commit d4e5211296a00a0cff32e1a1daaa025002add736 Author: Cole Robinson crobinso@redhat.com Date: Sun Dec 16 14:45:50 2012 -0500
Fix conflict with NM launched dnsmasq (bz #886663)
...event-dnsmasq-from-listening-on-localhost.patch | 182 ++++++++++++++++++++ libvirt.spec | 8 +- 2 files changed, 189 insertions(+), 1 deletions(-) --- diff --git a/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch new file mode 100644 index 0000000..ffc9d63 --- /dev/null +++ b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch 
@@ -0,0 +1,182 @@ +From 9eb2b573253626c8c9329140d4ce2043863e417b Mon Sep 17 00:00:00 2001 +Message-Id: 9eb2b573253626c8c9329140d4ce2043863e417b.1355686333.git.crobinso@redhat.com +From: Laine Stump laine@laine.org +Date: Thu, 13 Dec 2012 01:46:40 -0500 +Subject: [PATCH] network: prevent dnsmasq from listening on localhost + +This patch resolves the problem reported in: + + https://bugzilla.redhat.com/show_bug.cgi?id=886663 + +The source of the problem was the fix for CVE 2011-3411: + + https://bugzilla.redhat.com/show_bug.cgi?id=833033 + +which was originally committed upstream in commit +753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly +removed the "--except-interface lo" from dnsmasq commandlines when +--bind-dynamic was used (based on comments in the latter bug). + +It turns out that the problem reported in the CVE could be eliminated +without removing "--except-interface lo", and removing it actually +caused each instance of dnsmasq to listen on localhost on port 53, +which created a new problem: + +If another instance of dnsmasq using "bind-interfaces" (instead of +"bind-dynamic") had already been started (or if another instance +started later used "bind-dynamic"), this wouldn't have any immediately +visible ill effects, but if you tried to start another dnsmasq +instance using "bind-interfaces" *after* starting any libvirt +networks, the new dnsmasq would fail to start, because there was +already another process listening on port 53. + +This patch changes the network driver to *always* add +"except-interface=lo" to dnsmasq conf files, regardless of whether we use +bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances +are listening on localhost (and the CVE is still fixed). + +The actual code change is miniscule, but must be propogated through all +of the test files as well. 
+ +(This is *not* a cherry-pick of the upstream commit that fixes the bug +(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent +to the CVE fix, another patch changed the network driver to put +dnsmasq options in a conf file rather than directly on the dnsmasq +commandline preserving the same options), so a cherry-pick is just one +very large conflict.) + +diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c +index 8010797..6053770 100644 +--- a/src/network/bridge_driver.c ++++ b/src/network/bridge_driver.c +@@ -510,6 +510,9 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, + /* *no* conf file */ + virCommandAddArg(cmd, "--conf-file="); + ++ /* dnsmasq will *always* listen on localhost unless told otherwise */ ++ virCommandAddArgList(cmd, "--except-interface", "lo", NULL); ++ + if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) { + /* using --bind-dynamic with only --interface (no + * --listen-address) prevents dnsmasq from responding to dns +@@ -523,10 +526,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network, + "--interface", network->def->bridge, + NULL); + } else { +- virCommandAddArgList(cmd, +- "--bind-interfaces", +- "--except-interface", "lo", +- NULL); ++ virCommandAddArg(cmd, "--bind-interfaces"); + /* + * --interface does not actually work with dnsmasq < 2.47, + * due to DAD for ipv6 addresses on the interface. 
+diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv +index d629192..d91c730 100644 +--- a/tests/networkxml2argvdata/isolated-network.argv ++++ b/tests/networkxml2argvdata/isolated-network.argv +@@ -1,6 +1,6 @@ + @DNSMASQ@ --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-interfaces --except-interface lo \ ++--except-interface lo --bind-interfaces \ + --listen-address 192.168.152.1 \ + --dhcp-option=3 --no-resolv \ + --dhcp-range 192.168.152.2,192.168.152.254 \ +diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv +index e5143ac..431e987 100644 +--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv ++++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv +@@ -1,5 +1,5 @@ + @DNSMASQ@ --strict-order --domain=example.com \ + --local=/example.com/ --domain-needed \ + --conf-file= \ +---bind-dynamic --interface virbr0 \ ++--except-interface lo --bind-dynamic --interface virbr0 \ + --expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\ +diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv +index c38b954..9c26f32 100644 +--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv ++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv +@@ -1,7 +1,7 @@ + @DNSMASQ@ \ + --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-interfaces --except-interface lo \ ++--except-interface lo --bind-interfaces \ + --listen-address 192.168.122.1 \ + --listen-address 192.168.123.1 \ + --listen-address fc00:db8:ac10:fe01::1 \ +diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv +index 311b0d7..ff9c223 100644 +--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv ++++ 
b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv +@@ -1,7 +1,7 @@ + @DNSMASQ@ \ + --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-dynamic --interface virbr0 \ ++--except-interface lo --bind-dynamic --interface virbr0 \ + --srv-host=name.tcp.test-domain-name,.,1024,10,10 \ + --dhcp-range 192.168.122.2,192.168.122.254 \ + --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ +diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv +index cbdf50d..2b133ff 100644 +--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv ++++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv +@@ -1,6 +1,6 @@ + @DNSMASQ@ --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-dynamic --interface virbr0 \ ++--except-interface lo --bind-dynamic --interface virbr0 \ + --txt-record=example,example value \ + --dhcp-range 192.168.122.2,192.168.122.254 \ + --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ +diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv +index 967ca94..1a771d0 100644 +--- a/tests/networkxml2argvdata/nat-network.argv ++++ b/tests/networkxml2argvdata/nat-network.argv +@@ -1,6 +1,6 @@ + @DNSMASQ@ --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-dynamic --interface virbr0 \ ++--except-interface lo --bind-dynamic --interface virbr0 \ + --dhcp-range 192.168.122.2,192.168.122.254 \ + --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \ + --dhcp-lease-max=253 --dhcp-no-override \ +diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv +index bcd6fad..9f8d114 100644 +--- a/tests/networkxml2argvdata/netboot-network.argv ++++ b/tests/networkxml2argvdata/netboot-network.argv +@@ -1,6 +1,6 @@ + @DNSMASQ@ --strict-order --domain=example.com \ + --local=/example.com/ --domain-needed --conf-file= \ 
+---bind-interfaces --except-interface lo --listen-address 192.168.122.1 \ ++--except-interface lo --bind-interfaces --listen-address 192.168.122.1 \ + --dhcp-range 192.168.122.2,192.168.122.254 \ + --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \ + --dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \ +diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv +index 8c5ef9b..90a31e2 100644 +--- a/tests/networkxml2argvdata/netboot-proxy-network.argv ++++ b/tests/networkxml2argvdata/netboot-proxy-network.argv +@@ -1,6 +1,6 @@ + @DNSMASQ@ --strict-order --domain=example.com \ + --local=/example.com/ --domain-needed --conf-file= \ +---bind-interfaces --except-interface lo \ ++--except-interface lo --bind-interfaces \ + --listen-address 192.168.122.1 \ + --dhcp-range 192.168.122.2,192.168.122.254 \ + --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \ +diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv +index eacdf2d..862013e 100644 +--- a/tests/networkxml2argvdata/routed-network.argv ++++ b/tests/networkxml2argvdata/routed-network.argv +@@ -1,3 +1,3 @@ + @DNSMASQ@ --strict-order \ + --local=// --domain-needed --conf-file= \ +---bind-dynamic --interface virbr1\ ++--except-interface lo --bind-dynamic --interface virbr1\ +-- +1.8.0.2 + diff --git a/libvirt.spec b/libvirt.spec index 644c407..4d529fa 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -274,7 +274,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 0.9.11.8 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries
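Review bot: The new comment in networkBuildDnsmasqArgv, `/* dnsmasq will *always* listen on localhost unless told otherwise */`, states the symptom but not why the exclusion is needed in the --bind-dynamic branch where only `--interface <bridge>` is requested, and the embedded commit message already has the answer (without it every libvirt dnsmasq bound port 53 on localhost and collided with other instances), so I would carry it into the code: `/* dnsmasq listens on localhost even when only --interface <bridge> is given; without this exclusion every libvirt instance would bind port 53 on lo and collide with other dnsmasq instances (bz 886663) */`. The embedded commit message also still describes the upstream form of the fix ("*always* add "except-interface=lo" to dnsmasq conf files") while this backport adds `--except-interface lo` to the command line via virCommandAddArgList, and since the closing paragraph says this is deliberately not a cherry-pick, the message should describe the argv form so the patch is not misleading when read on its own. The CVE identifiers on this page also disagree: the patch body cites "CVE 2011-3411" while the libvirt.spec changelog records the same dnsmasq open-proxy fix as CVE-2012-3411, so one is presumably a typo and should be reconciled before this lands. networkBuildDnsmasqArgv starts and continues outside the quoted hunks.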
@@ -297,6 +297,8 @@ Patch4: libvirt-sanlock-readonly-option.patch # Fix LXC domain startup with selinux=disabled (bz 858104) # keep: non upstream fix that doesn't apply to git head Patch5: libvirt-lxc-selinux-context-error.patch +# Fix conflict with NM launched dnsmasq (bz 886663) +Patch6: 0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -769,6 +771,7 @@ of recent versions of Linux (and other OSes). %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1
%build %if ! %{with_xen} @@ -1500,6 +1503,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd %endif
%changelog +* Sun Dec 16 2012 Cole Robinson crobinso@redhat.com - 0.9.11.8-2 +- Fix conflict with NM launched dnsmasq (bz #886663) + * Sun Dec 09 2012 Cole Robinson crobinso@redhat.com - 0.9.11.8-1 - Rebased to version 0.9.11.8 - CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309)