current/SOURCES/0134-CVE-2014-7823-dumpxml-security-hole-with-migratable.patch

From 7b334c1660e926da7c0644c945263ce40a80443f Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Thu, 6 Nov 2014 10:34:00 +0100
Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag

Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML.  However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only.  This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.

Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get).  SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)

Conflicts:
        src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
        src/remote/remote_protocol.x - no fine-grained ACLs
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 src/libvirt.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index f81a3de..a2cde54 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4382,7 +4382,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
 
     conn = domain->conn;
 
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+    if ((conn->flags & VIR_CONNECT_RO) &&
+        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
         virLibConnError(VIR_ERR_OPERATION_DENIED, "%s",
                         _("virDomainGetXMLDesc with secure flag"));
         goto error;
-- 
1.7.1

1	From 7b334c1660e926da7c0644c945263ce40a80443f Mon Sep 17 00:00:00 2001
2	From: Eric Blake <eblake@redhat.com>
3	Date: Thu, 6 Nov 2014 10:34:00 +0100
4	Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag
5
6	Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
7	the qemu implementation of virDomainGetXMLDesc, the use of the
8	flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
9	connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
10	prior to calling qemuDomainFormatXML. However, the use of
11	VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
12	clients only. This patch treats the migratable flag as requiring
13	the same permissions, rather than analyzing what might break if
14	migratable xml no longer includes secret information.
15
16	Fortunately, the information leak is low-risk: all that is gated
17	by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
18	but VNC passwords are already weak (FIPS forbids their use, and
19	on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
20	password sent in plaintext over the network deserves what they
21	get). SPICE offers better security than VNC, and all other
22	secrets are properly protected by use of virSecret associations
23	rather than direct output in domain XML.
24
25	* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
26	Tighten rules on use of migratable flag.
27	* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
28
29	Signed-off-by: Eric Blake <eblake@redhat.com>
30	(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
31
32	Conflicts:
33	src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
34	src/remote/remote_protocol.x - no fine-grained ACLs
35	Signed-off-by: Eric Blake <eblake@redhat.com>
36	---
37	src/libvirt.c \| 3 ++-
38	1 files changed, 2 insertions(+), 1 deletions(-)
39
40	diff --git a/src/libvirt.c b/src/libvirt.c
41	index f81a3de..a2cde54 100644
42	--- a/src/libvirt.c
43	+++ b/src/libvirt.c
44	@@ -4382,7 +4382,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
45
46	conn = domain->conn;
47
48	- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
49	+ if ((conn->flags & VIR_CONNECT_RO) &&
50	+ (flags & (VIR_DOMAIN_XML_SECURE \| VIR_DOMAIN_XML_MIGRATABLE))) {
51	virLibConnError(VIR_ERR_OPERATION_DENIED, "%s",
52	_("virDomainGetXMLDesc with secure flag"));
53	goto error;
54	--
55	1.7.1
56