* [meta-virtualization][hardknott][PATCH 1/2] libvirt: Security fix for CVE-2020-25637
@ 2021-09-16 21:13 Armin Kuster
From: Armin Kuster @ 2021-09-16 21:13 UTC (permalink / raw)
To: meta-virtualization; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://libvirt.org/git/libvirt.git
MR: 105864
Type: Security Fix
Disposition: Backport from https://libvirt.org/git/libvirt.git
ChangeID: 99bb9b4fc1b608e4e9a56b9d2308bfa54d9ba33c
Description:
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=e4116eaa44cb366b59f7fe98f4b88d04c04970ad
* https://libvirt.org/git/?p=libvirt.git;a=commit;h=a63b48c5ecef077bf0f909a85f453a605600cf05
Affects <= 6.3.0
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../libvirt/libvirt/CVE-2020-25637_1.patch | 49 +++++++++
.../libvirt/libvirt/CVE-2020-25637_2.patch | 102 ++++++++++++++++++
.../libvirt/libvirt/CVE-2020-25637_3.patch | 36 +++++++
.../libvirt/libvirt/CVE-2020-25637_4.patch | 80 ++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 4 +
5 files changed, 271 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
new file mode 100644
index 0000000..362d3d1
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_1.patch
@@ -0,0 +1,49 @@
+From 955029bd0ad7ef96000f529ac38204a8f4a96401 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:44:56 +0200
+Subject: [PATCH] rpc: gendispatch: handle empty flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Prepare for omission of the <flagname> in remote_protocol.x
+@acl annotations:
+ @acl: <object>:<permission>:<flagname>
+so that we can add more fields after, e.g.:
+ @acl: <object>:<permission>::<field>
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/rpc/gendispatch.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
++++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2113,7 +2113,7 @@ elsif ($mode eq "client") {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+ }
+- if (defined $acl[$i]->{flags}) {
++ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
+ }
+@@ -2201,7 +2201,7 @@ elsif ($mode eq "client") {
+ my $method = "virAccessManagerCheck" . $object;
+ my $space = ' ' x length($method);
+ print " if (";
+- if (defined $acl->{flags}) {
++ if (defined $acl->{flags} && length $acl->{flags}) {
+ my $flags = $acl->{flags};
+ if ($flags =~ /^\!/) {
+ $flags = substr $flags, 1;
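Review bot: the status tag in this patch header is spelled "Upsteam-Status: Backport", so anything that matches on the usual "Upstream-Status" tag will treat the file as having no status at all. The same spelling is repeated in CVE-2020-25637_2.patch, _3.patch and _4.patch, while CVE-2021-3631.patch in this series has it right; please correct all four. On the code itself, "defined $acl->{flags} && length $acl->{flags}" is needed in both places as done here, because an "@acl: <object>:<permission>::<field>" line splits into an empty but defined flags field.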
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
new file mode 100644
index 0000000..58eae3e
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_2.patch
@@ -0,0 +1,102 @@
+From 50864dcda191eb35732dbd80fb6ca251a6bba923 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 16:09:25 +0200
+Subject: [PATCH] rpc: add support for filtering @acls by uint params
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Add a new field to @acl annotations for filtering by
+unsigned int parameters.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/remote/remote_protocol.x | 3 +++
+ src/rpc/gendispatch.pl | 21 ++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
++++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -3805,6 +3805,7 @@ enum remote_procedure {
+ *
+ * - @acl: <object>:<permission>
+ * - @acl: <object>:<permission>:<flagname>
++ * - @acl: <object>:<permission>::<param>:<value>
+ *
+ * Declare the access control requirements for the API. May be repeated
+ * multiple times, if multiple rules are required.
+@@ -3814,6 +3815,8 @@ enum remote_procedure {
+ * <permission> is one of the permissions in access/viraccessperm.h
+ * <flagname> indicates the rule only applies if the named flag
+ * is set in the API call
++ * <param> and <value> can be used to check an unsigned int parameter
++ * against value
+ *
+ * - @aclfilter: <object>:<permission>
+ *
+Index: libvirt-6.1.0/src/rpc/gendispatch.pl
+===================================================================
+--- libvirt-6.1.0.orig/src/rpc/gendispatch.pl
++++ libvirt-6.1.0/src/rpc/gendispatch.pl
+@@ -2105,10 +2105,12 @@ elsif ($mode eq "client") {
+ my @acl;
+ foreach (@{$acl}) {
+ my @bits = split /:/;
+- push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2] }
++ push @acl, { object => $bits[0], perm => $bits[1], flags => $bits[2],
++ param => $bits[3], value => $bits[4] }
+ }
+
+ my $checkflags = 0;
++ my $paramtocheck = undef;
+ for (my $i = 1 ; $i <= $#acl ; $i++) {
+ if ($acl[$i]->{object} ne $acl[0]->{object}) {
+ die "acl for '$call->{ProcName}' cannot check different objects";
+@@ -2116,6 +2118,9 @@ elsif ($mode eq "client") {
+ if (defined $acl[$i]->{flags} && length $acl[$i]->{flags}) {
+ $checkflags = 1;
+ }
++ if (defined $acl[$i]->{param}) {
++ $paramtocheck = $acl[$i]->{param};
++ }
+ }
+
+ my $apiname = $prefix . $call->{ProcName};
+@@ -2151,6 +2156,9 @@ elsif ($mode eq "client") {
+ if ($checkflags) {
+ push @argdecls, "unsigned int flags";
+ }
++ if (defined $paramtocheck) {
++ push @argdecls, "unsigned int " . $paramtocheck;
++ }
+
+ my $ret;
+ my $pass;
+@@ -2211,6 +2219,17 @@ elsif ($mode eq "client") {
+ }
+ print " ";
+ }
++ if (defined $acl->{param}) {
++ my $param = $acl->{param};
++ my $value = $acl->{value};
++ if ($value =~ /^\!/) {
++ $value = substr $value, 1;
++ print "($param != ($value)) &&\n";
++ } else {
++ print "($param == ($value)) &&\n";
++ }
++ print " ";
++ }
+ print "(rv = $method(" . join(", ", @argvars, $perm) . ")) <= 0) {\n";
+ print " virObjectUnref(mgr);\n";
+ if ($action eq "Ensure") {
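Review bot: in the new "if (defined $acl->{param})" block, "$value =~ /^\!/" runs without checking that $value is defined, so an annotation that supplies <param> but no <value> would produce a Perl warning and a generated condition of the form "(param == ()) &&" instead of a clear failure from the generator. A "die" when param is set and value is missing would match the existing "cannot check different objects" check. Two smaller points on the scan loop: it starts at "$i = 1", so a param on the first @acl entry never sets $paramtocheck, and it keeps only the last param name seen, so two rules naming different params would declare just one "unsigned int" argument. Since this is a backport, these are better raised upstream than changed here.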
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
new file mode 100644
index 0000000..5a3ba80
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_3.patch
@@ -0,0 +1,36 @@
+From a63b48c5ecef077bf0f909a85f453a605600cf05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:56:37 +0200
+Subject: [PATCH] qemu: agent: set ifname to NULL after freeing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Fixes: 0977b8aa071de550e1a013d35e2c72615e65d520
+Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637 dep#3
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/qemu/qemu_agent.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: libvirt-6.1.0/src/qemu/qemu_agent.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_agent.c
++++ libvirt-6.1.0/src/qemu/qemu_agent.c
+@@ -2186,6 +2186,7 @@ qemuAgentGetInterfaces(qemuAgentPtr mon,
+
+ /* Has to be freed for each interface. */
+ virStringListFree(ifname);
++ ifname = NULL;
+
+ /* as well as IP address which - moreover -
+ * can be presented multiple times */
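Review bot: the tag "CVE: CVE-2020-25637 dep#3" files this patch as a dependency, but its header carries Reported-by and Fixes lines, and the change itself clears a pointer that is left dangling after "virStringListFree(ifname);". That makes it part of the fix rather than groundwork for it, so a plain "CVE: CVE-2020-25637" tag as used in _4 would be more accurate. The header also has no body text; one sentence on what the stale ifname pointer led to would help whoever audits this recipe later. Note too that the cover mail lists commit e4116eaa before a63b48c5, while the files number a63b48c5 as _3 and e4116eaa as _4.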
diff --git a/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
new file mode 100644
index 0000000..9b802ca
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2020-25637_4.patch
@@ -0,0 +1,80 @@
+From e4116eaa44cb366b59f7fe98f4b88d04c04970ad Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 18 Sep 2020 17:54:14 +0200
+Subject: [PATCH] rpc: require write acl for guest agent in
+ virDomainInterfaceAddresses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2020-25637
+
+Add a requirement for domain:write if source is set to
+VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Upsteam-Status: Backport
+CVE: CVE-2020-25637
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libxl/libxl_driver.c | 2 +-
+ src/lxc/lxc_driver.c | 2 +-
+ src/qemu/qemu_driver.c | 2 +-
+ src/remote/remote_protocol.x | 1 +
+ 4 files changed, 4 insertions(+), 3 deletions(-)
+
+Index: libvirt-6.1.0/src/libxl/libxl_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/libxl/libxl_driver.c
++++ libvirt-6.1.0/src/libxl/libxl_driver.c
+@@ -6331,7 +6331,7 @@ libxlDomainInterfaceAddresses(virDomainP
+ if (!(vm = libxlDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/lxc/lxc_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/lxc/lxc_driver.c
++++ libvirt-6.1.0/src/lxc/lxc_driver.c
+@@ -1698,7 +1698,7 @@ lxcDomainInterfaceAddresses(virDomainPtr
+ if (!(vm = lxcDomObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-6.1.0.orig/src/qemu/qemu_driver.c
++++ libvirt-6.1.0/src/qemu/qemu_driver.c
+@@ -21846,7 +21846,7 @@ qemuDomainInterfaceAddresses(virDomainPt
+ if (!(vm = qemuDomainObjFromDomain(dom)))
+ goto cleanup;
+
+- if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def) < 0)
++ if (virDomainInterfaceAddressesEnsureACL(dom->conn, vm->def, source) < 0)
+ goto cleanup;
+
+ if (virDomainObjCheckActive(vm) < 0)
+Index: libvirt-6.1.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-6.1.0.orig/src/remote/remote_protocol.x
++++ libvirt-6.1.0/src/remote/remote_protocol.x
+@@ -6211,6 +6211,7 @@ enum remote_procedure {
+ /**
+ * @generate: none
+ * @acl: domain:read
++ * @acl: domain:write::source:VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT
+ */
+ REMOTE_PROC_DOMAIN_INTERFACE_ADDRESSES = 353,
+
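Review bot: every "Index: libvirt-6.1.0/..." header in this file names a 6.1.0 tree, while the recipe being patched is libvirt_6.3.0.bb. With hunks as deep as "@@ -21846,7 +21846,7 @@" in qemu_driver.c, please confirm the series applies to 6.3.0 without fuzz or offsets and refresh it against the 6.3.0 source if it does not. On the change itself, the added third argument to virDomainInterfaceAddressesEnsureACL only exists once the new "@acl: domain:write::source:..." line has been processed by the generator changes in _1 and _2, so this patch cannot be applied or reverted on its own; the header should say so.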
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index eeb1bf8..fc2b63d 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -40,6 +40,10 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://0001-build-drop-unnecessary-libgnu.la-reference.patch \
file://hook_support.py \
file://gnutls-helper.py \
+ file://CVE-2020-25637_1.patch \
+ file://CVE-2020-25637_2.patch \
+ file://CVE-2020-25637_3.patch \
+ file://CVE-2020-25637_4.patch \
"
SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
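Review bot: the order of the four new SRC_URI entries is load-bearing and nothing here records it. CVE-2020-25637_4.patch adds an @acl line in the "::<param>:<value>" form that gendispatch.pl only understands after _1 and _2 are applied, so a later reshuffle or a partial drop of these entries would break the build or, worse, the generated ACL check. A short comment above the block, or a note in the commit message, stating that _1 and _2 are prerequisites of _4 would prevent that.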
--
2.25.1
* [meta-virtualization][hardknott][PATCH 2/2] libvirt: Security fix for CVE-2021-3631
From: Armin Kuster @ 2021-09-16 21:13 UTC (permalink / raw)
To: meta-virtualization; +Cc: Armin Kuster
From: Armin Kuster <akuster@mvista.com>
Source: https://libvirt.org/git/libvirt.git
MR: 112956
Type: Security Fix
Disposition: Backport from https://gitlab.com/libvirt/libvirt/-/commit/15073504dbb624d3f6c911e85557019d3620fdb2
ChangeID: 314727e329e5b1351326737eb9c9232f465db184
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
.../libvirt/libvirt/CVE-2021-3631.patch | 56 +++++++++++++++++++
recipes-extended/libvirt/libvirt_6.3.0.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
diff --git a/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
new file mode 100644
index 0000000..c1fa8c2
--- /dev/null
+++ b/recipes-extended/libvirt/libvirt/CVE-2021-3631.patch
@@ -0,0 +1,56 @@
+From 15073504dbb624d3f6c911e85557019d3620fdb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Mon, 28 Jun 2021 13:09:04 +0100
+Subject: [PATCH] security: fix SELinux label generation logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A process can access a file if the set of MCS categories
+for the file is equal-to *or* a subset-of, the set of
+MCS categories for the process.
+
+If there are two VMs:
+
+ a) svirt_t:s0:c117
+ b) svirt_t:s0:c117,c720
+
+Then VM (b) is able to access files labelled for VM (a).
+
+IOW, we must discard case where the categories are equal
+because that is a subset of many other valid category pairs.
+
+Fixes: https://gitlab.com/libvirt/libvirt/-/issues/153
+CVE-2021-3631
+Reviewed-by: Peter Krempa <pkrempa@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2021-3631
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/security/security_selinux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+Index: libvirt-6.1.0/src/security/security_selinux.c
+===================================================================
+--- libvirt-6.1.0.orig/src/security/security_selinux.c
++++ libvirt-6.1.0/src/security/security_selinux.c
+@@ -391,7 +391,15 @@ virSecuritySELinuxMCSFind(virSecurityMan
+ VIR_DEBUG("Try cat %s:c%d,c%d", sens, c1 + catMin, c2 + catMin);
+
+ if (c1 == c2) {
+- mcs = g_strdup_printf("%s:c%d", sens, catMin + c1);
++ /*
++ * A process can access a file if the set of MCS categories
++ * for the file is equal-to *or* a subset-of, the set of
++ * MCS categories for the process.
++ *
++ * IOW, we must discard case where the categories are equal
++ * because that is a subset of other category pairs.
++ */
++ continue;
+ } else {
+ if (c1 > c2) {
+ int t = c1;
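Review bot: the "continue;" in the "if (c1 == c2)" branch depends on the enclosing loop choosing a fresh c1 and c2 on each pass, and that loop is not visible in this hunk. As the Index lines again name libvirt-6.1.0 rather than the 6.3.0 tree the recipe builds, please confirm the surrounding loop in 6.3.0 matches what upstream commit 15073504 was written against. Two minor points: the VIR_DEBUG line just above still logs "Try cat %s:c%d,c%d" for pairs that are then discarded, and the cover mail's "Description:" field is empty where patch 1/2 gave upstream links and an "Affects" line.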
diff --git a/recipes-extended/libvirt/libvirt_6.3.0.bb b/recipes-extended/libvirt/libvirt_6.3.0.bb
index fc2b63d..33bac76 100644
--- a/recipes-extended/libvirt/libvirt_6.3.0.bb
+++ b/recipes-extended/libvirt/libvirt_6.3.0.bb
@@ -44,6 +44,7 @@ SRC_URI = "http://libvirt.org/sources/libvirt-${PV}.tar.xz;name=libvirt \
file://CVE-2020-25637_2.patch \
file://CVE-2020-25637_3.patch \
file://CVE-2020-25637_4.patch \
+ file://CVE-2021-3631.patch \
"
SRC_URI[libvirt.md5sum] = "1bd4435f77924f5ec9928b538daf4a02"
--
2.25.1