diff -Nru libvirt-1.3.1/debian/changelog libvirt-1.3.1/debian/changelog --- libvirt-1.3.1/debian/changelog 2019-05-14 19:13:18.000000000 +0000 +++ libvirt-1.3.1/debian/changelog 2019-07-02 13:22:43.000000000 +0000 @@ -1,3 +1,19 @@ +libvirt (1.3.1-1ubuntu10.27) xenial-security; urgency=medium + + * SECURITY UPDATE: virDomainSaveImageGetXMLDesc does not check for + read-only connection + - debian/patches/CVE-2019-10161.patch: add check to + src/libvirt-domain.c, src/qemu/qemu_driver.c, + src/remote/remote_protocol.x. + - CVE-2019-10161 + * SECURITY UPDATE: virConnectGetDomainCapabilities does not check for + read-only connection + - debian/patches/CVE-2019-10167.patch: add check to + src/libvirt-domain.c. + - CVE-2019-10167 + + -- Marc Deslauriers Tue, 02 Jul 2019 09:22:37 -0400 + libvirt (1.3.1-1ubuntu10.26) xenial-security; urgency=medium * SECURITY UPDATE: Add support for md-clear functionality diff -Nru libvirt-1.3.1/debian/patches/CVE-2019-10161.patch libvirt-1.3.1/debian/patches/CVE-2019-10161.patch --- libvirt-1.3.1/debian/patches/CVE-2019-10161.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.3.1/debian/patches/CVE-2019-10161.patch 2019-07-02 13:22:28.000000000 +0000 @@ -0,0 +1,96 @@ +From 980109c41c8bb55fd105809f2e063667721feaea Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 08:47:42 +0200 +Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The virDomainSaveImageGetXMLDesc API is taking a path parameter, +which can point to any path on the system. This file will then be +read and parsed by libvirtd running with root privileges. + +Forbid it on read-only connections. + +Fixes: CVE-2019-10161 +Reported-by: Matthias Gerstner +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit aed6a032cead4386472afb24b16196579e239580) +Signed-off-by: Ján Tomko + +Conflicts: + src/libvirt-domain.c + src/remote/remote_protocol.x + +Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE +alias for VIR_DOMAIN_XML_SECURE is not backported. +Just skip the commit since we now disallow the whole API on read-only +connections, regardless of the flag. + +Signed-off-by: Ján Tomko +--- + src/libvirt-domain.c | 11 ++--------- + src/qemu/qemu_driver.c | 2 +- + src/remote/remote_protocol.x | 3 +-- + 3 files changed, 4 insertions(+), 12 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index 9491845..f72cc34 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml, + * previously by virDomainSave() or virDomainSaveFlags(). + * + * No security-sensitive data will be included unless @flags contains +- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only +- * connections. For this API, @flags should not contain either +- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU. ++ * VIR_DOMAIN_XML_SECURE. + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of + * error. The caller must free() the returned value. +@@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file, + + virCheckConnectReturn(conn, NULL); + virCheckNonNullArgGoto(file, error); +- +- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { +- virReportError(VIR_ERR_OPERATION_DENIED, "%s", +- _("virDomainSaveImageGetXMLDesc with secure flag")); +- goto error; +- } ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->domainSaveImageGetXMLDesc) { + char *ret; +diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c +index 33f38c8..5475b6f 100644 +--- a/src/qemu/qemu_driver.c ++++ b/src/qemu/qemu_driver.c +@@ -6882,7 +6882,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path, + if (fd < 0) + goto cleanup; + +- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0) ++ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0) + goto cleanup; + + ret = qemuDomainDefFormatXML(driver, def, flags); +diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x +index 9f131f8..8bb2dc4 100644 +--- a/src/remote/remote_protocol.x ++++ b/src/remote/remote_protocol.x +@@ -4889,8 +4889,7 @@ enum remote_procedure { + /** + * @generate: both + * @priority: high +- * @acl: domain:read +- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE ++ * @acl: domain:write + */ + REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235, + +-- +1.7.1 + diff -Nru libvirt-1.3.1/debian/patches/CVE-2019-10167.patch libvirt-1.3.1/debian/patches/CVE-2019-10167.patch --- libvirt-1.3.1/debian/patches/CVE-2019-10167.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.3.1/debian/patches/CVE-2019-10167.patch 2019-07-02 13:22:32.000000000 +0000 @@ -0,0 +1,35 @@ +From be5d96d547ec54bc35e5eab6472ec900184ae837 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?J=C3=A1n=20Tomko?= +Date: Fri, 14 Jun 2019 09:16:14 +0200 +Subject: [PATCH] api: disallow virConnectGetDomainCapabilities on read-only connections +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +This API can be used to execute arbitrary emulators. +Forbid it on read-only connections. + +Fixes: CVE-2019-10167 +Signed-off-by: Ján Tomko +Reviewed-by: Daniel P. Berrangé +(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26) +Signed-off-by: Ján Tomko +--- + src/libvirt-domain.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c +index f72cc34..79a9045 100644 +--- a/src/libvirt-domain.c ++++ b/src/libvirt-domain.c +@@ -11077,6 +11077,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn, + virResetLastError(); + + virCheckConnectReturn(conn, NULL); ++ virCheckReadOnlyGoto(conn->flags, error); + + if (conn->driver->connectGetDomainCapabilities) { + char *ret; +-- +1.7.1 + diff -Nru libvirt-1.3.1/debian/patches/series libvirt-1.3.1/debian/patches/series --- libvirt-1.3.1/debian/patches/series 2019-05-14 19:12:08.000000000 +0000 +++ libvirt-1.3.1/debian/patches/series 2019-07-02 13:22:32.000000000 +0000 @@ -109,3 +109,5 @@ CVE-2018-3639-2.patch CVE-2019-3840.patch md-clear.patch +CVE-2019-10161.patch +CVE-2019-10167.patch