5 files changed, 271 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
new file mode 100644
index 00000000..362d3d16
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
@@ -0,0 +1,49 @@
+From 955029bd0ad7ef96000f529ac38204a8f4a96401 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:44:56 +0200
+Subject: [PATCH] rpc: gendispatch: handle empty flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE-2020-25637
+Prepare for omission of the <flagname> in remote_protocol.x
+@acl annotations:
+ @acl: <object>:<permission>:<flagname>
+so that we can add more fields after, e.g.:
+ @acl: <object>:<permission>::<field>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/rpc/gendispatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
+++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2113,7 +2113,7 @@ elsif ($mode eq "client") {
+                 if ($acl[$i]->{object} ne $acl[0]->{object}) {
+                     die "acl for '$call->{ProcName}' cannot check different objects";
+                 }
+-                if (defined $acl[$i]->{flags}) {
+                if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+                     $checkflags = 1;
+                 }
+             }
+@@ -2201,7 +2201,7 @@ elsif ($mode eq "client") {
+                     my $method = "virAccessManagerCheck" . $object;
+                     my $space = ' ' x length($method);
+                     print "    if (";
+-                    if (defined $acl->{flags}) {
+                    if (defined $acl->{flags} && length $acl->{flags}) {
+                         my $flags = $acl->{flags};
+                         if ($flags =~ /^\!/) {
+                             $flags = substr $flags, 1;
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
new file mode 100644
index 00000000..58eae3e9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
@@ -0,0 +1,102 @@
+From 50864dcda191eb35732dbd80fb6ca251a6bba923 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 16:09:25 +0200
+Subject: [PATCH] rpc: add support for filtering @acls by uint params
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE-2020-25637
+Add a new field to @acl annotations for filtering by
+unsigned int parameters.
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/remote/remote_protocol.x |  3 +++
+ src/rpc/gendispatch.pl       | 21 ++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
+++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@ enum remote_procedure {
+      *
+      * - @acl: <object>:<permission>
+      * - @acl: <object>:<permission>:<flagname>
+     * - @acl: <object>:<permission>::<param>:<value>
+      *
+      *   Declare the access control requirements for the API. May be repeated
+      *   multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@ enum remote_procedure {
+      *     <permission> is one of the permissions in access/viraccessperm.h
+      *     <flagname> indicates the rule only applies if the named flag
+      *     is set in the API call
+     *     <param> and <value> can be used to check an unsigned int parameter
+     *     against value
+      *
+      * - @aclfilter: <object>:<permission>
+      *
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
+++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2105,10 +2105,12 @@ elsif ($mode eq "client") {
+             my @acl;
+             foreach (@{$acl}) {
+                 my @bits = split /:/;
+-                push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
+                push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
+                             param => $bits[3], value => $bits[4] }
+             }
+ 
+             my $checkflags = 0;
+            my $paramtocheck = undef;
+             for (my $i = 1 ; $i <= $#acl ; $i++) {
+                 if ($acl[$i]->{object} ne $acl[0]->{object}) {
+                     die "acl for '$call->{ProcName}' cannot check different objects";
+@@ -2116,6 +2118,9 @@ elsif ($mode eq "client") {
+                 if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+                     $checkflags = 1;
+                 }
+                if (defined $acl[$i]->{param}) {
+                    $paramtocheck = $acl[$i]->{param};
+                }
+             }
+ 
+             my $apiname = $prefix . $call->{ProcName};
+@@ -2151,6 +2156,9 @@ elsif ($mode eq "client") {
+             if ($checkflags) {
+                 push @argdecls, "unsigned int flags";
+             }
+            if (defined $paramtocheck) {
+                push @argdecls, "unsigned int " . $paramtocheck;
+            }
+ 
+             my $ret;
+             my $pass;
+@@ -2211,6 +2219,17 @@ elsif ($mode eq "client") {
+                         }
+                         print "        ";
+                     }
+                    if (defined $acl->{param}) {
+                        my $param = $acl->{param};
+                        my $value = $acl->{value};
+                        if ($value =~ /^\!/) {
+                            $value = substr $value, 1;
+                            print "($param != ($value)) &&\n";
+                        } else {
+                            print "($param == ($value)) &&\n";
+                        }
+                        print "        ";
+                    }
+                     print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+                     print "        virObjectUnref(mgr);\n";
+                     if ($action eq "Ensure") {
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
new file mode 100644
index 00000000..5a3ba80c
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
@@ -0,0 +1,36 @@
+From a63b48c5ecef077bf0f909a85f453a605600cf05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:56:37 +0200
+Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE-2020-25637
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Fixes: 0977b8aa071de550e1a013d35e2c72615e65d520
+Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/qemu/qemu_agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+Index: libvirt-6.1.0/src/qemu/qemu_agent.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_agent.c
+++ libvirt-6.1.0/src/qemu/qemu_agent.c
+@@ -2186,6 +2186,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+ 
+         /* Has to be freed for each interface. */
+         virStringListFree(ifname);
+        ifname = NULL;
+ 
+         /* as well as IP address which - moreover -
+          * can be presented multiple times */
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
new file mode 100644
index 00000000..9b802ca3
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
@@ -0,0 +1,80 @@
+From e4116eaa44cb366b59f7fe98f4b88d04c04970ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:54:14 +0200
+Subject: [PATCH] rpc: require write acl for guest agent in
+ virDomainInterfaceAddresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+CVE-2020-25637
+Add a requirement for domain:write if source is set to
+VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/libxl/libxl_driver.c     | 2 +-
+ src/lxc/lxc_driver.c         | 2 +-
+ src/qemu/qemu_driver.c       | 2 +-
+ src/remote/remote_protocol.x | 1 +
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+Index: libvirt-6.1.0/src/libxl/libxl_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/libxl/libxl_driver.c
+++ libvirt-6.1.0/src/libxl/libxl_driver.c
+@@ -6331,7 +6331,7 @@ libxlDomainInterfaceAddresses(virDomainP
+     if (!(vm = libxlDomObjFromDomain(dom)))
+         goto cleanup;
+ 
+-    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
+    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+         goto cleanup;
+ 
+     if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/lxc/lxc_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/lxc/lxc_driver.c
+++ libvirt-6.1.0/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr
+     if (!(vm = lxcDomObjFromDomain(dom)))
+         goto cleanup;
+ 
+-    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
+    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+         goto cleanup;
+ 
+     if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_driver.c
+++ libvirt-6.1.0/src/qemu/qemu_driver.c
+@@ -21846,7 +21846,7 @@ qemuDomainInterfaceAddresses(virDomainPt
+     if (!(vm = qemuDomainObjFromDomain(dom)))
+         goto cleanup;
+ 
+-    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
+    if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+         goto cleanup;
+ 
+     if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
+++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -6211,6 +6211,7 @@ enum remote_procedure {
+     /**
+      * @generate: none
+      * @acl: domain:read
+     * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+      */
+     REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+ 
diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb
index 0146c6cb..aa7563f6 100644
--- a/recipes-extended/libvirt/libvirt_6.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -41,6 +41,10 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
           file://hook_support.py \
           file://gnutls-helper.py \
           file://CVE-2020-10701.patch \
+           file://CVE-2020-25637_1.patch \
+           file://CVE-2020-25637_2.patch \
+           file://CVE-2020-25637_3.patch \
+           file://CVE-2020-25637_4.patch \
          "
 SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"

diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch new file mode 100644 index 00000000..362d3d16 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
@@ -0,0 +1,49 @@
		1	From 955029bd0ad7ef96000f529ac38204a8f4a96401 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
		3	Date: Fri, 18 Sep 2020 17:44:56 +0200
		4	Subject: [PATCH] rpc: gendispatch: handle empty flags
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	CVE-2020-25637
		10
		11	Prepare for omission of the <flagname> in remote_protocol.x
		12	@acl annotations:
		13	@acl: <object>:<permission>:<flagname>
		14	so that we can add more fields after, e.g.:
		15	@acl: <object>:<permission>::<field>
		16
		17	Signed-off-by: Ján Tomko <jtomko@redhat.com>
		18	Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
		19
		20	Upsteam-Status: Backport
		21	CVE: CVE-2020-25637 dep#1
		22	Signed-off-by: Armin Kuster <akuster@mvista.com>
		23
		24	---
		25	src/rpc/gendispatch.pl \| 4 ++--
		26	1 file changed, 2 insertions(+), 2 deletions(-)
		27
		28	Index: libvirt-6.1.0/src/rpc/gendispatch.pl
		29	===================================================================
		30	--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
		31	+++ libvirt-6.1.0/src/rpc/gendispatch.pl
		32	@@ -2113,7 +2113,7 @@ elsif ($mode eq "client") {
		33	if ($acl[$i]->{object} ne $acl[0]->{object}) {
		34	die "acl for '$call->{ProcName}' cannot check different objects";
		35	}
		36	- if (defined $acl[$i]->{flags}) {
		37	+ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
		38	$checkflags = 1;
		39	}
		40	}
		41	@@ -2201,7 +2201,7 @@ elsif ($mode eq "client") {
		42	my $method = "virAccessManagerCheck" . $object;
		43	my $space = ' ' x length($method);
		44	print " if (";
		45	- if (defined $acl->{flags}) {
		46	+ if (defined $acl->{flags} && length $acl->{flags}) {
		47	my $flags = $acl->{flags};
		48	if ($flags =~ /^\!/) {
		49	$flags = substr $flags, 1;


diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch new file mode 100644 index 00000000..58eae3e9 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
@@ -0,0 +1,102 @@
		1	From 50864dcda191eb35732dbd80fb6ca251a6bba923 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
		3	Date: Fri, 18 Sep 2020 16:09:25 +0200
		4	Subject: [PATCH] rpc: add support for filtering @acls by uint params
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	CVE-2020-25637
		10
		11	Add a new field to @acl annotations for filtering by
		12	unsigned int parameters.
		13
		14	Signed-off-by: Ján Tomko <jtomko@redhat.com>
		15	Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
		16
		17	Upsteam-Status: Backport
		18	CVE: CVE-2020-25637 dep#2
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	src/remote/remote_protocol.x \| 3 +++
		23	src/rpc/gendispatch.pl \| 21 ++++++++++++++++++++-
		24	2 files changed, 23 insertions(+), 1 deletion(-)
		25
		26	Index: libvirt-6.1.0/src/remote/remote_protocol.x
		27	===================================================================
		28	--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
		29	+++ libvirt-6.1.0/src/remote/remote_protocol.x
		30	@@ -3805,6 +3805,7 @@ enum remote_procedure {
		31	*
		32	* - @acl: <object>:<permission>
		33	* - @acl: <object>:<permission>:<flagname>
		34	+ * - @acl: <object>:<permission>::<param>:<value>
		35	*
		36	* Declare the access control requirements for the API. May be repeated
		37	* multiple times, if multiple rules are required.
		38	@@ -3814,6 +3815,8 @@ enum remote_procedure {
		39	* <permission> is one of the permissions in access/viraccessperm.h
		40	* <flagname> indicates the rule only applies if the named flag
		41	* is set in the API call
		42	+ * <param> and <value> can be used to check an unsigned int parameter
		43	+ * against value
		44	*
		45	* - @aclfilter: <object>:<permission>
		46	*
		47	Index: libvirt-6.1.0/src/rpc/gendispatch.pl
		48	===================================================================
		49	--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
		50	+++ libvirt-6.1.0/src/rpc/gendispatch.pl
		51	@@ -2105,10 +2105,12 @@ elsif ($mode eq "client") {
		52	my @acl;
		53	foreach (@{$acl}) {
		54	my @bits = split /:/;
		55	- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
		56	+ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
		57	+ param => $bits[3], value => $bits[4] }
		58	}
		59
		60	my $checkflags = 0;
		61	+ my $paramtocheck = undef;
		62	for (my $i = 1 ; $i <= $#acl ; $i++) {
		63	if ($acl[$i]->{object} ne $acl[0]->{object}) {
		64	die "acl for '$call->{ProcName}' cannot check different objects";
		65	@@ -2116,6 +2118,9 @@ elsif ($mode eq "client") {
		66	if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
		67	$checkflags = 1;
		68	}
		69	+ if (defined $acl[$i]->{param}) {
		70	+ $paramtocheck = $acl[$i]->{param};
		71	+ }
		72	}
		73
		74	my $apiname = $prefix . $call->{ProcName};
		75	@@ -2151,6 +2156,9 @@ elsif ($mode eq "client") {
		76	if ($checkflags) {
		77	push @argdecls, "unsigned int flags";
		78	}
		79	+ if (defined $paramtocheck) {
		80	+ push @argdecls, "unsigned int " . $paramtocheck;
		81	+ }
		82
		83	my $ret;
		84	my $pass;
		85	@@ -2211,6 +2219,17 @@ elsif ($mode eq "client") {
		86	}
		87	print " ";
		88	}
		89	+ if (defined $acl->{param}) {
		90	+ my $param = $acl->{param};
		91	+ my $value = $acl->{value};
		92	+ if ($value =~ /^\!/) {
		93	+ $value = substr $value, 1;
		94	+ print "($param != ($value)) &&\n";
		95	+ } else {
		96	+ print "($param == ($value)) &&\n";
		97	+ }
		98	+ print " ";
		99	+ }
		100	print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
		101	print " virObjectUnref(mgr);\n";
		102	if ($action eq "Ensure") {


diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch new file mode 100644 index 00000000..5a3ba80c --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
@@ -0,0 +1,36 @@
		1	From a63b48c5ecef077bf0f909a85f453a605600cf05 Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
		3	Date: Fri, 18 Sep 2020 17:56:37 +0200
		4	Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	CVE-2020-25637
		10
		11	Signed-off-by: Ján Tomko <jtomko@redhat.com>
		12	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
		13	Fixes: 0977b8aa071de550e1a013d35e2c72615e65d520
		14	Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
		15	Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
		16
		17	Upsteam-Status: Backport
		18	CVE: CVE-2020-25637 dep#3
		19	Signed-off-by: Armin Kuster <akuster@mvista.com>
		20
		21	---
		22	src/qemu/qemu_agent.c \| 1 +
		23	1 file changed, 1 insertion(+)
		24
		25	Index: libvirt-6.1.0/src/qemu/qemu_agent.c
		26	===================================================================
		27	--- libvirt-6.1.0.orig/src/qemu/qemu_agent.c
		28	+++ libvirt-6.1.0/src/qemu/qemu_agent.c
		29	@@ -2186,6 +2186,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
		30
		31	/* Has to be freed for each interface. */
		32	virStringListFree(ifname);
		33	+ ifname = NULL;
		34
		35	/* as well as IP address which - moreover -
		36	* can be presented multiple times */


diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch new file mode 100644 index 00000000..9b802ca3 --- /dev/null +++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
@@ -0,0 +1,80 @@
		1	From e4116eaa44cb366b59f7fe98f4b88d04c04970ad Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
		3	Date: Fri, 18 Sep 2020 17:54:14 +0200
		4	Subject: [PATCH] rpc: require write acl for guest agent in
		5	virDomainInterfaceAddresses
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	CVE-2020-25637
		11
		12	Add a requirement for domain:write if source is set to
		13	VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
		14
		15	Signed-off-by: Ján Tomko <jtomko@redhat.com>
		16	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
		17	Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
		18
		19	Upsteam-Status: Backport
		20	CVE: CVE-2020-25637
		21	Signed-off-by: Armin Kuster <akuster@mvista.com>
		22
		23	---
		24	src/libxl/libxl_driver.c \| 2 +-
		25	src/lxc/lxc_driver.c \| 2 +-
		26	src/qemu/qemu_driver.c \| 2 +-
		27	src/remote/remote_protocol.x \| 1 +
		28	4 files changed, 4 insertions(+), 3 deletions(-)
		29
		30	Index: libvirt-6.1.0/src/libxl/libxl_driver.c
		31	===================================================================
		32	--- libvirt-6.1.0.orig/src/libxl/libxl_driver.c
		33	+++ libvirt-6.1.0/src/libxl/libxl_driver.c
		34	@@ -6331,7 +6331,7 @@ libxlDomainInterfaceAddresses(virDomainP
		35	if (!(vm = libxlDomObjFromDomain(dom)))
		36	goto cleanup;
		37
		38	- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
		39	+ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
		40	goto cleanup;
		41
		42	if (virDomainObjCheckActive(vm) < 0)
		43	Index: libvirt-6.1.0/src/lxc/lxc_driver.c
		44	===================================================================
		45	--- libvirt-6.1.0.orig/src/lxc/lxc_driver.c
		46	+++ libvirt-6.1.0/src/lxc/lxc_driver.c
		47	@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr
		48	if (!(vm = lxcDomObjFromDomain(dom)))
		49	goto cleanup;
		50
		51	- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
		52	+ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
		53	goto cleanup;
		54
		55	if (virDomainObjCheckActive(vm) < 0)
		56	Index: libvirt-6.1.0/src/qemu/qemu_driver.c
		57	===================================================================
		58	--- libvirt-6.1.0.orig/src/qemu/qemu_driver.c
		59	+++ libvirt-6.1.0/src/qemu/qemu_driver.c
		60	@@ -21846,7 +21846,7 @@ qemuDomainInterfaceAddresses(virDomainPt
		61	if (!(vm = qemuDomainObjFromDomain(dom)))
		62	goto cleanup;
		63
		64	- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
		65	+ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
		66	goto cleanup;
		67
		68	if (virDomainObjCheckActive(vm) < 0)
		69	Index: libvirt-6.1.0/src/remote/remote_protocol.x
		70	===================================================================
		71	--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
		72	+++ libvirt-6.1.0/src/remote/remote_protocol.x
		73	@@ -6211,6 +6211,7 @@ enum remote_procedure {
		74	/**
		75	* @generate: none
		76	* @acl: domain:read
		77	+ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
		78	*/
		79	REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
		80


diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb index 0146c6cb..aa7563f6 100644 --- a/recipes-extended/libvirt/libvirt_6.1.0.bb +++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -41,6 +41,10 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
41	file://hook_support.py \	41	file://hook_support.py \
42	file://gnutls-helper.py \	42	file://gnutls-helper.py \
43	file://CVE-2020-10701.patch \	43	file://CVE-2020-10701.patch \
		44	file://CVE-2020-25637_1.patch \
		45	file://CVE-2020-25637_2.patch \
		46	file://CVE-2020-25637_3.patch \
		47	file://CVE-2020-25637_4.patch \
44	"	48	"
45		49
46	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"	50	SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"