890965e...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virConnect*HypervisorCPU on read-only connections
These APIs can be used to execute arbitrary emulators.
Forbid them on read-only connections.
Fixes: CVE-2019-10168
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit bf6c2830b6c338b1f5699b095df36f374777b291)
Signed-off-by: Ján Tomko <email address hidden>
93edb0e...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.
Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 8afa68bac0cf99d1f8aaa6566685c43c22622f26)
Signed-off-by: Ján Tomko <email address hidden>
00e673c...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virDomainManagedSaveDefineXML on read-only connections
The virDomainManagedSaveDefineXML can be used to alter the domain's
config used for managedsave or even execute arbitrary emulator binaries.
Forbid it on read-only connections.
Fixes: CVE-2019-10166
Reported-by: Matthias Gerstner <email address hidden>
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit db0b78457f183e4c7ac45bc94de86044a1e2056a)
Signed-off-by: Ján Tomko <email address hidden>
a276596...
by
=?utf-8?q?J=C3=A1n_Tomko?= <email address hidden>
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.
Forbid it on read-only connections.
Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <email address hidden>
Signed-off-by: Ján Tomko <email address hidden>
Reviewed-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
Signed-off-by: Ján Tomko <email address hidden>
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)
admin: reject clients unless their UID matches the current UID
The admin protocol RPC messages are only intended for use by the user
running the daemon. As such they should not be allowed for any client
UID that does not match the server UID.
Fixes CVE-2019-10132
Reviewed-by: Ján Tomko <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7)
1f8be8e...
by
Daniel Veillard <email address hidden>
Release of libvirt-4.6.0
* docs/news.xml: updated for release
Signed-off-by: Daniel Veillard <email address hidden>
3ad77f8...
by
Matthias Bolte <email address hidden>
esx: Fix double-free and freeing static strings in esxDomainSetAutostart
Since commit ae83e02f3dd7fe99fed5d8159a35b666fafeafd5#l3393 the
newPowerInfo pointer itself is used to track the ownership of the
AutoStartPowerInfo object to make Coverity understand the code better.
This broke the code that unset some members of the AutoStartPowerInfo
object that should not be freed the normal way.
Instead, transfer ownership of the AutoStartPowerInfo object to the
HostAutoStartManagerConfig object before filling in the values that
need special handling. This allows to free the AutoStartPowerInfo
directly without having to deal with the special values, or to let
the old (now restored) logic handle the special values again.
Signed-off-by: Matthias Bolte <email address hidden>
Tested-by: Marcos Paulo de Souza <email address hidden>
Reviewed-by: John Ferlan <email address hidden>
tests: mock virRandomBits to make it endian stable
virRandomBits is implemented in terms of virRandomBytes. Although we
mock virRandomBytes to give a stable value, this is not sufficient to
make virRandomBits give a stable value. The result of virRandomBits will
vary depending on endianness. Thus we mock virRandomBits to return a
stable value directly.
Reviewed-by: Boris Fiuczynski <email address hidden>
Tested-by: Boris Fiuczynski <email address hidden>
Reviewed-by: Eric Blake <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
