c97b296...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.
Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
Signed-off-by: Ján Tomko <email address hidden>
97829dc...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <email address hidden>
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
Signed-off-by: Ján Tomko <email address hidden>
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
The debian etch distro was end-of-life a long time ago so we no
longer need the ULLONG_MAX hack. In any case gnulib now provides
an equivalent fix by default, and so our definition now triggers
syntax-check rule failure
src/internal.h:# define ULLONG_MAX ULONG_LONG_MAX
maint.mk: define the above via some gnulib .h file
maint.mk:843: recipe for target 'sc_prohibit_always-defined_macros' failed
Signed-off-by: Daniel P. Berrange <email address hidden>
(cherry picked from commit 31020664e9614ad0e0057da159379d7e0cd5eb12)
a72540f...
by
Andrea Bolognani <email address hidden>
nss: Remove RES_USE_INET6 usage
The recent deprecation in glibc (commit b76e065991ec) means the
module will fail to build entirely:
nss/libvirt_nss.c: In function '_nss_libvirt_gethostbyname_r':
nss/libvirt_nss.c:363:13: error: RES_USE_INET6 is deprecated [-Werror]
int af = ((_res.options & RES_USE_INET6) ? AF_INET6 : AF_INET); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This resolver option was removed shortly after being introduced,
and application using it are already broken anyway.
(cherry picked from commit 5fff7b99db42376e00dbc7af13f08ab27c8256e7)
GCC 7.1 introduces a new -Wformat-truncation warning
flag that reports if it thinks the maximum possible
size of the formatted output will exceed the provided
fixed buffer. This is enabled automatically by the
-Wformat warning flag. There are quite a few places
hit by this in libvirt which need rewriting. This is
non-trivial work in some places, so temporarily
disable the new warning until those fixes can be
implemented.
Signed-off-by: Daniel P. Berrange <email address hidden>
(cherry picked from commit f1acc4130c4d9a15fcf327f02cfc42de7eca52ff)
Depending on the platform/architecture, a number of conditionals
in libvirt code expand the same on both branches. This is expected
behaviour and harmless, so disable the warning to avoid creating
unexpected build failures
Two examples, mingw32:
../../src/util/vircommand.c: In function 'virCommandWait':
../../src/util/vircommand.c:2562:51: error: this condition has identical branches [-Werror=duplicated-branches] *exitstatus = cmd->rawStatus ? status : WEXITSTATUS(status); ^
and gcc7.1
In file included from util/virobject.c:28:0:
util/virobject.c: In function 'virClassNew':
util/viratomic.h:176:46: error: this condition has identical branches [-Werror=duplicated-branches] (void)(0 ? *(atomic) ^ *(atomic) : 0); \ ^
util/virobject.c:144:20: note: in expansion of macro 'virAtomicIntInc'
klass->magic = virAtomicIntInc(&magicCounter); ^~~~~~~~~~~~~~~
Signed-off-by: Daniel P. Berrange <email address hidden>
(cherry picked from commit 1ba693994a0ed97764f2c9058e4ae1a64f1287d1)
util/viralloc.c: In function 'virReallocN':
util/viralloc.c:246:23: error: '*' in boolean context, suggest '&&' instead [-Werror=int-in-bool-context]
if (!tmp && (size * count)) { ~~~~~~^~~~~~~~
Keep it happy by adding != 0 to the right hand expression
so it realizes we really are wanting to treat the result
of the arithmetic expression as a boolean
Signed-off-by: Daniel P. Berrange <email address hidden>
(cherry picked from commit 09db97d3cbf334ea28969f08bac8a2fe4aafda16)
35a7d50...
by
Marc Hartmayer <email address hidden>
Use ATTRIBUTE_FALLTHROUGH
Use ATTRIBUTE_FALLTHROUGH, introduced by commit
5d84f5961b8e28e802f600bb2d2c6903e219092e, instead of comments to
indicate that the fall through is an intentional behavior.
Signed-off-by: Marc Hartmayer <email address hidden>
Reviewed-by: Boris Fiuczynski <email address hidden>
Reviewed-by: Bjoern Walk <email address hidden>
(cherry picked from commit adf846d3c96ce5d45594c718003852684ddf0cb9)
Add ATTRIBUTE_FALLTHROUGH for switch cases without break
In GCC 7 there is a new warning triggered when a switch
case has a conditional statement (eg if ... else...) and
some of the code paths fallthrough to the next switch
statement. e.g.
conf/domain_conf.c: In function 'virDomainChrEquals':
conf/domain_conf.c:14926:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (src->targetTypeAttr != tgt->targetTypeAttr)
^
conf/domain_conf.c:14928:5: note: here
case VIR_DOMAIN_CHR_DEVICE_TYPE_CONSOLE:
^~~~
conf/domain_conf.c: In function 'virDomainChrDefFormat':
conf/domain_conf.c:22143:12: error: this statement may fall through [-Werror=implicit-fallthrough=]
if (def->targetTypeAttr) {
^
conf/domain_conf.c:22151:5: note: here
default:
^~~~~~~
GCC introduced a __attribute__((fallthrough)) to let you
indicate that this is intentionale behaviour rather than
a bug.
Signed-off-by: Daniel P. Berrange <email address hidden>
(cherry picked from commit 5d84f5961b8e28e802f600bb2d2c6903e219092e)
