From d0c49b8326c6c53baf2928d10060db39ad1e3bde Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Thu, 16 Sep 2021 14:23:04 -0700 Subject: libvirt: Security fix for CVE-2020-25637 Source: https://libvirt.org/git/libvirt.git MR: 105864 Type: Security Fix Disposition: Backport from https://libvirt.org/git/libvirt.git ChangeID: 99bb9b4fc1b608e4e9a56b9d2308bfa54d9ba33c Description: * https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 * https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 * https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad * https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05 Affects <= 6.3.0 Signed-off-by: Armin Kuster Signed-off-by: Bruce Ashfield --- .../libvirt/libvirt/CVE-2020-25637_1.patch | 49 ++++++++++ .../libvirt/libvirt/CVE-2020-25637_2.patch | 102 +++++++++++++++++++++ .../libvirt/libvirt/CVE-2020-25637_3.patch | 36 ++++++++ .../libvirt/libvirt/CVE-2020-25637_4.patch | 80 ++++++++++++++++ recipes-extended/libvirt/libvirt_6.1.0.bb | 4 + 5 files changed, 271 insertions(+) create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch (limited to 'recipes-extended/libvirt')
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
new file mode 100644
index 00000000..362d3d16
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
@@ -0,0 +1,49 @@
+From 955029bd0ad7ef96000f529ac38204a8f4a96401 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?=
+Date: Fri, 18 Sep 2020 17:44:56 +0200
+Subject: [PATCH] rpc: gendispatch: handle empty flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Prepare for omission of the in remote_protocol.x
+@acl annotations:
+ @acl: ::
+so that we can add more fields after, e.g.:
+ @acl: :::
+
+Signed-off-by: Ján Tomko
+Reviewed-by: Jiri Denemark
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#1
+Signed-off-by: Armin Kuster
+
+---
+ src/rpc/gendispatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
++++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2113,7 +2113,7 @@ elsif ($mode eq "client") {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+ }
+- if (defined $acl[$i]->{flags}) {
++ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
+ }
+@@ -2201,7 +2201,7 @@ elsif ($mode eq "client") {
+ my $method = "virAccessManagerCheck" . $object;
+ my $space = ' ' x length($method);
+ print " if (";
+- if (defined $acl->{flags}) {
++ if (defined $acl->{flags} && length $acl->{flags}) {
+ my $flags = $acl->{flags};
+ if ($flags =~ /^\!/) {
+ $flags = substr $flags, 1;
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
new file mode 100644
index 00000000..58eae3e9
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
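Review bot: The status tag in this patch header is spelled `Upsteam-Status: Backport`; the OpenEmbedded convention is `Upstream-Status: Backport`, and tooling that matches on that exact tag would likely treat the patch as untagged. The same misspelling appears in CVE-2020-25637_2.patch, CVE-2020-25637_3.patch and CVE-2020-25637_4.patch. It would also help to put the upstream commit on the tag line, e.g. `Upstream-Status: Backport [https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401]`, so each patch file records its own origin instead of relying on the outer commit message.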
@@ -0,0 +1,102 @@
+From 50864dcda191eb35732dbd80fb6ca251a6bba923 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?=
+Date: Fri, 18 Sep 2020 16:09:25 +0200
+Subject: [PATCH] rpc: add support for filtering @acls by uint params
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Add a new field to @acl annotations for filtering by
+unsigned int parameters.
+
+Signed-off-by: Ján Tomko
+Reviewed-by: Jiri Denemark
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#2
+Signed-off-by: Armin Kuster
+
+---
+ src/remote/remote_protocol.x | 3 +++
+ src/rpc/gendispatch.pl | 21 ++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
++++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@ enum remote_procedure {
+ *
+ * - @acl: :
+ * - @acl: ::
++ * - @acl: ::::
+ *
+ * Declare the access control requirements for the API. May be repeated
+ * multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@ enum remote_procedure {
+ * is one of the permissions in access/viraccessperm.h
+ * indicates the rule only applies if the named flag
+ * is set in the API call
++ * and can be used to check an unsigned int parameter
++ * against value
+ *
+ * - @aclfilter: :
+ *
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
++++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2105,10 +2105,12 @@ elsif ($mode eq "client") {
+ my @acl;
+ foreach (@{$acl}) {
+ my @bits = split /:/;
+- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
++ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
++ param => $bits[3], value => $bits[4] }
+ }
+
+ my $checkflags = 0;
++ my $paramtocheck = undef;
+ for (my $i = 1 ; $i <= $#acl ; $i++) {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+@@ -2116,6 +2118,9 @@ elsif ($mode eq "client") {
+ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
++ if (defined $acl[$i]->{param}) {
++ $paramtocheck = $acl[$i]->{param};
++ }
+ }
+
+ my $apiname = $prefix . $call->{ProcName};
+@@ -2151,6 +2156,9 @@ elsif ($mode eq "client") {
+ if ($checkflags) {
+ push @argdecls, "unsigned int flags";
+ }
++ if (defined $paramtocheck) {
++ push @argdecls, "unsigned int " . $paramtocheck;
++ }
+
+ my $ret;
+ my $pass;
+@@ -2211,6 +2219,17 @@ elsif ($mode eq "client") {
+ }
+ print " ";
+ }
++ if (defined $acl->{param}) {
++ my $param = $acl->{param};
++ my $value = $acl->{value};
++ if ($value =~ /^\!/) {
++ $value = substr $value, 1;
++ print "($param != ($value)) &&\n";
++ } else {
++ print "($param == ($value)) &&\n";
++ }
++ print " ";
++ }
+ print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+ print " virObjectUnref(mgr);\n";
+ if ($action eq "Ensure") {
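Review bot: The new `if (defined $acl->{param})` block in the last gendispatch.pl hunk reads `$acl->{value}` without checking it, so an `@acl` line that names a parameter but omits the value would run `$value =~ /^\!/` on undef and print `($param == ()) &&` into the generated access-check code. A guard right after `my $value = $acl->{value};`, such as `die "acl for '$call->{ProcName}' has param '$param' but no value" unless defined $value && length $value;`, would stop the generator instead of emitting a malformed check. Separately, the loop that sets `$paramtocheck` starts at `$i = 1`, so a parameter named only on the first `@acl` line gets no `unsigned int` argument declared, and if rules name different parameters only the last one is declared; both look like they would surface as a compile error in the generated C rather than a skipped check, but an explicit `die` would be clearer. Because this file is a verbatim upstream backport, these are better raised upstream than edited locally. The enclosing block starts and ends outside these hunks.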
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
new file mode 100644
index 00000000..5a3ba80c
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
@@ -0,0 +1,36 @@
+From a63b48c5ecef077bf0f909a85f453a605600cf05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?=
+Date: Fri, 18 Sep 2020 17:56:37 +0200
+Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Signed-off-by: Ján Tomko
+Reported-by: Ilja Van Sprundel
+Fixes: 0977b8aa071de550e1a013d35e2c72615e65d520
+Reviewed-by: Mauro Matteo Cascella
+Reviewed-by: Jiri Denemark
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#3
+Signed-off-by: Armin Kuster
+
+---
+ src/qemu/qemu_agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: libvirt-6.1.0/src/qemu/qemu_agent.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_agent.c
++++ libvirt-6.1.0/src/qemu/qemu_agent.c
+@@ -2186,6 +2186,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+
+ /* Has to be freed for each interface. */
+ virStringListFree(ifname);
++ ifname = NULL;
+
+ /* as well as IP address which - moreover -
+ * can be presented multiple times */
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
new file mode 100644
index 00000000..9b802ca3
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
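Review bot: This patch is labelled `CVE: CVE-2020-25637 dep#3`, but its `Fixes:` and `Reported-by:` trailers and the added `ifname = NULL;` after `virStringListFree(ifname);` suggest it is the memory-safety fix itself rather than a prerequisite. The upstream message body says only `CVE-2020-25637`, so a sentence in the local header section naming the later free of `ifname` that the reset protects against would help anyone auditing the backport. That second free is not visible here, because qemuAgentGetInterfaces continues outside the hunk.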
@@ -0,0 +1,80 @@
+From e4116eaa44cb366b59f7fe98f4b88d04c04970ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?=
+Date: Fri, 18 Sep 2020 17:54:14 +0200
+Subject: [PATCH] rpc: require write acl for guest agent in
+ virDomainInterfaceAddresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Add a requirement for domain:write if source is set to
+VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
+
+Signed-off-by: Ján Tomko
+Reported-by: Ilja Van Sprundel
+Reviewed-by: Jiri Denemark
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637
+Signed-off-by: Armin Kuster
+
+---
+ src/libxl/libxl_driver.c | 2 +-
+ src/lxc/lxc_driver.c | 2 +-
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 1 +
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+Index: libvirt-6.1.0/src/libxl/libxl_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/libxl/libxl_driver.c
++++ libvirt-6.1.0/src/libxl/libxl_driver.c
+@@ -6331,7 +6331,7 @@ libxlDomainInterfaceAddresses(virDomainP
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/lxc/lxc_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/lxc/lxc_driver.c
++++ libvirt-6.1.0/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr
+ if (!(vm = lxcDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_driver.c
++++ libvirt-6.1.0/src/qemu/qemu_driver.c
+@@ -21846,7 +21846,7 @@ qemuDomainInterfaceAddresses(virDomainPt
+ if (!(vm = qemuDomainObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
++++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -6211,6 +6211,7 @@ enum remote_procedure {
+ /**
+ * @generate: none
+ * @acl: domain:read
++ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+ */
+ REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+
diff --git a/recipes-extended/libvirt/libvirt_6.1.0.bb b/recipes-extended/libvirt/libvirt_6.1.0.bb
index 0146c6cb..aa7563f6 100644
--- a/recipes-extended/libvirt/libvirt_6.1.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.1.0.bb
@@ -41,6 +41,10 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
 file://hook_support.py \
 file://gnutls-helper.py \
 file://CVE-2020-10701.patch \
+ file://CVE-2020-25637_1.patch \
+ file://CVE-2020-25637_2.patch \
+ file://CVE-2020-25637_3.patch \
+ file://CVE-2020-25637_4.patch \
 "
 SRC_URI[libvirt.md5sum] = "a870e63f20fac2ccf98e716d05256145"
-- cgit v1.2.3-54-g00ecf