 16:55:58 +0000
+Subject: [PATCH] Fix missing read-only access checks (CVE-2008-5086)
+
+The following methods in libvirt.c are missing a check against the
+read-only connection flag:
+
+    virDomainMigrate
+    virDomainMigratePrepare
+    virDomainMigratePerform
+    virDomainMigrateFinish
+    virDomainMigratePrepare2
+    virDomainMigrateFinish2
+    virDomainBlockPeek
+    virDomainMemoryPeek
+    virDomainSetAutostart
+    virNetworkSetAutostart
+    virConnectFindStoragePoolSources
+    virStoragePoolSetAutostart
+
+If using PolicyKit auth, the default policy will allow any local user
+to make a read-only connection to the libvirtd daemon without needing
+authentication.
+
+If not using PolicyKit, the default libvirtd.conf configuration settings
+will allow an unprivileged user to make a read-only connection to the
+libvirtd daemon without needing authentication.
+
+Thus out of the box unprivileged local users may be able to migrate VMs,
+set or unset the autostart flag for domains, networks & storage pools,
+and access privileged data in the VM memory, or disks.
+
+All TCP remote connections are read-write, and default settings require
+full authentication, thus remote access is not impacted by this flaw.
+
+Administrators can apply a workaround by editting /etc/libvirt/libvirtd.conf
+to explicitly set 'unix_sock_ro_perms'   parameter to  '0700'. Restart the
+libvirtd daemon after making this change.
+
+The first vulnerable release was 0.3.2, where the virDomainMigrate API
+was added for the Xen driver. Other APIs were added in various subsequent
+releases depending on the hypervisor driver in question.
+
+The attached patch has been committed to CVS, and OS distributors are
+recommended to apply this patch to all existing releases shipped. It
+was diff'd against current CVS head, and applies against 0.5.1, and
+is trivially re-diffable for all earlier releases.
+
+This flaw has been assigned the identifier CVE-2008-5086
+
+Daniel
+---
+ src/libvirt.c |   55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 55 insertions(+), 0 deletions(-)
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index ed98323..02f67b7 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -2180,6 +2180,16 @@ virDomainMigrate (virDomainPtr domain,
+         return NULL;
+     }
+ 
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++    if (dconn->flags & VIR_CONNECT_RO) {
++        /* NB, delibrately report error against source object, not dest here */
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     /* Check that migration is supported by both drivers. */
+     if (!VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn,
+                                    VIR_DRV_FEATURE_MIGRATION_V1) ||
+@@ -2257,6 +2267,11 @@ __virDomainMigratePrepare (virConnectPtr dconn,
+         return -1;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (dconn->driver->domainMigratePrepare)
+         return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+                                                     uri_in, uri_out,
+@@ -2287,6 +2302,11 @@ __virDomainMigratePerform (virDomainPtr domain,
+     }
+     conn = domain->conn;
+ 
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (conn->driver->domainMigratePerform)
+         return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+                                                    uri,
+@@ -2314,6 +2334,11 @@ __virDomainMigrateFinish (virConnectPtr dconn,
+         return NULL;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (dconn->driver->domainMigrateFinish)
+         return dconn->driver->domainMigrateFinish (dconn, dname,
+                                                    cookie, cookielen,
+@@ -2671,6 +2696,11 @@ virDomainBlockPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     if (!path) {
+         virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+                            _("path is NULL"));
+@@ -2746,6 +2776,11 @@ virDomainMemoryPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+      *
+      * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3013,6 +3048,11 @@ virDomainSetAutostart(virDomainPtr domain,
+ 
+     conn = domain->conn;
+ 
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     if (conn->driver->domainSetAutostart)
+         return conn->driver->domainSetAutostart (domain, autostart);
+ 
+@@ -3963,6 +4003,11 @@ virNetworkSetAutostart(virNetworkPtr network,
+         return (-1);
+     }
+ 
++    if (network->conn->flags & VIR_CONNECT_RO) {
++        virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = network->conn;
+ 
+     if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4161,6 +4206,11 @@ virConnectFindStoragePoolSources(virConnectPtr conn,
+         return NULL;
+     }
+ 
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (conn->storageDriver && conn->storageDriver->findPoolSources)
+         return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+ 
+@@ -4834,6 +4884,11 @@ virStoragePoolSetAutostart(virStoragePoolPtr pool,
+         return (-1);
+     }
+ 
++    if (pool->conn->flags & VIR_CONNECT_RO) {
++        virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = pool->conn;
+ 
+     if (conn->storageDriver && conn->storageDriver->poolSetAutostart)
+-- 
+1.6.0.3
+
diff --git a/debian/patches/series b/debian/patches/series
index b8b43aa..3c173f3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@
 0008-Increase-initial-qemu-monitor-read-timeout.patch
 0009-Open-qemu-monitor-log-O_APPEND-instead-of-O_TRUNC.patch
 0010-raise-error-on-invalid-volume-format.patch
+0011-Fix-missing-read-only-access-checks-CVE-2008-5086.patch

-- 
Libvirt debian packaging

More information about the Pkg-libvirt-commits mailing list