2 files changed, 82 insertions, 0 deletions
diff --git a/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch b/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch
new file mode 100644
index 00000000..1d13dd36
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch
@@ -0,0 +1,81 @@
+Upstream-Status: Backport
+Backport patch to fix CVE-2016-5008 from:
+https://libvirt.org/git/?p=libvirt.git;a=commit;h=f32441c69bf450d6ac593c3acd621c37e120cdaf
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From f32441c69bf450d6ac593c3acd621c37e120cdaf Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Tue, 28 Jun 2016 14:39:58 +0200
+Subject: [PATCH] qemu: Let empty default VNC password work as documented
+CVE-2016-5008
+Setting an empty graphics password is documented as a way to disable
+VNC/SPICE access, but QEMU does not always behaves like that. VNC would
+happily accept the empty password. Let's enforce the behavior by setting
+password expiration to "now".
+https://bugzilla.redhat.com/show_bug.cgi?id=1180092
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+(cherry picked from commit bb848feec0f3f10e92dd8e5231ae7aa89b5598f3)
+---
+ src/qemu/qemu_hotplug.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
+index 5f12d77..fda28b0 100644
+--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
+@@ -3547,6 +3547,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
+     time_t now = time(NULL);
+     char expire_time [64];
+     const char *connected = NULL;
+    const char *password;
+     int ret = -1;
+     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
+ 
+@@ -3554,16 +3555,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
+         ret = 0;
+         goto cleanup;
+     }
+    password = auth->passwd ? auth->passwd : defaultPasswd;
+ 
+     if (auth->connected)
+         connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);
+ 
+     if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
+         goto cleanup;
+-    ret = qemuMonitorSetPassword(priv->mon,
+-                                 type,
+-                                 auth->passwd ? auth->passwd : defaultPasswd,
+-                                 connected);
+    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);
+ 
+     if (ret == -2) {
+         if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
+@@ -3571,14 +3570,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
+                            _("Graphics password only supported for VNC"));
+             ret = -1;
+         } else {
+-            ret = qemuMonitorSetVNCPassword(priv->mon,
+-                                            auth->passwd ? auth->passwd : defaultPasswd);
+            ret = qemuMonitorSetVNCPassword(priv->mon, password);
+         }
+     }
+     if (ret != 0)
+         goto end_job;
+ 
+-    if (auth->expires) {
+    if (password[0] == '\0') {
+        snprintf(expire_time, sizeof(expire_time), "now");
+    } else if (auth->expires) {
+         time_t lifetime = auth->validTo - now;
+         if (lifetime <= 0)
+             snprintf(expire_time, sizeof(expire_time), "now");
+-- 
+2.9.0
diff --git a/recipes-extended/libvirt/libvirt_1.3.5.bb b/recipes-extended/libvirt/libvirt_1.3.5.bb
index 7ff2c5f6..6222b697 100644
--- a/recipes-extended/libvirt/libvirt_1.3.5.bb
+++ b/recipes-extended/libvirt/libvirt_1.3.5.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz;name=libvirt \
           file://Revert-build-add-prefix-to-SYSTEMD_UNIT_DIR.patch \
           file://install-missing-file.patch \
           file://0001-nsslinktest-also-build-virAtomic.h.patch \
+           file://0001-qemu-Let-empty-default-VNC-password-work-as-document.patch \
          "
 SRC_URI[libvirt.md5sum] = "f9dc1e63d559eca50ae0ee798a4c6c6d"

diff --git a/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch b/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch new file mode 100644 index 00000000..1d13dd36 --- /dev/null +++ b/recipes-extended/libvirt/libvirt-1.3.5/0001-qemu-Let-empty-default-VNC-password-work-as-document.patch
@@ -0,0 +1,81 @@
		1	Upstream-Status: Backport
		2
		3	Backport patch to fix CVE-2016-5008 from:
		4
		5	https://libvirt.org/git/?p=libvirt.git;a=commit;h=f32441c69bf450d6ac593c3acd621c37e120cdaf
		6
		7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		8	---
		9	From f32441c69bf450d6ac593c3acd621c37e120cdaf Mon Sep 17 00:00:00 2001
		10	From: Jiri Denemark <jdenemar@redhat.com>
		11	Date: Tue, 28 Jun 2016 14:39:58 +0200
		12	Subject: [PATCH] qemu: Let empty default VNC password work as documented
		13
		14	CVE-2016-5008
		15
		16	Setting an empty graphics password is documented as a way to disable
		17	VNC/SPICE access, but QEMU does not always behaves like that. VNC would
		18	happily accept the empty password. Let's enforce the behavior by setting
		19	password expiration to "now".
		20
		21	https://bugzilla.redhat.com/show_bug.cgi?id=1180092
		22
		23	Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
		24	(cherry picked from commit bb848feec0f3f10e92dd8e5231ae7aa89b5598f3)
		25	---
		26	src/qemu/qemu_hotplug.c \| 14 +++++++-------
		27	1 file changed, 7 insertions(+), 7 deletions(-)
		28
		29	diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
		30	index 5f12d77..fda28b0 100644
		31	--- a/src/qemu/qemu_hotplug.c
		32	+++ b/src/qemu/qemu_hotplug.c
		33	@@ -3547,6 +3547,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
		34	time_t now = time(NULL);
		35	char expire_time [64];
		36	const char *connected = NULL;
		37	+ const char *password;
		38	int ret = -1;
		39	virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
		40
		41	@@ -3554,16 +3555,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
		42	ret = 0;
		43	goto cleanup;
		44	}
		45	+ password = auth->passwd ? auth->passwd : defaultPasswd;
		46
		47	if (auth->connected)
		48	connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);
		49
		50	if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
		51	goto cleanup;
		52	- ret = qemuMonitorSetPassword(priv->mon,
		53	- type,
		54	- auth->passwd ? auth->passwd : defaultPasswd,
		55	- connected);
		56	+ ret = qemuMonitorSetPassword(priv->mon, type, password, connected);
		57
		58	if (ret == -2) {
		59	if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
		60	@@ -3571,14 +3570,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
		61	_("Graphics password only supported for VNC"));
		62	ret = -1;
		63	} else {
		64	- ret = qemuMonitorSetVNCPassword(priv->mon,
		65	- auth->passwd ? auth->passwd : defaultPasswd);
		66	+ ret = qemuMonitorSetVNCPassword(priv->mon, password);
		67	}
		68	}
		69	if (ret != 0)
		70	goto end_job;
		71
		72	- if (auth->expires) {
		73	+ if (password[0] == '\0') {
		74	+ snprintf(expire_time, sizeof(expire_time), "now");
		75	+ } else if (auth->expires) {
		76	time_t lifetime = auth->validTo - now;
		77	if (lifetime <= 0)
		78	snprintf(expire_time, sizeof(expire_time), "now");
		79	--
		80	2.9.0
		81


diff --git a/recipes-extended/libvirt/libvirt_1.3.5.bb b/recipes-extended/libvirt/libvirt_1.3.5.bb index 7ff2c5f6..6222b697 100644 --- a/recipes-extended/libvirt/libvirt_1.3.5.bb +++ b/recipes-extended/libvirt/libvirt_1.3.5.bb
@@ -34,6 +34,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.gz;name=libvirt \
34	file://Revert-build-add-prefix-to-SYSTEMD_UNIT_DIR.patch \	34	file://Revert-build-add-prefix-to-SYSTEMD_UNIT_DIR.patch \
35	file://install-missing-file.patch \	35	file://install-missing-file.patch \
36	file://0001-nsslinktest-also-build-virAtomic.h.patch \	36	file://0001-nsslinktest-also-build-virAtomic.h.patch \
		37	file://0001-qemu-Let-empty-default-VNC-password-work-as-document.patch \
37	"	38	"
38		39
39	SRC_URI[libvirt.md5sum] = "f9dc1e63d559eca50ae0ee798a4c6c6d"	40	SRC_URI[libvirt.md5sum] = "f9dc1e63d559eca50ae0ee798a4c6c6d"