[libvirt/f13/master] Fix for CVE-2011-1146, missing checks on read-only connections

Daniel Veillard veillard at fedoraproject.org
Tue Mar 15 01:26:14 UTC 2011


commit 00d22f3bca67acb78a6deb121e5d4643977d95a8
Author: Daniel Veillard <veillard at redhat.com>
Date:   Tue Mar 15 09:25:30 2011 +0800

    Fix for CVE-2011-1146, missing checks on read-only connections

 libvirt-0.8.2-read-only-checks.patch |   95 ++++++++++++++++++++++++++++++++++
 libvirt.spec                         |    8 +++-
 2 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/libvirt-0.8.2-read-only-checks.patch b/libvirt-0.8.2-read-only-checks.patch
new file mode 100644
index 0000000..76cce55
--- /dev/null
+++ b/libvirt-0.8.2-read-only-checks.patch
@@ -0,0 +1,95 @@
+From: Guido Günther <agx at sigxcpu.org>
+Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
+Subject: Add missing checks for read only connections
+X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
+
+Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+  - virConnectDomainXMLToNative
+  - virNodeDeviceDettach
+  - virNodeDeviceReAttach
+  - virNodeDeviceReset
+  - virDomainRevertToSnapshot
+  - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+                 connections
+
+Rebased to 0.8.2, mostly changed the call of the error routines
+---
+
+--- src/libvirt.c.orig	2011-03-14 17:03:45.000000000 +0800
++++ src/libvirt.c	2011-03-14 17:10:41.000000000 +0800
+@@ -3190,6 +3190,10 @@ char *virConnectDomainXMLToNative(virCon
+         virDispatchError(NULL);
+         return (NULL);
+     }
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(NULL, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (nativeFormat == NULL || domainXml == NULL) {
+         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9432,6 +9436,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceDettach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9475,6 +9484,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReAttach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9520,6 +9534,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReset) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12775,6 +12794,10 @@ virDomainRevertToSnapshot(virDomainSnaps
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainRevertToSnapshot) {
+         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -12821,6 +12844,10 @@ virDomainSnapshotDelete(virDomainSnapsho
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainSnapshotDelete) {
+         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);
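Review bot: In the virConnectDomainXMLToNative hunk of the embedded patch, the new read-only check reports through `virLibDomainError(NULL, VIR_ERR_OPERATION_DENIED, __FUNCTION__)`, while the other five added checks and the invalid-argument path a few lines below it use `virLibConnError` with the connection. Passing NULL presumably leaves the denial unattached to the connection, so a caller that inspects the connection's last error may not see why the call was refused; `virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);` would match the rest. All six checks jump to an `error` label that lies outside the hunks, so it is worth confirming on the rebased 0.8.2 tree that each function has that label and that it dispatches the error and returns the failure value.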
diff --git a/libvirt.spec b/libvirt.spec
index 0463c3f..ceec7cc 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -185,7 +185,7 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.8.2
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
@@ -203,6 +203,8 @@ Patch10: libvirt-0.8.2-10-qemu-img-format-handling.patch
 Patch11: libvirt-0.8.2-11-storage-vol-backing.patch
 # CVE-2010-2242
 Patch12: libvirt-0.8.2-apply-iptables-sport-mapping.patch
+# CVE-2011-1146
+Patch13: libvirt-0.8.2-read-only-checks.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
 BuildRequires: python-devel
@@ -450,6 +452,7 @@ of recent versions of Linux (and other OSes).
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p0
 
 %build
 %if ! %{with_xen}
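Review bot: `%patch13 -p0` is the only visible patch application that uses a strip level other than `-p1`, and nothing in the spec says why. It follows from the embedded patch carrying `src/libvirt.c.orig` and `src/libvirt.c` paths with no leading directory component. A comment above the line, such as `# rebased by hand against 0.8.2; paths carry no a/ b/ prefix, hence -p0`, would keep a later maintainer from normalising it to `-p1` and breaking the application of the CVE fix. The %prep section starts outside this hunk.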
@@ -937,6 +940,9 @@ fi
 %endif
 
 %changelog
+* Tue Mar 15 2011 Daniel Veillard <veillard at redhat.com> - 0.8.2-2
+- Fix for CVE-2011-1146, missing checks on read-only connections bug 683655
+
 * Thu Jun 17 2010 Cole Robinson <crobinso at redhat.com> - 0.7.7-5.fc13
 - Add qemu.conf options for audio workaround
 - Fix parsing certain USB sysfs files (bz 598272)

