diff -Nru libvirt-8.0.0/debian/changelog libvirt-8.0.0/debian/changelog
--- libvirt-8.0.0/debian/changelog 2022-11-22 14:59:28.000000000 +0000
+++ libvirt-8.0.0/debian/changelog 2023-05-26 14:08:33.000000000 +0000
@@ -1,3 +1,16 @@
+libvirt (8.0.0-1ubuntu7.5) jammy-security; urgency=medium
+
+ * SECURITY UPDATE: DoS via nwfilter driver
+ - debian/patches/CVE-2022-0897.patch: fix crash when counting number of
+ network filters in src/nwfilter/nwfilter_driver.c.
+ - CVE-2022-0897
+ * SECURITY UPDATE: DoS via memleak in SR-IOV PCI device capabilities
+ - debian/patches/CVE-2023-2700.patch: resolve leak in
+ virPCIVirtualFunctionList cleanup in src/util/virpci.c.
+ - CVE-2023-2700
+
+ -- Marc Deslauriers Fri, 26 May 2023 10:08:33 -0400
+
 libvirt (8.0.0-1ubuntu7.4) jammy; urgency=medium
+ * d/p/u/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch: prevent
diff -Nru libvirt-8.0.0/debian/patches/CVE-2022-0897.patch libvirt-8.0.0/debian/patches/CVE-2022-0897.patch
--- libvirt-8.0.0/debian/patches/CVE-2022-0897.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-8.0.0/debian/patches/CVE-2022-0897.patch 2023-05-26 14:08:15.000000000 +0000
@@ -0,0 +1,47 @@
+From a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Tue, 8 Mar 2022 17:28:38 +0000
+Subject: [PATCH] nwfilter: fix crash when counting number of network filters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virNWFilterObjListNumOfNWFilters method iterates over the
+driver->nwfilters, accessing virNWFilterObj instances. As such
+it needs to be protected against concurrent modification of
+the driver->nwfilters object.
+
+This API allows unprivileged users to connect, so users with
+read-only access to libvirt can cause a denial of service
+crash if they are able to race with a call of virNWFilterUndefine.
+Since network filters are usually statically defined, this is
+considered a low severity problem.
+
+This is assigned CVE-2022-0897.
+
+Reviewed-by: Eric Blake
+Signed-off-by: Daniel P. Berrangé
+---
+ src/nwfilter/nwfilter_driver.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/src/nwfilter/nwfilter_driver.c
++++ b/src/nwfilter/nwfilter_driver.c
+@@ -478,11 +478,15 @@ nwfilterLookupByName(virConnectPtr conn,
+ static int
+ nwfilterConnectNumOfNWFilters(virConnectPtr conn)
+ {
++ int ret;
+ if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
+ return -1;
+
+- return virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
+- virConnectNumOfNWFiltersCheckACL);
++ nwfilterDriverLock();
++ ret = virNWFilterObjListNumOfNWFilters(driver->nwfilters, conn,
++ virConnectNumOfNWFiltersCheckACL);
++ nwfilterDriverUnlock();
++ return ret;
+ }
+
+
diff -Nru libvirt-8.0.0/debian/patches/CVE-2023-2700.patch libvirt-8.0.0/debian/patches/CVE-2023-2700.patch
--- libvirt-8.0.0/debian/patches/CVE-2023-2700.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-8.0.0/debian/patches/CVE-2023-2700.patch 2023-05-26 14:08:26.000000000 +0000
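Review bot: The lock/unlock pair added around virNWFilterObjListNumOfNWFilters in nwfilterConnectNumOfNWFilters leaves the reason undocumented, and the commit message places the crash in any unlocked walk of driver->nwfilters racing an undefine, so the sibling enumeration entry points in nwfilter_driver.c that are not in this hunk (the list and listAll calls, presumably) should be checked to already hold nwfilterDriverLock() before touching driver->nwfilters. A short comment above the lock would record the invariant for the next reader: `/* driver->nwfilters can be modified concurrently (e.g. by undefine); hold the driver lock for the whole walk */`. The patch file carries only the git From line as provenance; a DEP-3 `Origin: upstream, <upstream commit URL>` header at the top of debian/patches/CVE-2022-0897.patch would make the backport easier to audit against upstream commit a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36.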
@@ -0,0 +1,45 @@
+From 6425a311b8ad19d6f9c0b315bf1d722551ea3585 Mon Sep 17 00:00:00 2001
+From: Tim Shearer
+Date: Mon, 1 May 2023 13:15:48 +0000
+Subject: [PATCH] virpci: Resolve leak in virPCIVirtualFunctionList cleanup
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Repeatedly querying an SR-IOV PCI device's capabilities exposes a
+memory leak caused by a failure to free the virPCIVirtualFunction
+array within the parent struct's g_autoptr cleanup.
+
+Valgrind output after getting a single interface's XML description
+1000 times:
+
+==325982== 256,000 bytes in 1,000 blocks are definitely lost in loss record 2,634 of 2,635
+==325982== at 0x4C3C096: realloc (vg_replace_malloc.c:1437)
+==325982== by 0x59D952D: g_realloc (in /usr/lib64/libglib-2.0.so.0.5600.4)
+==325982== by 0x4EE1F52: virReallocN (viralloc.c:52)
+==325982== by 0x4EE1FB7: virExpandN (viralloc.c:78)
+==325982== by 0x4EE219A: virInsertElementInternal (viralloc.c:183)
+==325982== by 0x4EE23B2: virAppendElement (viralloc.c:288)
+==325982== by 0x4F65D85: virPCIGetVirtualFunctionsFull (virpci.c:2389)
+==325982== by 0x4F65753: virPCIGetVirtualFunctions (virpci.c:2256)
+==325982== by 0x505CB75: virNodeDeviceGetPCISRIOVCaps (node_device_conf.c:2969)
+==325982== by 0x505D181: virNodeDeviceGetPCIDynamicCaps (node_device_conf.c:3099)
+==325982== by 0x505BC4E: virNodeDeviceUpdateCaps (node_device_conf.c:2677)
+==325982== by 0x260FCBB2: nodeDeviceGetXMLDesc (node_device_driver.c:355)
+
+Signed-off-by: Tim Shearer
+Reviewed-by: Ján Tomko
+---
+ src/util/virpci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/util/virpci.c
++++ b/src/util/virpci.c
+@@ -2255,6 +2255,7 @@ virPCIVirtualFunctionListFree(virPCIVirt
+ g_free(list->functions[i].ifname);
+ }
+
++ g_free(list->functions);
+ g_free(list);
+ }
+
diff -Nru libvirt-8.0.0/debian/patches/series libvirt-8.0.0/debian/patches/series
--- libvirt-8.0.0/debian/patches/series 2022-11-22 14:59:28.000000000 +0000
+++ 
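Review bot: The new `g_free(list->functions);` releases the element array, but the per-element loop above it frees only `ifname`, and virPCIVirtualFunctionListFree starts outside the hunk, so it cannot be seen here whether other heap-owned members of each element (an address struct, if the element holds one) are released in the lines preceding the hunk — worth confirming against the struct definition before signing off. The function's NULL guard on `list`, if one exists, is likewise outside the hunk; g_free(NULL) is a no-op, so the new line itself is safe for a list that was never populated. A comment on the new line, `/* the array itself, not just the per-element strings */`, would keep a later cleanup refactor from reintroducing the leak, and the valgrind run the commit message describes is a good candidate for an ASan/valgrind regression check of the nodedev XML path.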
libvirt-8.0.0/debian/patches/series 2023-05-26 14:08:20.000000000 +0000
@@ -37,3 +37,5 @@
 ubuntu/lp-1990499-virt-aa-helper-allow-common-riscv64-loader-paths.patch
 ubuntu/lp-1996176-nodedev-ignore-EINVAL-from-libudev-in-udevEventHandl.patch
 ubuntu/lp-1993304-apparmor-allow-getattr-on-usb-devices.patch
+CVE-2022-0897.patch
+CVE-2023-2700.patch