From 9b85a9e1d1dbba5cc0f5a23f2fa3705beb521179 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 23 2019 14:41:28 +0000 Subject: import libvirt-4.5.0-10.el7_6.10 --- diff --git a/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch new file mode 100644 index 0000000..fe99250 --- /dev/null +++ b/SOURCES/libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch @@ -0,0 +1,61 @@ +From dba153a54183187d16cb983d269516930c555ad8 Mon Sep 17 00:00:00 2001 +Message-Id: +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 15 May 2019 21:40:56 +0100 +Subject: [PATCH] admin: reject clients unless their UID matches the current + UID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The admin protocol RPC messages are only intended for use by the user +running the daemon. As such they should not be allowed for any client +UID that does not match the server UID. + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from a private commit) +Reviewed-by: Jiri Denemark +Message-Id: <20190515204058.28077-2-berrange@redhat.com> +--- + src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c +index b78ff902c0..9f25813ae3 100644 +--- a/src/admin/admin_server_dispatch.c ++++ b/src/admin/admin_server_dispatch.c +@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, + void *opaque) + { + struct daemonAdmClientPrivate *priv; ++ uid_t clientuid; ++ gid_t clientgid; ++ pid_t clientpid; ++ unsigned long long timestamp; ++ ++ if (virNetServerClientGetUNIXIdentity(client, ++ &clientuid, ++ &clientgid, ++ &clientpid, ++ ×tamp) < 0) ++ return NULL; ++ ++ VIR_DEBUG("New client pid %lld uid %lld", ++ (long long)clientpid, ++ (long long)clientuid); ++ ++ if (geteuid() != clientuid) { ++ virReportRestrictedError(_("Disallowing client %lld with uid %lld"), ++ (long long)clientpid, ++ (long long)clientuid); ++ return NULL; ++ } + + if (VIR_ALLOC(priv) < 0) + return NULL; +-- +2.21.0 + diff --git a/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch new file mode 100644 index 0000000..fde25c9 --- /dev/null +++ b/SOURCES/libvirt-locking-restrict-sockets-to-mode-0600.patch @@ -0,0 +1,54 @@ +From 9062f89d17d1ab5d6c5c3efae8c6056149ef0a28 Mon Sep 17 00:00:00 2001 +Message-Id: <9062f89d17d1ab5d6c5c3efae8c6056149ef0a28@dist-git> +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 15 May 2019 21:40:57 +0100 +Subject: [PATCH] locking: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlockd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from a private commit) +Reviewed-by: Jiri Denemark +Message-Id: <20190515204058.28077-3-berrange@redhat.com> +--- + src/locking/virtlockd-admin.socket.in | 1 + + src/locking/virtlockd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in +index 2a7500f3d0..f674c492f7 100644 +--- a/src/locking/virtlockd-admin.socket.in ++++ b/src/locking/virtlockd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock + Service=virtlockd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in +index 45e0f20235..d701b27516 100644 +--- a/src/locking/virtlockd.socket.in ++++ b/src/locking/virtlockd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlockd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.21.0 + diff --git a/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch new file mode 100644 index 0000000..a080a11 --- /dev/null +++ b/SOURCES/libvirt-logging-restrict-sockets-to-mode-0600.patch @@ -0,0 +1,54 @@ +From b87dc9bc856cd8b9d6dbf61ff7b1aa61653748fb Mon Sep 17 00:00:00 2001 +Message-Id: +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Wed, 15 May 2019 21:40:58 +0100 +Subject: [PATCH] logging: restrict sockets to mode 0600 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The virtlogd daemon's only intended client is the libvirtd daemon. As +such it should never allow clients from other user accounts to connect. +The code already enforces this and drops clients from other UIDs, but +we can get earlier (and thus stronger) protection against DoS by setting +the socket permissions to 0600 + +Fixes CVE-2019-10132 + +Reviewed-by: Ján Tomko +Signed-off-by: Daniel P. Berrangé +(cherry picked from a private commit) +Reviewed-by: Jiri Denemark +Message-Id: <20190515204058.28077-4-berrange@redhat.com> +--- + src/logging/virtlogd-admin.socket.in | 1 + + src/logging/virtlogd.socket.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in +index 595e6c4c4b..5c41dfeb7b 100644 +--- a/src/logging/virtlogd-admin.socket.in ++++ b/src/logging/virtlogd-admin.socket.in +@@ -5,6 +5,7 @@ Before=libvirtd.service + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock + Service=virtlogd.service ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in +index 22b9360c8d..ae48cdab9a 100644 +--- a/src/logging/virtlogd.socket.in ++++ b/src/logging/virtlogd.socket.in +@@ -4,6 +4,7 @@ Before=libvirtd.service + + [Socket] + ListenStream=@localstatedir@/run/libvirt/virtlogd-sock ++SocketMode=0600 + + [Install] + WantedBy=sockets.target +-- +2.21.0 + diff --git a/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch b/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch new file mode 100644 index 0000000..852c710 --- /dev/null +++ b/SOURCES/libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch @@ -0,0 +1,132 @@ +From 48289dddc0f4398036071c132f96644e3c3e03c4 Mon Sep 17 00:00:00 2001 +Message-Id: <48289dddc0f4398036071c132f96644e3c3e03c4@dist-git> +From: Michal Privoznik +Date: Tue, 23 Apr 2019 10:06:17 +0200 +Subject: [PATCH] virnwfilterbindingobj: Introduce and use + virNWFilterBindingObjStealDef +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RHEL-7.7: https://bugzilla.redhat.com/show_bug.cgi?id=1686927 +RHEL-7.6.z: https://bugzilla.redhat.com/show_bug.cgi?id=1702173 + +When trying to create a nwfilter binding via +nwfilterBindingCreateXML() we may encounter a crash. The sequence +of functions called is as follows: + +1) nwfilterBindingCreateXML() parses the XML and calls +virNWFilterBindingObjListAdd() which calls +virNWFilterBindingObjListAddLocked() + +2) Here, @binding is not found because binding->remove is set. + +3) Therefore, controls continue with creating new @binding, +setting its def to the one from 1) and adding it to the hash +table. + +4) This fails, because the binding is still in the hash table +(duplicate key is detected). + +5) The control jumps to 'error' label where +virNWFilterBindingObjEndAPI() is called which frees the binding +definition passed. + +6) Error is propagated to the caller, which calls +virNWFilterBindingDefFree() over the definition again. + +The solution is to unset binding->def in case of failure so it's +not freed in step 5). + +Signed-off-by: Michal Privoznik +Reviewed-by: Ján Tomko +(cherry picked from commit 8c08a99745ddac9f4055c008e82e68a27ed5093d) +Signed-off-by: Michal Privoznik +Message-Id: +Reviewed-by: Ján Tomko +--- + src/conf/virnwfilterbindingobj.c | 10 ++++++++++ + src/conf/virnwfilterbindingobj.h | 3 +++ + src/conf/virnwfilterbindingobjlist.c | 4 ++++ + src/libvirt_private.syms | 1 + + 4 files changed, 18 insertions(+) + +diff --git a/src/conf/virnwfilterbindingobj.c b/src/conf/virnwfilterbindingobj.c +index d145fe3223..291ba9a5f8 100644 +--- a/src/conf/virnwfilterbindingobj.c ++++ b/src/conf/virnwfilterbindingobj.c +@@ -88,6 +88,16 @@ virNWFilterBindingObjSetDef(virNWFilterBindingObjPtr obj, + } + + ++virNWFilterBindingDefPtr ++virNWFilterBindingObjStealDef(virNWFilterBindingObjPtr obj) ++{ ++ virNWFilterBindingDefPtr def; ++ ++ VIR_STEAL_PTR(def, obj->def); ++ return def; ++} ++ ++ + bool + virNWFilterBindingObjGetRemoving(virNWFilterBindingObjPtr obj) + { +diff --git a/src/conf/virnwfilterbindingobj.h b/src/conf/virnwfilterbindingobj.h +index 21ae85b064..e8f94aa1ef 100644 +--- a/src/conf/virnwfilterbindingobj.h ++++ b/src/conf/virnwfilterbindingobj.h +@@ -38,6 +38,9 @@ void + virNWFilterBindingObjSetDef(virNWFilterBindingObjPtr obj, + virNWFilterBindingDefPtr def); + ++virNWFilterBindingDefPtr ++virNWFilterBindingObjStealDef(virNWFilterBindingObjPtr obj); ++ + bool + virNWFilterBindingObjGetRemoving(virNWFilterBindingObjPtr obj); + +diff --git a/src/conf/virnwfilterbindingobjlist.c b/src/conf/virnwfilterbindingobjlist.c +index 7ce59f7c6e..d0301e7e28 100644 +--- a/src/conf/virnwfilterbindingobjlist.c ++++ b/src/conf/virnwfilterbindingobjlist.c +@@ -169,6 +169,7 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings, + virNWFilterBindingDefPtr def) + { + virNWFilterBindingObjPtr binding; ++ bool stealDef = false; + + /* See if a binding with matching portdev already exists */ + if ((binding = virNWFilterBindingObjListFindByPortDevLocked( +@@ -183,6 +184,7 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings, + goto error; + + virNWFilterBindingObjSetDef(binding, def); ++ stealDef = true; + + if (virNWFilterBindingObjListAddObjLocked(bindings, binding) < 0) + goto error; +@@ -190,6 +192,8 @@ virNWFilterBindingObjListAddLocked(virNWFilterBindingObjListPtr bindings, + return binding; + + error: ++ if (stealDef) ++ virNWFilterBindingObjStealDef(binding); + virNWFilterBindingObjEndAPI(&binding); + return NULL; + } +diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms +index 636891eabd..3325b90535 100644 +--- a/src/libvirt_private.syms ++++ b/src/libvirt_private.syms +@@ -1065,6 +1065,7 @@ virNWFilterBindingObjParseFile; + virNWFilterBindingObjSave; + virNWFilterBindingObjSetDef; + virNWFilterBindingObjSetRemoving; ++virNWFilterBindingObjStealDef; + + + # conf/virnwfilterbindingobjlist.h +-- +2.21.0 + diff --git a/SPECS/libvirt.spec b/SPECS/libvirt.spec index a456370..70ed4ef 100644 --- a/SPECS/libvirt.spec +++ b/SPECS/libvirt.spec @@ -253,7 +253,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 4.5.0 -Release: 10%{?dist}.9%{?extra_release} +Release: 10%{?dist}.10%{?extra_release} License: LGPLv2+ URL: https://libvirt.org/ @@ -415,6 +415,10 @@ Patch149: libvirt-cpu_x86-Do-not-cache-microcode-version.patch Patch150: libvirt-cputest-Add-data-for-Intel-R-Xeon-R-CPU-E3-1225-v5.patch Patch151: libvirt-cpu_map-Define-md-clear-CPUID-bit.patch Patch152: libvirt-qemu-Don-t-cache-microcode-version.patch +Patch153: libvirt-virnwfilterbindingobj-Introduce-and-use-virNWFilterBindingObjStealDef.patch +Patch154: libvirt-admin-reject-clients-unless-their-UID-matches-the-current-UID.patch +Patch155: libvirt-locking-restrict-sockets-to-mode-0600.patch +Patch156: libvirt-logging-restrict-sockets-to-mode-0600.patch Requires: libvirt-daemon = %{version}-%{release} Requires: libvirt-daemon-config-network = %{version}-%{release} @@ -2316,6 +2320,12 @@ exit 0 %changelog +* Thu May 16 2019 Jiri Denemark - 4.5.0-10.el7_6.10 +- virnwfilterbindingobj: Introduce and use virNWFilterBindingObjStealDef (rhbz#1702173) +- admin: reject clients unless their UID matches the current UID (CVE-2019-10132) +- locking: restrict sockets to mode 0600 (CVE-2019-10132) +- logging: restrict sockets to mode 0600 (CVE-2019-10132) + * Tue Apr 16 2019 Jiri Denemark - 4.5.0-10.el7_6.9 - qemu: Don't cache microcode version (CVE-2018-12127, CVE-2018-12126, CVE-2018-12130)