diff -Nru libvirt-0.9.13/debian/changelog libvirt-0.9.13/debian/changelog
--- libvirt-0.9.13/debian/changelog 2013-09-14 00:55:01.000000000 +0000
+++ libvirt-0.9.13/debian/changelog 2014-01-20 20:38:50.000000000 +0000
@@ -1,3 +1,17 @@
+libvirt (0.9.13-0ubuntu12.6) quantal-security; urgency=medium
+
+ * SECURITY UPDATE: denial of service via job usage issues in several APIs
+ - debian/patches/CVE-2013-6458.patch: fix races in
+ src/qemu/qemu_driver.c. Backport virReportError macro to cfg.mk,
+ src/util/virterror_internal.h.
+ - CVE-2013-6458
+ * SECURITY UPDATE: denial of service via keepalive feature
+ - debian/patches/CVE-2014-1447.patch: make sure connection isn't closed
+ in src/rpc/virnetserverclient.c.
+ - CVE-2014-1447
+
+ -- Marc Deslauriers Mon, 20 Jan 2014 15:04:57 -0500
+
 libvirt (0.9.13-0ubuntu12.5) quantal-security; urgency=low
 
 * SECURITY UPDATE: possible privilege escalation via pkcheck race.
diff -Nru libvirt-0.9.13/debian/patches/CVE-2013-6458.patch libvirt-0.9.13/debian/patches/CVE-2013-6458.patch
--- libvirt-0.9.13/debian/patches/CVE-2013-6458.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-0.9.13/debian/patches/CVE-2013-6458.patch 2014-01-20 20:59:23.000000000 +0000
@@ -0,0 +1,194 @@
+Description: fix denial of service via job usage issues in several APIs
+Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=4616ff521e301193c8a0cc03bedcf067aece39cb
+Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=c430c002dd8287c5d7b834993ddfbd61435248c4
+Origin: backport, http://libvirt.org/git/?p=libvirt.git;a=commit;h=4dd29d3bdf4bf3a4c4b1077ddf4355bcf548ca2f
+Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=3e7d9e54e9ce286fe1bee5d32089cd58d63e5cee
+Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=2786686eb5855e0046817d47055cd784881ca8cb
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6458
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=734556
+
+Index: libvirt-0.9.13/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-0.9.13.orig/src/qemu/qemu_driver.c 2014-01-20 15:55:59.147327347 -0500
++++ libvirt-0.9.13/src/qemu/qemu_driver.c 2014-01-20 15:57:41.011325768 -0500
+@@ -93,6 +93,7 @@
+ #include "virtime.h"
+ #include "virtypedparam.h"
+ #include "virdomainlist.h"
++#include "virstring.h"
+
+ #define VIR_FROM_THIS VIR_FROM_QEMU
+
+@@ -7683,34 +7684,29 @@
+ goto cleanup;
+ }
+
+- if (!virDomainObjIsActive(vm)) {
+- qemuReportError(VIR_ERR_OPERATION_INVALID,
+- "%s", _("domain is not running"));
++ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
+ goto cleanup;
++
++ if (!virDomainObjIsActive(vm)) {
++ virReportError(VIR_ERR_OPERATION_INVALID,
++ "%s", _("domain is not running"));
++ goto endjob;
+ }
+
+ if ((i = virDomainDiskIndexByName(vm->def, path, false)) < 0) {
+- qemuReportError(VIR_ERR_INVALID_ARG,
+- _("invalid path: %s"), path);
+- goto cleanup;
++ virReportError(VIR_ERR_INVALID_ARG,
++ _("invalid path: %s"), path);
++ goto endjob;
+ }
+ disk = vm->def->disks[i];
+
+ if (!disk->info.alias) {
+- qemuReportError(VIR_ERR_INTERNAL_ERROR,
+- _("missing disk device alias name 
for %s"), disk->dst);
+- goto cleanup;
++ virReportError(VIR_ERR_INTERNAL_ERROR,
++ _("missing disk device alias name for %s"), disk->dst);
++ goto endjob;
+ }
+
+ priv = vm->privateData;
+- if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
+- goto cleanup;
+-
+- if (!virDomainObjIsActive(vm)) {
+- qemuReportError(VIR_ERR_OPERATION_INVALID,
+- "%s", _("domain is not running"));
+- goto endjob;
+- }
+
+ qemuDomainObjEnterMonitor(driver, vm);
+ ret = qemuMonitorGetBlockStatsInfo(priv->mon,
+@@ -8493,10 +8489,12 @@
+ }
+
+
+-static int qemuDomainGetBlockInfo(virDomainPtr dom,
+- const char *path,
+- virDomainBlockInfoPtr info,
+- unsigned int flags) {
++static int
++qemuDomainGetBlockInfo(virDomainPtr dom,
++ const char *path,
++ virDomainBlockInfoPtr info,
++ unsigned int flags)
++{
+ struct qemud_driver *driver = dom->conn->privateData;
+ virDomainObjPtr vm;
+ int ret = -1;
+@@ -8507,6 +8505,7 @@
+ struct stat sb;
+ int i;
+ int format;
++ char *alias = NULL;
+
+ virCheckFlags(0, -1);
+
+@@ -8629,13 +8628,16 @@
+ virDomainObjIsActive(vm)) {
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+
++ if (!(alias = strdup(disk->info.alias)))
++ goto cleanup;
++
+ if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_QUERY) < 0)
+ goto cleanup;
+
+ if (virDomainObjIsActive(vm)) {
+ qemuDomainObjEnterMonitor(driver, vm);
+ ret = qemuMonitorGetBlockExtent(priv->mon,
+- disk->info.alias,
++ alias,
+ &info->allocation);
+ qemuDomainObjExitMonitor(driver, vm);
+ } else {
+@@ -8649,6 +8651,7 @@
+ }
+
+ cleanup:
++ VIR_FREE(alias);
+ virStorageFileFreeMetadata(meta);
+ VIR_FORCE_CLOSE(fd);
+ if (vm)
+@@ -11954,11 +11957,6 @@
+ goto cleanup;
+ }
+
+- device = qemuDiskPathToAlias(vm, path, &idx);
+- if (!device)
+- goto cleanup;
+- disk = vm->def->disks[idx];
+-
+ if (qemuDomainObjBeginJobWithDriver(driver, vm, QEMU_JOB_MODIFY) < 0)
+ goto cleanup;
+
+@@ -11968,6 +11966,11 @@
+ goto endjob;
+ }
+
++ device = qemuDiskPathToAlias(vm, path, &idx);
++ if (!device)
++ goto endjob;
++ 
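Review bot: Nothing in the function records why `virDomainDiskIndexByName()` and the `disk->info.alias` check in the `@@ -7683,34 +7684,29 @@` hunk now have to sit after `qemuDomainObjBeginJob()`, so a later cleanup could move them back above it and reopen the race this patch closes. A one-line comment above the job acquisition would make the ordering intentional, for example `/* Acquire the job before looking up the disk; a lookup made earlier may be stale by the time the job is held. */`. The staleness rationale is inferred from the changelog's "fix races" wording, so confirm the phrasing against the upstream commit message. The same comment would help at the `qemuDiskPathToAlias()` calls moved below `qemuDomainObjBeginJobWithDriver()` in the `@@ -11968,6 +11966,11 @@` and `@@ -12375,6 +12372,11 @@` hunks. The function body starts and ends outside this hunk.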
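Review bot: The new `if (!(alias = strdup(disk->info.alias))) goto cleanup;` in the `@@ -8629,13 +8628,16 @@` hunk fails silently: `ret` is still -1 but no libvirt error is raised, so the caller sees a failure with no message. Calling `virReportOOMError();` before the `goto` would fix that; the macro is visible in the virterror_internal.h context of this same patch. Separately, `strdup()` on a NULL pointer is undefined behaviour, and unlike the block-stats hunk above, nothing visible here checks `disk->info.alias` first. Unless such a check exists outside the hunk, add `if (!disk->info.alias)` with an error report, as the block-stats path does, before the copy. The enclosing function starts and ends outside this hunk.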
disk = vm->def->disks[idx];
++
+ qemuDomainObjEnterMonitorWithDriver(driver, vm);
+ /* XXX - libvirt should really be tracking the backing file chain
+ * itself, and validating that base is on the chain, rather than
+@@ -12362,12 +12365,6 @@
+ goto cleanup;
+ }
+
+- device = qemuDiskPathToAlias(vm, disk, NULL);
+-
+- if (!device) {
+- goto cleanup;
+- }
+-
+ if (qemuDomainObjBeginJobWithDriver(driver, vm, QEMU_JOB_MODIFY) < 0)
+ goto cleanup;
+
+@@ -12375,6 +12372,11 @@
+ &persistentDef) < 0)
+ goto endjob;
+
++ device = qemuDiskPathToAlias(vm, disk, NULL);
++ if (!device) {
++ goto endjob;
++ }
++
+ if (flags & VIR_DOMAIN_AFFECT_LIVE) {
+ priv = vm->privateData;
+ qemuDomainObjEnterMonitorWithDriver(driver, vm);
+Index: libvirt-0.9.13/cfg.mk
+===================================================================
+--- libvirt-0.9.13.orig/cfg.mk 2014-01-20 15:55:59.147327347 -0500
++++ libvirt-0.9.13/cfg.mk 2014-01-20 15:55:59.143327347 -0500
+@@ -560,6 +560,7 @@
+ msg_gen_function += virNodeDeviceReportError
+ msg_gen_function += virNWFilterReportError
+ msg_gen_function += virRaiseError
++msg_gen_function += virReportError
+ msg_gen_function += virReportErrorHelper
+ msg_gen_function += virReportSystemError
+ msg_gen_function += virSecretReportError
+Index: libvirt-0.9.13/src/util/virterror_internal.h
+===================================================================
+--- libvirt-0.9.13.orig/src/util/virterror_internal.h 2014-01-20 15:55:59.147327347 -0500
++++ libvirt-0.9.13/src/util/virterror_internal.h 2014-01-20 15:55:59.143327347 -0500
+@@ -153,6 +153,9 @@
+ # define virReportOOMError() \
+ virReportOOMErrorFull(VIR_FROM_THIS, __FILE__, __FUNCTION__, __LINE__)
+
++# define virReportError(code, ...) 
\
++ virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
++ __FUNCTION__, __LINE__, __VA_ARGS__)
+
+ int virSetError(virErrorPtr newerr);
+ void virDispatchError(virConnectPtr conn);
diff -Nru libvirt-0.9.13/debian/patches/CVE-2014-1447.patch libvirt-0.9.13/debian/patches/CVE-2014-1447.patch
--- libvirt-0.9.13/debian/patches/CVE-2014-1447.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-0.9.13/debian/patches/CVE-2014-1447.patch 2014-01-20 20:07:30.000000000 +0000
@@ -0,0 +1,34 @@
+Description: fix denial of service via keepalive feature
+Origin: backport, http://libvirt.org/git/?p=libvirt.git;a=commit;h=173c2914734eb5c32df6d35a82bf503e12261bcf
+Origin: backport, http://libvirt.org/git/?p=libvirt.git;a=commit;h=066c8ef6c18bc1faf8b3e10787b39796a7a06cc0
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=735676
+Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1047577
+
+Index: libvirt-0.9.13/src/rpc/virnetserverclient.c
+===================================================================
+--- libvirt-0.9.13.orig/src/rpc/virnetserverclient.c 2014-01-20 15:02:59.783376606 -0500
++++ libvirt-0.9.13/src/rpc/virnetserverclient.c 2014-01-20 15:04:17.943375395 -0500
+@@ -1219,9 +1219,22 @@
+ int
+ virNetServerClientStartKeepAlive(virNetServerClientPtr client)
+ {
+- int ret;
++ int ret = -1;
++
+ virNetServerClientLock(client);
++
++ /* The connection might have been closed before we got here and thus the
++ * keepalive object could have been removed too.
++ */
++ if (!client->keepalive) {
++ virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("connection not open"));
++ goto cleanup;
++ }
++
+ ret = virKeepAliveStart(client->keepalive, 0, 0);
++
++cleanup:
+ virNetServerClientUnlock(client);
+ return ret;
+ }
diff -Nru libvirt-0.9.13/debian/patches/series libvirt-0.9.13/debian/patches/series
--- libvirt-0.9.13/debian/patches/series 2013-09-14 00:54:24.000000000 +0000
+++ libvirt-0.9.13/debian/patches/series 2014-01-20 20:02:55.000000000 +0000
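Review bot: `virReportError()` in the new `if (!client->keepalive)` branch exists in this package only through the macro that CVE-2013-6458.patch backports into src/util/virterror_internal.h, so CVE-2014-1447.patch builds only when applied after that one. debian/patches/series does list them in that order, but the patch header does not record the dependency. Adding a sentence to the `Description:` field, for example `Requires CVE-2013-6458.patch for the backported virReportError macro.`, would keep a future reorder or cherry-pick from breaking the build. The macro also expands `VIR_FROM_THIS`, which is presumably defined in virnetserverclient.c but is not visible in this hunk.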
@@ -35,3 +35,5 @@
 CVE-2013-0170.patch
 CVE-2013-4311.patch
 CVE-2013-4296.patch
+CVE-2013-6458.patch
+CVE-2014-1447.patch