Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Guido asked me to prepare an update for libvirt: - CVE-2015-5313 is marked 'no-dsa', but should be fixed anyway (#808273) Salvatore Bonaccorso (security team) asked me to prepare an update via jessie-proposed-updates. - the SUID bridge-helper is searched for in /usr/libexec/, while it really is in /usr/lib/qemu/ (#816602) While preparing the update I noticed that it FTBFS in my pbuilder environment, requiring 3 more fixes. I'm running the binary on my amd64 system without problems: The CVE is fixed and bridging works again. -- System Information: Debian Release: 8.3 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
>From fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326 Mon Sep 17 00:00:00 2001
Message-Id: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 11:57:52 +0100
Subject: [PATCH 1/6] Fix CVE-2015-5313
Organization: Univention GmbH, Bremen, Germany
Patches cherry-picked from upstream
Closes: #808273
---
 ...13-storage-don-t-allow-in-filesystem-volu.patch | 72 ++++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 73 insertions(+)
 create mode 100644 debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
diff --git a/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
new file mode 100644
index 0000000..90e9610
--- /dev/null
+++ b/debian/patches/security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
@@ -0,0 +1,72 @@
+From 034e47c338b13a95cf02106a3af912c1c5f818d7 Mon Sep 17 00:00:00 2001
+Message-Id: <034e47c338b13a95cf02106a3af912c1c5f818d7.1457088964.git.h...@univention.de>
+From: Eric Blake <ebl...@redhat.com>
+Date: Tue, 8 Dec 2015 17:46:31 -0700
+Subject: [PATCH] CVE-2015-5313: storage: don't allow '/' in filesystem volume
+ names
+Organization: Univention GmbH, Bremen, Germany
+To: libvir-l...@redhat.com
+
+The libvirt file system storage driver determines what file to
+act on by concatenating the pool location with the volume name.
+If a user is able to pick names like "../../../etc/passwd", then
+they can escape the bounds of the pool. For that matter,
+virStoragePoolListVolumes() doesn't descend into subdirectories,
+so a user really shouldn't use a name with a slash.
+
+Normally, only privileged users can coerce libvirt into creating
+or opening existing files using the virStorageVol APIs; and such
+users already have full privilege to create any domain XML (so it
+is not an escalation of privilege). But in the case of
+fine-grained ACLs, it is feasible that a user can be granted
+storage_vol:create but not domain:write, and it violates
+assumptions if such a user can abuse libvirt to access files
+outside of the storage pool.
+
+Therefore, prevent all use of volume names that contain "/",
+whether or not such a name is actually attempting to escape the
+pool.
+
+This changes things from:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+Vol ../../../../../../etc/haha created
+$ rm /etc/haha
+
+to:
+
+$ virsh vol-create-as default ../../../../../../etc/haha --capacity 128
+error: Failed to create vol ../../../../../../etc/haha
+error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/'
+
+Signed-off-by: Eric Blake <ebl...@redhat.com>
+---
+ src/storage/storage_backend_fs.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/src/storage/storage_backend_fs.c
++++ b/src/storage/storage_backend_fs.c
+@@ -1,7 +1,7 @@
+ /*
+ * storage_backend_fs.c: storage backend for FS and directory handling
+ *
+- * Copyright (C) 2007-2014 Red Hat, Inc.
++ * Copyright (C) 2007-2015 Red Hat, Inc.
+ * Copyright (C) 2007-2008 Daniel P. Berrange
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -1005,6 +1005,14 @@ virStorageBackendFileSystemVolCreate(vir
+
+ vol->type = VIR_STORAGE_VOL_FILE;
+
++ /* Volumes within a directory pools are not recursive; do not
++ * allow escape to ../ or a subdir */
++ if (strchr(vol->name, '/')) {
++ virReportError(VIR_ERR_OPERATION_INVALID,
++ _("volume name '%s' cannot contain '/'"), vol->name);
++ return -1;
++ }
++
+ VIR_FREE(vol->target.path);
+ if (virAsprintf(&vol->target.path, "%s/%s",
+ pool->def->target.path,
diff --git a/debian/patches/series b/debian/patches/series
index bac1f34..69667f6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -31,3 +31,4 @@ upstream/Teach-virt-aa-helper-to-use-TEMPLATE.qemu-if-the-dom.patch
 Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
--
2.1.4
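Review bot: The guard inserted before the `VIR_FREE(vol->target.path)` line rejects any '/' in vol->name but still lets the names `.` and `..` through, and the `"%s/%s"` concatenation a few lines below then names the pool directory itself or its parent; what the rest of virStorageBackendFileSystemVolCreate does with such a path is outside this hunk, so this is a hardening point rather than a demonstrated problem. I'd widen the condition to `if (strchr(vol->name, '/') || strcmp(vol->name, ".") == 0 || strcmp(vol->name, "..") == 0) {` and fix the comment wording to `/* Volumes within a directory pool are not recursive; do not allow escape to ../ or a subdir */` (it currently reads "a directory pools"). Because this file is a cherry-pick of the upstream commit, any such extra check would be a Debian-local change and should be recorded in the patch header rather than folded into the upstream commit text. The function continues outside the hunk on both sides.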
>From 8d6c7c6c781f794f9cfb8fa10be5aa74eeaedbf5 Mon Sep 17 00:00:00 2001
Message-Id: <8d6c7c6c781f794f9cfb8fa10be5aa74eeaedbf5.1457180803.git.h...@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 13:39:49 +0100
Subject: [PATCH 2/6] FTBFS: automake-1.13 missing
Organization: Univention GmbH, Bremen, Germany
> dh_auto_build -O--builddirectory=.../debian/build -O--parallel ...
> cd ../.. && /bin/bash .../build-aux/missing automake-1.13 --gnu
> .../build-aux/missing: line 81: automake-1.13: command not found
Run autoreconf through dh-autoreconf
---
 debian/control | 1 +
 debian/rules | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/debian/control b/debian/control
index 8b9cd9b..c8cbfe9 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,7 @@ Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.deb
 Uploaders: Guido Günther <a...@sigxcpu.org>, Laurent Léonard <laur...@open-minds.org>
 Build-Depends: debhelper (>= 7),
+ dh-autoreconf,
 dh-systemd (>= 1.18~),
 libxml2-dev,
 libncurses5-dev,
diff --git a/debian/rules b/debian/rules
index 6812719..a9ca414 100755
--- a/debian/rules
+++ b/debian/rules
@@ -123,7 +123,7 @@ LOGROTATE = $(basename $(basename $(notdir $(wildcard daemon/libvirtd*.logrotate
 EXAMPLES_DIR = $(CURDIR)/debian/libvirt-doc/usr/share/doc/libvirt-doc/examples/
 %:
- dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel
+ dh $@ --builddirectory=$(DEB_BUILDDIR) --parallel --with autoreconf
 override_dh_auto_configure:
 dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_ARGS)
--
2.1.4
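Review bot: Adding `--with autoreconf` to the `dh $@` line in debian/rules regenerates configure and every Makefile.in with the build chroot's autotools, so for a stable update the rebuilt package will differ from 1.2.9-9+deb8u1 well beyond the two intended fixes; the commit message only shows the missing automake-1.13 symptom, not this consequence. That is probably unavoidable here, but it belongs in the changelog entry, and the resulting binaries should be compared against the current jessie package before upload. The matching `dh-autoreconf,` Build-Depends addition in debian/control looks correct.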
>From 6070bbf438f9bad1acda428a1fa982ad99e35db1 Mon Sep 17 00:00:00 2001
Message-Id: <6070bbf438f9bad1acda428a1fa982ad99e35db1.1457180803.git.h...@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 14:32:52 +0100
Subject: [PATCH 3/6] FTBFS: Disable failing virnetsockettest
Organization: Univention GmbH, Bremen, Germany
> gcc ../../../tests/virnetsockettest.c
> ../../../tests/virnetsockettest.c:336:12: error: 'testSocketCommandNormal' defined but not used [-Werror=unused-function]
> static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
> ^
> ../../../tests/virnetsockettest.c:364:12: error: 'testSocketCommandFail' defined but not used [-Werror=unused-function]
> static int testSocketCommandFail(const void *data ATTRIBUTE_UNUSED)
> ^
> cc1: all warnings being treated as errors
Use "#if 0" also for those two function definitions.
---
 .../patches/Disable-failing-virnetsockettest.patch | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/debian/patches/Disable-failing-virnetsockettest.patch b/debian/patches/Disable-failing-virnetsockettest.patch
index 3044ed5..a4d2a3b 100644
--- a/debian/patches/Disable-failing-virnetsockettest.patch
+++ b/debian/patches/Disable-failing-virnetsockettest.patch
@@ -7,11 +7,25 @@ until we debugged the interaction with pbuilder
 tests/virnetsockettest.c | 2 ++
 1 file changed, 2 insertions(+)
-diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
-index 5d91f26..1f283a3 100644
 --- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
-@@ -501,10 +501,12 @@ mymain(void)
+@@ -333,6 +333,7 @@ static int testSocketUNIXAddrs(const voi
+ return ret;
+ }
+
++#if 0
+ static int testSocketCommandNormal(const void *data ATTRIBUTE_UNUSED)
+ {
+ virNetSocketPtr csock = NULL; /* Client socket */
+@@ -383,6 +384,7 @@ static int testSocketCommandFail(const v
+ virObjectUnref(csock);
+ return ret;
+ }
++#endif
+
+ struct testSSHData {
+ const char *nodename;
+@@ -501,10 +503,12 @@ mymain(void)
 if (virtTestRun("Socket UNIX Addrs", testSocketUNIXAddrs, NULL) < 0) ret = -1;
--
2.1.4
>From e9dd9c308dad6a9b023a4d78719b2761a94e33dc Mon Sep 17 00:00:00 2001
Message-Id: <e9dd9c308dad6a9b023a4d78719b2761a94e33dc.1457180803.git.h...@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 14:41:06 +0100
Subject: [PATCH 4/6] FTBFS: Fix Report-original-error-when-QMP-probing-fails-with-ne.patch
Organization: Univention GmbH, Bremen, Germany
> ../../../tests/qemuhelptest.c
> ../../../tests/qemuhelptest.c: In function 'testHelpStrParsing':
> ../../../tests/qemuhelptest.c:131:1: error: invalid storage class for function 'mymain'
> mymain(void)
> ^
> ../../../tests/qemuhelptest.c: In function 'mymain':
> ../../../tests/qemuhelptest.c:133:9: error: declaration of 'ret' shadows a previous local [-Werror=shadow]
> int ret = 0;
> ^
> ../../../tests/qemuhelptest.c:47:9: error: shadowed declaration is here [-Werror=shadow]
> int ret = -1;
> ^
Remove trailing curly brace in patch without matching closing brace.
---
 .../upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
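Review bot: The diffstat context lines kept at the top of this hunk, `tests/virnetsockettest.c | 2 ++` and `1 file changed, 2 insertions(+)`, are now stale: the new side adds the `#if 0` and `#endif` lines around testSocketCommandNormal and testSocketCommandFail, so the embedded patch inserts four lines, not two. quilt does not read the stat, but anyone comparing the patch against the upstream test file will be misled; I'd update them to `tests/virnetsockettest.c | 4 ++++` and `1 file changed, 4 insertions(+)`. The one-line rationale "until we debugged the interaction with pbuilder" should also say that the two command-socket test functions are now compiled out entirely, since that is test coverage silently dropped from the jessie build. The nested -501/+503 hunk is cut off at the end of this hunk.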
diff --git a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
index 1f6dab7..2adc0db 100644
--- a/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
+++ b/debian/patches/upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
@@ -176,7 +176,7 @@ index 975edf3..271fddc 100644
 if (virQEMUCapsParseHelpStr("QEMU", help, flags,
 - &version, &is_kvm, &kvm_version, false) == -1)
-+ &version, &is_kvm, &kvm_version, false, NULL) == -1) {
++ &version, &is_kvm, &kvm_version, false, NULL) == -1)
 goto cleanup;
 # ifndef WITH_YAJL
--
2.1.4
>From 9e6d9e39a701aa8edce8aa870e0fd72a56508c7d Mon Sep 17 00:00:00 2001
Message-Id: <9e6d9e39a701aa8edce8aa870e0fd72a56508c7d.1457180803.git.h...@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 11:52:01 +0100
Subject: [PATCH 5/6] libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
Organization: Univention GmbH, Bremen, Germany
$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
/usr/libexec/qemu-bridge-helper
$ dpkg -S bridge-helper
qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
Closes: #816602
---
 debian/README.Debian | 12 +++++++
 .../debian/Debianize-bridge-helper-path.patch | 42 ++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 55 insertions(+)
 create mode 100644 debian/patches/debian/Debianize-bridge-helper-path.patch
diff --git a/debian/README.Debian b/debian/README.Debian
index 0fa9358..0637b68 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -51,6 +51,18 @@ EOF
 This makes dnsmasq only bind to the loopback interface by default so libvirtd can handle the virtual bridges.
+Bridged network
+===============
+libvirt can use the qemu-bridge-helper to create bridged network interfaces for
+session domains. For this to work the helper must have the capability to create
+TUN/TAP devices or must have the SUID permission set.
+This can be done by running the following command as the user root:
+
+ setcap cap_net_admin+ep /usr/lib/qemu/qemu-bridge-helper
+
+The allowed bridges must be configured in the file '/etc/qemu/bridge.conf'. For
+each bridge add a line like 'allow br0'.
+
 Access Control
 ==============
 Access to the libvirt managing tasks is controlled by PolicyKit. To ease
diff --git a/debian/patches/debian/Debianize-bridge-helper-path.patch b/debian/patches/debian/Debianize-bridge-helper-path.patch
new file mode 100644
index 0000000..689741e
--- /dev/null
+++ b/debian/patches/debian/Debianize-bridge-helper-path.patch
@@ -0,0 +1,42 @@
+libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+
+$ strings /usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so | grep bridge-helper
+/usr/libexec/qemu-bridge-helper
+
+$ dpkg -S bridge-helper
+qemu-system-common: /usr/lib/qemu/qemu-bridge-helper
+
+Closes #816602
+--- a/src/qemu/qemu.conf
++++ b/src/qemu/qemu.conf
+@@ -357,7 +357,7 @@
+ # is used to create <source type='bridge'> interfaces when libvirtd is
+ # running unprivileged. libvirt invokes the helper directly, instead
+ # of using "-netdev bridge", for security reasons.
+-#bridge_helper = "/usr/libexec/qemu-bridge-helper"
++#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
+
+
+
+--- a/src/qemu/qemu_conf.c
++++ b/src/qemu/qemu_conf.c
+@@ -244,7 +244,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
+ goto error;
+ }
+
+- if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/libexec/qemu-bridge-helper") < 0)
++ if (VIR_STRDUP(cfg->bridgeHelperName, "/usr/lib/qemu/qemu-bridge-helper") < 0)
+ goto error;
+
+ cfg->clearEmulatorCapabilities = true;
+--- a/src/qemu/test_libvirtd_qemu.aug.in
++++ b/src/qemu/test_libvirtd_qemu.aug.in
+@@ -56,7 +56,7 @@ module Test_libvirtd_qemu =
+ { "auto_dump_bypass_cache" = "0" }
+ { "auto_start_bypass_cache" = "0" }
+ { "hugetlbfs_mount" = "/dev/hugepages" }
+-{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
++{ "bridge_helper" = "/usr/lib/qemu/qemu-bridge-helper" }
+ { "clear_emulator_capabilities" = "1" }
+ { "set_process_name" = "1" }
+ { "max_processes" = "0" }
diff --git a/debian/patches/series b/debian/patches/series
index 69667f6..7651164 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ Allow-access-to-libnl-3-config-files.patch
 Fix-crash-on-live-migration.patch
 upstream/Report-original-error-when-QMP-probing-fails-with-ne.patch
 security/CVE-2015-5313-storage-don-t-allow-in-filesystem-volu.patch
+debian/Debianize-bridge-helper-path.patch
--
2.1.4
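Review bot: The new debian/Debianize-bridge-helper-path.patch opens with a free-form title and a bare `Closes #816602` but carries no DEP-3 header, whereas the cherry-picked CVE patch in this series keeps its full git headers; I'd add `Description: Use /usr/lib/qemu/qemu-bridge-helper, the path shipped by qemu-system-common, as the default bridge helper`, `Bug-Debian: https://bugs.debian.org/816602` and `Forwarded: not-needed` at the top and spell the trailer `Closes: #816602` to match the changelog. The hunk changes the compiled-in default in qemu_conf.c (the enclosing function's name is truncated in the hunk context), the commented example in qemu.conf and the augeas test in step, which is the right set of places; since the helper is invoked with elevated privilege, keeping the three in agreement matters and a one-line comment in the header saying all three must move together would help the next backporter.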
>From 2a73851b96e0ea2fc1c9e5fc8c30dc7d92dbf6c4 Mon Sep 17 00:00:00 2001
Message-Id: <2a73851b96e0ea2fc1c9e5fc8c30dc7d92dbf6c4.1457180803.git.h...@univention.de>
In-Reply-To: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
References: <fc0ddb2c5709e2b6ac4fc34fe66a275fc2388326.1457180803.git.h...@univention.de>
From: Philipp Hahn <h...@univention.de>
Date: Fri, 4 Mar 2016 12:09:58 +0100
Subject: [PATCH 6/6] Document changes and release 1.2.9-9+deb8u1.1
Organization: Univention GmbH, Bremen, Germany
---
 debian/changelog | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 23da1b7..28f43d1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libvirt (1.2.9-9+deb8u2) jessie; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-5313 (Closes: #808273)
+ * libvirt-daemon: Expects qemu-bridge-helper in /usr/libexec/
+ (Closes: #816602)
+ * Fix several FTBFS errors
+
+ -- Philipp Matthias Hahn <pmh...@debian.org> Fri, 04 Mar 2016 12:01:36 +0100
+
 libvirt (1.2.9-9+deb8u1) jessie; urgency=medium
 [ Guido Günther ]
--
2.1.4