diff -Nru libvirt-1.2.2/debian/apparmor/libvirt-qemu libvirt-1.2.2/debian/apparmor/libvirt-qemu --- libvirt-1.2.2/debian/apparmor/libvirt-qemu 2015-08-27 17:50:45.000000000 +0000 +++ libvirt-1.2.2/debian/apparmor/libvirt-qemu 2015-01-07 16:40:45.000000000 +0000 @@ -159,8 +159,3 @@ # workaround LP: #1403648 by allowing read access to the directory. This will be removed in future releases /tmp/ r, /var/tmp/ r, - - # allow serial console backed by pts chardev (LP: #1342083) - /usr/lib/pt_chown ix, - owner @{PROC}/0-9*/fd/ r, - diff -Nru libvirt-1.2.2/debian/changelog libvirt-1.2.2/debian/changelog --- libvirt-1.2.2/debian/changelog 2015-08-27 19:06:13.000000000 +0000 +++ libvirt-1.2.2/debian/changelog 2016-02-04 15:58:31.000000000 +0000 @@ -1,15 +1,29 @@ -libvirt (1.2.2-0ubuntu13.1.15) trusty; urgency=medium +libvirt (1.2.2-0ubuntu13.1.17) trusty; urgency=medium - * 9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch: Allow - libvirt domains to start when using qemu guest agent. (LP: #1393842) - * create /var/lib/libvirt/qemu/channel/target (LP: #1393842) - - libvirt-bin.dirs: add /var/lib/libvirt/qemu/channel/target - - libvirt-bin.postinst: chown target directory to libvirt-qemu:kvm so - qemu can create the unix sockets. - * debian/apparmor/libvirt-qemu: - allow serial console backed by pts chardev (LP: #1342083) + * d/p/fix-util-don-t-fail-if-no-portdata-is-found.patch: + make ovs-vsctl not raise error if there's no portData available. + (LP: #1540537). - -- Serge Hallyn Thu, 27 Aug 2015 14:05:46 -0500 + -- Jorge Niedbalski Thu, 04 Feb 2016 16:58:31 +0100 + +libvirt (1.2.2-0ubuntu13.1.16) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via incorrect ACL check handling + - debian/patches/CVE-2014-8136.patch: properly unlock vm on failed ACL + check in src/qemu/qemu_driver.c. + - CVE-2014-8136 + * SECURITY UPDATE: VNC password leak via snapshots and save images + - debian/patches/CVE-2015-0236.patch: check ACLs when dumping security + info in src/qemu/qemu_driver.c, src/remote/remote_protocol.x. + - CVE-2015-0236 + * SECURITY UPDATE: ACL bypass using storage pool directory traversal + - debian/patches/CVE-2015-5313.patch: filter filesystem volume names in + src/storage/storage_backend_fs.c. + - CVE-2015-5313 + * This package does _not_ contain the changes from 1.2.2-0ubuntu13.1.15 + in trusty-proposed. + + -- Marc Deslauriers Fri, 08 Jan 2016 10:03:14 -0500 libvirt (1.2.2-0ubuntu13.1.14) trusty; urgency=medium diff -Nru libvirt-1.2.2/debian/libvirt-bin.dirs libvirt-1.2.2/debian/libvirt-bin.dirs --- libvirt-1.2.2/debian/libvirt-bin.dirs 2015-08-27 17:25:47.000000000 +0000 +++ libvirt-1.2.2/debian/libvirt-bin.dirs 2014-03-24 18:32:46.000000000 +0000 @@ -9,7 +9,6 @@ /var/lib/libvirt/images /var/lib/libvirt/qemu /var/lib/libvirt/sanlock -/var/lib/libvirt/qemu/channel/target /var/cache/libvirt /var/cache/libvirt/qemu /var/log/libvirt/qemu diff -Nru libvirt-1.2.2/debian/libvirt-bin.postinst libvirt-1.2.2/debian/libvirt-bin.postinst --- libvirt-1.2.2/debian/libvirt-bin.postinst 2015-08-27 17:29:09.000000000 +0000 +++ libvirt-1.2.2/debian/libvirt-bin.postinst 2014-09-30 18:53:53.000000000 +0000 @@ -192,7 +192,6 @@ update-rc.d -f libvirt-bin remove >/dev/null fi fi - chown libvirt-qemu:kvm /var/lib/libvirt/qemu/channel/target for p in usr.sbin.libvirtd usr.lib.libvirt.virt-aa-helper ; do profile="/etc/apparmor.d/$p" diff -Nru libvirt-1.2.2/debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch libvirt-1.2.2/debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch --- libvirt-1.2.2/debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch 2015-08-27 17:24:34.000000000 +0000 +++ libvirt-1.2.2/debian/patches/9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,27 +0,0 @@ -From f02696388ec31bb17fc8a3c96d8d79efd15b39af Mon Sep 17 00:00:00 2001 -From: Serge Hallyn -Date: Mon, 6 Apr 2015 11:08:31 -0500 -Subject: [PATCH 1/1] virt-aa-helper: add unix channels (esp for - qemu-guest-agent) - -Signed-off-by: Serge Hallyn ---- - src/security/virt-aa-helper.c | 1 + - 1 file changed, 1 insertion(+) - -Index: libvirt-1.2.2/src/security/virt-aa-helper.c -=================================================================== ---- libvirt-1.2.2.orig/src/security/virt-aa-helper.c -+++ libvirt-1.2.2/src/security/virt-aa-helper.c -@@ -978,8 +978,10 @@ get_files(vahControl * ctl) - (ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_PTY || - ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_DEV || - ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_FILE || -+ ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_UNIX || - ctl->def->channels[i]->source.type == VIR_DOMAIN_CHR_TYPE_PIPE) && -- ctl->def->channels[i]->source.data.file.path) -+ ctl->def->channels[i]->source.data.file.path && -+ *ctl->def->channels[i]->source.data.file.path != '\0') - if (vah_add_file_chardev(&buf, - ctl->def->channels[i]->source.data.file.path, - "rw", diff -Nru libvirt-1.2.2/debian/patches/CVE-2014-8136.patch libvirt-1.2.2/debian/patches/CVE-2014-8136.patch --- libvirt-1.2.2/debian/patches/CVE-2014-8136.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2014-8136.patch 2016-01-08 15:01:48.000000000 +0000 @@ -0,0 +1,46 @@ +From f5a151754f2080598049baf5d68282f183a30f5c Mon Sep 17 00:00:00 2001 +From: Peter Krempa +Date: Mon, 8 Dec 2014 19:25:21 +0100 +Subject: [PATCH] qemu: migration: Unlock vm on failed ACL check in protocol v2 APIs + +Avoid leaving the domain locked on a failed ACL check in +qemuDomainMigratePerform() and qemuDomainMigrateFinish2(). + +Introduced in commit abf75aea247e (Add ACL checks into the QEMU driver). + +(cherry picked from commit 2bdcd29c713dfedd813c89f56ae98f6f3898313d) +--- + src/qemu/qemu_driver.c | 8 ++++++-- + 1 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index eb82643..9afec73 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -10622,8 +10622,10 @@ qemuDomainMigratePerform(virDomainPtr dom, + if (!(vm = qemuDomObjFromDomain(dom))) + goto cleanup; + +- if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) ++ if (virDomainMigratePerformEnsureACL(dom->conn, vm->def) < 0) { ++ virObjectUnlock(vm); + goto cleanup; ++ } + + if (flags & VIR_MIGRATE_PEER2PEER) { + dconnuri = uri; +@@ -10670,8 +10672,10 @@ qemuDomainMigrateFinish2(virConnectPtr dconn, + goto cleanup; + } + +- if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) ++ if (virDomainMigrateFinish2EnsureACL(dconn, vm->def) < 0) { ++ virObjectUnlock(vm); + goto cleanup; ++ } + + /* Do not use cookies in v2 protocol, since the cookie + * length was not sufficiently large, causing failures +-- +1.7.1 + diff -Nru libvirt-1.2.2/debian/patches/CVE-2015-0236.patch libvirt-1.2.2/debian/patches/CVE-2015-0236.patch --- libvirt-1.2.2/debian/patches/CVE-2015-0236.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2015-0236.patch 2016-01-08 15:07:23.000000000 +0000 @@ -0,0 +1,47 @@ +Description: fix VNC password leak via snapshots and save images +Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=e99c25ca63c695a63b4c9b91ee956be4fb660772 +Origin: upstream, http://libvirt.org/git/?p=libvirt.git;a=commit;h=8107c1e3694ba4685960ec09868076379718f037 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776065 + +Index: libvirt-1.2.2/src/qemu/qemu_driver.c +=================================================================== +--- libvirt-1.2.2.orig/src/qemu/qemu_driver.c 2016-01-08 10:01:49.859605491 -0500 ++++ libvirt-1.2.2/src/qemu/qemu_driver.c 2016-01-08 10:02:34.080092542 -0500 +@@ -5552,7 +5552,7 @@ + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +@@ -13776,7 +13776,7 @@ + if (!(vm = qemuDomObjFromSnapshot(snapshot))) + goto cleanup; + +- if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def) < 0) ++ if (virDomainSnapshotGetXMLDescEnsureACL(snapshot->domain->conn, vm->def, flags) < 0) + goto cleanup; + + if (!(snap = qemuSnapObjFromSnapshot(vm, snapshot))) +Index: libvirt-1.2.2/src/remote/remote_protocol.x +=================================================================== +--- libvirt-1.2.2.orig/src/remote/remote_protocol.x 2016-01-08 09:40:22.000000000 -0500 ++++ libvirt-1.2.2/src/remote/remote_protocol.x 2016-01-08 10:02:34.080092542 -0500 +@@ -4291,6 +4291,7 @@ + * @generate: both + * @priority: high + * @acl: domain:read ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE + */ + REMOTE_PROC_DOMAIN_SNAPSHOT_GET_XML_DESC = 186, + +@@ -4621,6 +4622,7 @@ + * @generate: both + * @priority: high + * @acl: domain:read ++ * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + diff -Nru libvirt-1.2.2/debian/patches/CVE-2015-5313.patch libvirt-1.2.2/debian/patches/CVE-2015-5313.patch --- libvirt-1.2.2/debian/patches/CVE-2015-5313.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2015-5313.patch 2016-01-08 15:03:04.000000000 +0000 @@ -0,0 +1,74 @@ +From 6542e643024ca4272f14e9052b3786378f6eec62 Mon Sep 17 00:00:00 2001 +From: Eric Blake +Date: Tue, 8 Dec 2015 17:46:31 -0700 +Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume names + +The libvirt file system storage driver determines what file to +act on by concatenating the pool location with the volume name. +If a user is able to pick names like "../../../etc/passwd", then +they can escape the bounds of the pool. For that matter, +virStoragePoolListVolumes() doesn't descend into subdirectories, +so a user really shouldn't use a name with a slash. + +Normally, only privileged users can coerce libvirt into creating +or opening existing files using the virStorageVol APIs; and such +users already have full privilege to create any domain XML (so it +is not an escalation of privilege). But in the case of +fine-grained ACLs, it is feasible that a user can be granted +storage_vol:create but not domain:write, and it violates +assumptions if such a user can abuse libvirt to access files +outside of the storage pool. + +Therefore, prevent all use of volume names that contain "/", +whether or not such a name is actually attempting to escape the +pool. + +This changes things from: + +$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 +Vol ../../../../../../etc/haha created +$ rm /etc/haha + +to: + +$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 +error: Failed to create vol ../../../../../../etc/haha +error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/' + +Signed-off-by: Eric Blake +(cherry picked from commit 034e47c338b13a95cf02106a3af912c1c5f818d7) +--- + src/storage/storage_backend_fs.c | 10 +++++++++- + 1 files changed, 9 insertions(+), 1 deletions(-) + +diff --git a/src/storage/storage_backend_fs.c b/src/storage/storage_backend_fs.c +index 4d69f74..8b5e70b 100644 +--- a/src/storage/storage_backend_fs.c ++++ b/src/storage/storage_backend_fs.c +@@ -1,7 +1,7 @@ + /* + * storage_backend_fs.c: storage backend for FS and directory handling + * +- * Copyright (C) 2007-2014 Red Hat, Inc. ++ * Copyright (C) 2007-2015 Red Hat, Inc. + * Copyright (C) 2007-2008 Daniel P. Berrange + * + * This library is free software; you can redistribute it and/or +@@ -1001,6 +1001,14 @@ virStorageBackendFileSystemVolCreate(virConnectPtr conn ATTRIBUTE_UNUSED, + + vol->type = VIR_STORAGE_VOL_FILE; + ++ /* Volumes within a directory pools are not recursive; do not ++ * allow escape to ../ or a subdir */ ++ if (strchr(vol->name, '/')) { ++ virReportError(VIR_ERR_OPERATION_INVALID, ++ _("volume name '%s' cannot contain '/'"), vol->name); ++ return -1; ++ } ++ + VIR_FREE(vol->target.path); + if (virAsprintf(&vol->target.path, "%s/%s", + pool->def->target.path, +-- +1.7.1 + diff -Nru libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch --- libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/fix-util-don-t-fail-if-no-portdata-is-found.patch 2016-02-04 15:58:30.000000000 +0000 @@ -0,0 +1,88 @@ +|From 25df57db73adc3e610193ee1fcdd202c47ba471d Mon Sep 17 00:00:00 2001 +|From: zhang bo +|Date: Thu, 5 Mar 2015 10:01:50 +0800 +|Subject: [PATCH] util: don't fail if no PortData is found while getting +| migrateData +| +|Introduced by f6a2f97e +| +|Problem Description: +|After multiple times of migrating a domain, which has an ovs interface with no portData set, +|with non-shared disk, nbd ports got overflowed. +| +|The steps to reproduce the problem: +|1 define and start a domain with its network configured as: +| +| +| +| +| +| +| +|2 do not set the network's portData. +|3 migrate(ToURI2) it with flag 91(1011011), which means: +| VIR_MIGRATE_LIVE +| VIR_MIGRATE_PEER2PEER +| VIR_MIGRATE_PERSIST_DEST +| VIR_MIGRATE_UNDEFINE_SOURCE +| VIR_MIGRATE_NON_SHARED_DISK +|4 migrate success, but we got an error log in libvirtd.log: +| error : virCommandWait:2423 : internal error: Child process (ovs-vsctl --timeout=5 get Interface +| vnet1 external_ids:PortData) unexpected exit status 1: ovs-vsctl: no key "PortData" in Interface +| record "vnet1" column external_ids +|5 migrate it back, migrate it , migrate it back, ....... +|6 nbd port got overflowed. +| +|The reasons for the problem is : +|1 virNetDevOpenvswitchGetMigrateData() takes it as wrong if no portData is available for the ovs +| interface of a domain. (We think it's not appropriate, as portData is just OPTIONAL) +|2 in func qemuMigrationBakeCookie(), it fails in qemuMigrationCookieAddNetwork(), and returns with -1. +| qemuMigrationCookieAddNBD() is not called thereafter, and mig->nbd is still NULL. +|3 However, qemuMigrationRun() just *WARN* if qemuMigrationBakeCookie() fails, migration still successes. +| cookie is NULL, it's not baked on the src side. +|4 On the destination side, it would alloc a port first and then free the nbd port in COOKIE. +| But the cookie is NULL due to qemuMigrationCookieAddNetwork() failure at src side. thus the nbd port +| is not freed. +| +|In this patch, we add "--if-exists" option to make ovs-vsctl not raise error if there's no portData available. +|Further more, because portData may be NULL in the cookie at the dest side, check it before setting portData. +| +|Signed-off-by: Zhou Yimin +|Signed-off-by: Zhang Bo + +--- + +Origin: upstream, https://github.com/libvirt/libvirt/commit/25df57db73adc3e610193ee1fcdd202c47ba471d +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1540537 + +--- libvirt-1.2.2.orig/src/util/virnetdevopenvswitch.c ++++ libvirt-1.2.2/src/util/virnetdevopenvswitch.c +@@ -30,6 +30,7 @@ + #include "virerror.h" + #include "virmacaddr.h" + #include "virstring.h" ++#include "virlog.h" + + #define VIR_FROM_THIS VIR_FROM_NONE + +@@ -208,7 +209,7 @@ int virNetDevOpenvswitchGetMigrateData(c + virCommandPtr cmd = NULL; + int ret = -1; + +- cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "get", "Interface", ++ cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "--if-exists", "get", "Interface", + ifname, "external_ids:PortData", NULL); + + virCommandSetOutputBuffer(cmd, migrate); +@@ -243,6 +244,11 @@ int virNetDevOpenvswitchSetMigrateData(c + virCommandPtr cmd = NULL; + int ret = -1; + ++ if (!migrate) { ++ VIR_DEBUG("No OVS port data for interface %s", ifname); ++ return 0; ++ } ++ + cmd = virCommandNewArgList(OVSVSCTL, "--timeout=5", "set", + "Interface", ifname, NULL); + virCommandAddArgFormat(cmd, "external_ids:PortData=%s", migrate); diff -Nru libvirt-1.2.2/debian/patches/series libvirt-1.2.2/debian/patches/series --- libvirt-1.2.2/debian/patches/series 2015-08-27 17:24:29.000000000 +0000 +++ libvirt-1.2.2/debian/patches/series 2016-02-04 15:58:30.000000000 +0000 @@ -46,4 +46,7 @@ qemu-filterref-crash.patch storage_backend_rbd-correct-arg-order-to-rbd_create3 fix_libvirtd_killed_by_sigsegv.patch -9037-virt-aa-helper-add-unix-channels-esp-for-qemu-guest-.patch +CVE-2014-8136.patch +CVE-2015-0236.patch +CVE-2015-5313.patch +fix-util-don-t-fail-if-no-portdata-is-found.patch