diff -Nru libvirt-4.0.0/debian/changelog libvirt-4.0.0/debian/changelog --- libvirt-4.0.0/debian/changelog 2019-05-14 19:11:45.000000000 +0000 +++ libvirt-4.0.0/debian/changelog 2019-07-02 13:19:33.000000000 +0000 @@ -1,3 +1,31 @@ +libvirt (4.0.0-1ubuntu8.12) bionic-security; urgency=medium + + * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for + read-only connection + - debian/patches/CVE-2019-10161.patch: add check to + src/libvirt-domain.c, src/qemu/qemu_driver.c, + src/remote/remote_protocol.x. + - CVE-2019-10161 + * SECURITY UPDATE: virDomainManagedSaveDefineXML does not check for + read-only connection + - debian/patches/CVE-2019-10166.patch: add check to + src/libvirt-domain.c. + - CVE-2019-10166 + * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for + read-only connection + - debian/patches/CVE-2019-10167.patch: add check to + src/libvirt-domain.c. + - CVE-2019-10167 + + -- Marc Deslauriers Tue, 02 Jul 2019 09:19:33 -0400 + +libvirt (4.0.0-1ubuntu8.11) bionic; urgency=medium + + * d/p/ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch: fix + consideration of VMX flag (LP: #1830268) + + -- Christian Ehrhardt Mon, 27 May 2019 11:52:07 +0200 + libvirt (4.0.0-1ubuntu8.10) bionic-security; urgency=medium * SECURITY UPDATE: Add support for md-clear functionality diff -Nru libvirt-4.0.0/debian/patches/CVE-2019-10161.patch libvirt-4.0.0/debian/patches/CVE-2019-10161.patch --- libvirt-4.0.0/debian/patches/CVE-2019-10161.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-4.0.0/debian/patches/CVE-2019-10161.patch 2019-07-02 13:18:03.000000000 +0000 @@ -0,0 +1,93 @@ +From 1f8129c5db3952a57900b8cd1d94e629068e6aa5 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 08:47:42 +0200 +Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) +Signed-off-by: Ján Tomko + +Conflicts: + src/libvirt-domain.c + src/remote/remote_protocol.x + +Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE +alias for VIR_DOMAIN_XML_SECURE is not backported. +Just skip the commit since we now disallow the whole API on read-only +connections, regardless of the flag. + +Signed-off-by: Ján Tomko +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +Index: libvirt-4.0.0/src/libvirt-domain.c +=================================================================== +--- libvirt-4.0.0.orig/src/libvirt-domain.c 2019-07-02 09:18:00.815650192 -0400 ++++ libvirt-4.0.0/src/libvirt-domain.c 2019-07-02 09:18:00.807650169 -0400 +@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only +- * connections. For this API, @flags should not contain either +- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. ++ * VIR_DOMAIN_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +Index: libvirt-4.0.0/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-4.0.0.orig/src/qemu/qemu_driver.c 2019-07-02 09:18:00.815650192 -0400 ++++ libvirt-4.0.0/src/qemu/qemu_driver.c 2019-07-02 09:18:00.811650180 -0400 +@@ -6799,7 +6799,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +Index: libvirt-4.0.0/src/remote/remote_protocol.x +=================================================================== +--- libvirt-4.0.0.orig/src/remote/remote_protocol.x 2019-07-02 09:18:00.815650192 -0400 ++++ libvirt-4.0.0/src/remote/remote_protocol.x 2019-07-02 09:18:00.811650180 -0400 +@@ -5109,8 +5109,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + diff -Nru libvirt-4.0.0/debian/patches/CVE-2019-10166.patch libvirt-4.0.0/debian/patches/CVE-2019-10166.patch --- libvirt-4.0.0/debian/patches/CVE-2019-10166.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-4.0.0/debian/patches/CVE-2019-10166.patch 2019-07-02 13:18:07.000000000 +0000 @@ -0,0 +1,37 @@ +From d9a1f3debad411756f53ab8ab81e44ab0bb50e0a Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:14:53 +0200 +Subject: [PATCH] api: disallow virDomainManagedSaveDefineXML on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The virDomainManagedSaveDefineXML can be used to alter the domain's +config used for managedsave or even execute arbitrary emulator binaries. +Forbid it on read-only connections. + +Fixes: CVE-2019-10166 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a) +Signed-off-by: Ján Tomko +--- + src/libvirt-domain.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 159c2b3..dd6b1a5 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -9424,6 +9424,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml, + + virCheckDomainReturn(domain, -1); + conn = domain->conn; ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainManagedSaveDefineXML) { + int ret; +-- +1.7.1 + diff -Nru libvirt-4.0.0/debian/patches/CVE-2019-10167.patch libvirt-4.0.0/debian/patches/CVE-2019-10167.patch --- libvirt-4.0.0/debian/patches/CVE-2019-10167.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-4.0.0/debian/patches/CVE-2019-10167.patch 2019-07-02 13:18:14.000000000 +0000 @@ -0,0 +1,35 @@ +From 585be8edbef5ce4ef30e6c20386358ca1ba8e344 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:16:14 +0200 +Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) +Signed-off-by: Ján Tomko +--- + src/libvirt-domain.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index dd6b1a5..2f496bc 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -11216,6 +11216,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; +-- +1.7.1 + diff -Nru libvirt-4.0.0/debian/patches/series libvirt-4.0.0/debian/patches/series --- libvirt-4.0.0/debian/patches/series 2019-05-14 19:11:37.000000000 +0000 +++ libvirt-4.0.0/debian/patches/series 2019-07-02 13:18:14.000000000 +0000 @@ -128,3 +128,7 @@ CVE-2019-3840.patch ubuntu/lp-1823676-Use-the-correct-vm-def-on-cold-attach.patch md-clear.patch +ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch +CVE-2019-10161.patch +CVE-2019-10166.patch +CVE-2019-10167.patch diff -Nru libvirt-4.0.0/debian/patches/ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch libvirt-4.0.0/debian/patches/ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch --- libvirt-4.0.0/debian/patches/ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-4.0.0/debian/patches/ubuntu/lp-1830268-refresh-capabilities-on-KVM-nesting.patch 2019-05-27 09:52:07.000000000 +0000 @@ -0,0 +1,153 @@ +From b183a75319b90d0af5512be513743e1eab950612 Mon Sep 17 00:00:00 2001 +From: John Ferlan +Date: Mon, 12 Nov 2018 14:58:09 -0500 +Subject: [PATCH] qemu: Add check for whether KVM nesting is enabled + +Support for nested KVM is handled via a kernel module configuration +parameters values for kvm_intel, kvm_amd, kvm_hv (PPC), or kvm (s390). +While it's possible to fetch the kmod config values via virKModConfig, +unfortunately that is the static value and we need to get the +current/dynamic value from the kernel file system. + +So this patch adds a new API virHostKVMSupportsNesting that will +search the 3 kernel modules to get the nesting value and check if +it is 'Y' (or 'y' just in case) to return a true/false whether +the KVM kernel supports nesting. + +We need to do this in order to handle cases where adjustments to +the value are made after libvirtd is started to force a refetch of +the latest QEMU capabilities since the correct CPU settings need +to be made for a guest to add the "vmx=on" to/for the guest config. + +Signed-off-by: John Ferlan +ACKed-by: Michal Privoznik + +Author: Christian Ehrhardt +Original-Author: John Ferlan +Origin: backport, https://libvirt.org/git/?p=libvirt.git;a=commit;h=b183a75319b90d0af5512be513743e1eab950612 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1830268 +Last-Update: 2019-05-27 + +--- + src/qemu/qemu_capabilities.c | 54 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/src/qemu/qemu_capabilities.c ++++ b/src/qemu/qemu_capabilities.c +@@ -500,6 +500,7 @@ struct _virQEMUCaps { + virObject object; + + bool usedQMP; ++ bool kvmSupportsNesting; + + char *binary; + time_t ctime; +@@ -2293,6 +2294,7 @@ virQEMUCapsPtr virQEMUCapsNewCopy(virQEM + return NULL; + + ret->usedQMP = qemuCaps->usedQMP; ++ ret->kvmSupportsNesting = qemuCaps->kvmSupportsNesting; + + if (VIR_STRDUP(ret->binary, qemuCaps->binary) < 0) + goto error; +@@ -4111,6 +4113,9 @@ virQEMUCapsLoadCache(virArch hostArch, + virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_KVM); + virQEMUCapsInitHostCPUModel(qemuCaps, hostArch, VIR_DOMAIN_VIRT_QEMU); + ++ if (virXPathBoolean("boolean(./kvmSupportsNesting)", ctxt) > 0) ++ qemuCaps->kvmSupportsNesting = true; ++ + ret = 0; + cleanup: + VIR_FREE(str); +@@ -4306,6 +4311,9 @@ virQEMUCapsFormatCache(virQEMUCapsPtr qe + emulated ? "yes" : "no"); + } + ++ if (qemuCaps->kvmSupportsNesting) ++ virBufferAddLit(&buf, "\n"); ++ + virBufferAdjustIndent(&buf, -2); + virBufferAddLit(&buf, "\n"); + +@@ -4346,6 +4354,48 @@ virQEMUCapsSaveFile(void *data, + } + + ++/* Check the kernel module parameters 'nested' file to determine if enabled ++ * ++ * Intel: 'kvm_intel' uses 'Y' ++ * AMD: 'kvm_amd' uses '1' ++ * PPC64: 'kvm_hv' uses 'Y' ++ * S390: 'kvm' uses '1' ++ */ ++static bool ++virQEMUCapsKVMSupportsNesting(void) ++{ ++ static char const * const kmod[] = {"kvm_intel", "kvm_amd", ++ "kvm_hv", "kvm"}; ++ char *value = NULL; ++ int rc; ++ bool ret = false; ++ size_t i; ++ ++ for (i = 0; i < ARRAY_CARDINALITY(kmod); i++) { ++ VIR_FREE(value); ++ rc = virFileReadValueString(&value, "/sys/module/%s/parameters/nested", ++ kmod[i]); ++ if (rc == -2) ++ continue; ++ if (rc < 0) { ++ virResetLastError(); ++ ret = false; ++ goto cleanup; ++ } ++ ++ if (value[0] == 'Y' || value[0] == 'y' || value[0] == '1') ++ ret = true; ++ goto cleanup; ++ } ++ ++ ret = false; ++ ++cleanup: ++ VIR_FREE(value); ++ return ret; ++} ++ ++ + static bool + virQEMUCapsIsValid(void *data, + void *privData) +@@ -4354,6 +4404,7 @@ virQEMUCapsIsValid(void *data, + virQEMUCapsCachePrivPtr priv = privData; + bool kvmUsable; + struct stat sb; ++ bool kvmSupportsNesting; + + if (!qemuCaps->binary) + return true; +@@ -4424,6 +4475,14 @@ virQEMUCapsIsValid(void *data, + qemuCaps->kernelVersion); + return false; + } ++ ++ kvmSupportsNesting = virQEMUCapsKVMSupportsNesting(); ++ if (kvmSupportsNesting != qemuCaps->kvmSupportsNesting) { ++ VIR_DEBUG("Outdated capabilities for '%s': kvm kernel nested " ++ "value changed from %d", ++ qemuCaps->binary, qemuCaps->kvmSupportsNesting); ++ return false; ++ } + } + + return true; +@@ -5321,6 +5380,8 @@ virQEMUCapsNewForBinaryInternal(virArch + + if (VIR_STRDUP(qemuCaps->kernelVersion, kernelVersion) < 0) + goto error; ++ ++ qemuCaps->kvmSupportsNesting = virQEMUCapsKVMSupportsNesting(); + } + + cleanup: