[libvirt/f20] Fix xen hvm VNC port (bz #1094262) CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290) Fix

Cole Robinson crobinso at fedoraproject.org
Mon May 19 22:51:53 UTC 2014


commit 5be4aa5a0b94c6ac77af832fb7c7cf36c013797c
Author: Cole Robinson <crobinso at redhat.com>
Date:   Mon May 19 18:51:52 2014 -0400

    Fix xen hvm VNC port (bz #1094262)
    CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290)
    Fix failure to start xen instances (rackspace in particular) (bz #1098376)

 ...-framebuffer-port-setting-for-HVM-domains.patch |   53 ++++++++++++++++++++
 ...03-Don-t-expand-entities-when-parsing-XML.patch |   37 ++++++++++++++
 ...-for-control_d-string-to-decide-about-dom.patch |   49 ++++++++++++++++++
 libvirt.spec                                       |   23 ++++++++-
 4 files changed, 161 insertions(+), 1 deletions(-)
---
diff --git a/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch b/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch
new file mode 100644
index 0000000..21c1da3
--- /dev/null
+++ b/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch
@@ -0,0 +1,53 @@
+From 811738592be072be6329d320219a288194b5bb3e Mon Sep 17 00:00:00 2001
+From: Jim Fehlig <jfehlig at suse.com>
+Date: Mon, 17 Mar 2014 14:22:44 -0600
+Subject: [PATCH] libxl: fix framebuffer port setting for HVM domains
+
+libxl uses the libxl_vnc_info and libxl_sdl_info fields from the
+hvm union in libxl_domain_build_info struct when generating QEMU
+args for VNC or SDL.  These fields were left unset by the libxl
+driver, causing libxl to ignore any user settings.  E.g. with
+
+  <graphics type='vnc' port='5950'/>
+
+port would be ignored and QEMU would instead be invoked with
+
+  -vnc 127.0.0.1:0,to=99
+
+Unlike the libxl_domain_config struct, the libxl_domain_build_info
+contains only a single libxl_vnc_info and libxl_sdl_info, so
+populate these fields from the first vfb in
+libxl_domain_config->vfbs.
+
+Signed-off-by: Jim Fehlig <jfehlig at suse.com>
+Signed-off-by: David Kiarie <davidkiarie4 at gmail.com>
+(cherry picked from commit b55cc5f4e31b488c4f9c3c8470c992c1f8f5d09c)
+---
+ src/libxl/libxl_conf.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
+index d4226b8..f796804 100644
+--- a/src/libxl/libxl_conf.c
++++ b/src/libxl/libxl_conf.c
+@@ -1003,6 +1003,20 @@ libxlMakeVfbList(libxlDriverPrivatePtr driver,
+     d_config->vkbs = x_vkbs;
+     d_config->num_vfbs = d_config->num_vkbs = nvfbs;
+ 
++    /*
++     * VNC or SDL info must also be set in libxl_domain_build_info
++     * for HVM domains.  Use the first vfb device.
++     */
++    if (STREQ(def->os.type, "hvm")) {
++        libxl_domain_build_info *b_info = &d_config->b_info;
++        libxl_device_vfb vfb = d_config->vfbs[0];
++
++        if (libxl_defbool_val(vfb.vnc.enable))
++            memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info));
++        else if (libxl_defbool_val(vfb.sdl.enable))
++            memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info));
++    }
++
+     return 0;
+ 
+ error:
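Review bot: The two `memcpy` calls in the new HVM block make a shallow copy of `vfb.vnc` / `vfb.sdl` into `b_info->u.hvm`, so any heap-allocated string members (libxl_vnc_info carries `listen` and `passwd` pointers) end up referenced from both `d_config->vfbs[0]` and `d_config->b_info`. If libxl's dispose path for the domain config releases both, that would be a double free inside a privileged daemon. Duplicating the string members after the copy avoids the shared ownership, e.g. `if (VIR_STRDUP(b_info->u.hvm.vnc.listen, vfb.vnc.listen) < 0) goto error;` and likewise for `passwd`. The block also reads `d_config->vfbs[0]` unconditionally, which is safe only if the function has already returned for `nvfbs == 0`. That part of libxlMakeVfbList lies outside the hunk, so please confirm it or add `nvfbs > 0` to the `if`.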
diff --git a/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch b/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
new file mode 100644
index 0000000..c030d3e
--- /dev/null
+++ b/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
@@ -0,0 +1,37 @@
+From 46de45d079ae2622660fe147cf237ee617cc461c Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange at redhat.com>
+Date: Tue, 15 Apr 2014 11:20:29 +0100
+Subject: [PATCH] LSN-2014-0003: Don't expand entities when parsing XML
+
+If the XML_PARSE_NOENT flag is passed to libxml2, then any
+entities in the input document will be fully expanded. This
+allows the user to read arbitrary files on the host machine
+by creating an entity pointing to a local file. Removing
+the XML_PARSE_NOENT flag means that any entities are left
+unchanged by the parser, or expanded to "" by the XPath
+APIs.
+
+Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
+(cherry picked from commit d6b27d3e4c40946efa79e91d134616b41b1666c4)
+---
+ src/util/virxml.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/util/virxml.c b/src/util/virxml.c
+index 5852374..de1e1e0 100644
+--- a/src/util/virxml.c
++++ b/src/util/virxml.c
+@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode,
+ 
+     if (filename) {
+         xml = xmlCtxtReadFile(pctxt, filename, NULL,
+-                              XML_PARSE_NOENT | XML_PARSE_NONET |
++                              XML_PARSE_NONET |
+                               XML_PARSE_NOWARNING);
+     } else {
+         xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL,
+-                             XML_PARSE_NOENT | XML_PARSE_NONET |
++                             XML_PARSE_NONET |
+                              XML_PARSE_NOWARNING);
+     }
+     if (!xml)
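Review bot: Nothing at the two call sites in virXMLParseHelper records why the flag set must stay free of `XML_PARSE_NOENT`, and the name reads as if it disabled entities when it actually turns substitution on, so a later cleanup could easily put it back. I would add a comment above the `xmlCtxtReadFile` call such as `/* No XML_PARSE_NOENT: it makes libxml2 substitute entities, which lets a document pull host files into the parsed tree */`. Per the commit message, entity references now come out empty through the XPath APIs. A test that parses a document declaring an external entity and asserts the resulting value is empty would pin this, and none is part of the patch. The function starts and ends outside the hunk.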
diff --git a/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch b/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch
new file mode 100644
index 0000000..2f55192
--- /dev/null
+++ b/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch
@@ -0,0 +1,49 @@
+From 5fd44adb6baeeb686a9c3ac89a5188ace1fb5e40 Mon Sep 17 00:00:00 2001
+From: Stefan Bader <stefan.bader at canonical.com>
+Date: Wed, 12 Mar 2014 13:03:26 +0100
+Subject: [PATCH] libxl: Check for control_d string to decide about dom0
+
+As soon as any guest mounts xenfs to /proc/xen, there is a capabilities
+file in that directory. However it returns nothing when reading from it.
+Change the test to actually check the contents of the file.
+
+BugLink: http://bugs.launchpad.net/bugs/1248025
+
+Signed-off-by: Stefan Bader <stefan.bader at canonical.com>
+(cherry picked from commit 8c869ad9f9c5d57ba0ef516835a08afdba7ad828)
+---
+ src/libxl/libxl_driver.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c
+index 764a686..fb2a7cc 100644
+--- a/src/libxl/libxl_driver.c
++++ b/src/libxl/libxl_driver.c
+@@ -783,6 +783,7 @@ libxlDriverShouldLoad(bool privileged)
+     bool ret = false;
+     virCommandPtr cmd;
+     int status;
++    char *output = NULL;
+ 
+     /* Don't load if non-root */
+     if (!privileged) {
+@@ -790,8 +791,17 @@ libxlDriverShouldLoad(bool privileged)
+         return ret;
+     }
+ 
+-    /* Don't load if not running on a Xen control domain (dom0) */
+-    if (!virFileExists("/proc/xen/capabilities")) {
++    /*
++     * Don't load if not running on a Xen control domain (dom0). It is not
++     * sufficient to check for the file to exist as any guest can mount
++     * xenfs to /proc/xen.
++     */
++    status = virFileReadAll("/proc/xen/capabilities", 10, &output);
++    if (status >= 0) {
++        status = strncmp(output, "control_d", 9);
++    }
++    VIR_FREE(output);
++    if (status) {
+         VIR_INFO("No Xen capabilities detected, probably not running "
+                  "in a Xen Dom0.  Disabling libxenlight driver");
+ 
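Review bot: The read limit `10` and the compare length `9` in the new dom0 check are magic numbers tied to the exact content `control_d` plus a newline; if the file ever holds anything longer, `virFileReadAll` would presumably fail on the size limit and the driver would be disabled on a real dom0. A larger named limit plus libvirt's prefix helper would be less fragile: `if (status >= 0) status = !STRPREFIX(output, "control_d");`. Reusing `status` first for a read length and then for a comparison result also makes the final `if (status)` hard to follow; a separate `bool` would be clearer. On hosts without /proc/xen the failed read may also log an error where the old `virFileExists` check was silent, which is worth checking. libxlDriverShouldLoad continues outside the hunk.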
diff --git a/libvirt.spec b/libvirt.spec
index 2847f47..04255c9 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -367,7 +367,7 @@
 Summary: Library providing a simple virtualization API
 Name: libvirt
 Version: 1.1.3.5
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -378,6 +378,14 @@ URL: http://libvirt.org/
 %endif
 Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz
 
+# Fix xen hvm VNC port (bz #1094262)
+Patch0001: 0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch
+# CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290)
+Patch0002: 0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch
+# Fix failure to start xen instances (rackspace in particular) (bz
+# #1098376)
+Patch0003: 0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch
+
 %if %{with_libvirtd}
 Requires: libvirt-daemon = %{version}-%{release}
     %if %{with_network}
@@ -1161,6 +1169,14 @@ of recent versions of Linux (and other OSes).
 %prep
 %setup -q
 
+# Fix xen hvm VNC port (bz #1094262)
+%patch0001 -p1
+# CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290)
+%patch0002 -p1
+# Fix failure to start xen instances (rackspace in particular) (bz
+# #1098376)
+%patch0003 -p1
+
 %build
 %if ! %{with_xen}
     %define _without_xen --without-xen
@@ -2118,6 +2134,11 @@ fi
 %endif
 
 %changelog
+* Mon May 19 2014 Cole Robinson <crobinso at redhat.com> - 1.1.3.5-2
+- Fix xen hvm VNC port (bz #1094262)
+- CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290)
+- Fix failure to start xen instances (rackspace in particular) (bz #1098376)
+
 * Sat May 03 2014 Cole Robinson <crobinso at redhat.com> - 1.1.3.5-1
 - Rebased to version 1.1.3.5
 - Fix QXL PCI address conflict (bz #1016775)

