From 7b334c1660e926da7c0644c945263ce40a80443f Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Thu, 6 Nov 2014 10:34:00 +0100
Subject: [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag

Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
the qemu implementation of virDomainGetXMLDesc, the use of the
flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
prior to calling qemuDomainFormatXML. However, the use of
VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
clients only. This patch treats the migratable flag as requiring
the same permissions, rather than analyzing what might break if
migratable xml no longer includes secret information.

Fortunately, the information leak is low-risk: all that is gated
by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
but VNC passwords are already weak (FIPS forbids their use, and
on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
password sent in plaintext over the network deserves what they
get). SPICE offers better security than VNC, and all other
secrets are properly protected by use of virSecret associations
rather than direct output in domain XML.

* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
Tighten rules on use of migratable flag.
* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)

Conflicts:
	src/libvirt-domain.c - file split from older src/libvirt.c; context with older virLibConnError
	src/remote/remote_protocol.x - no fine-grained ACLs
Signed-off-by: Eric Blake <eblake@redhat.com>
---
 src/libvirt.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index f81a3de..a2cde54 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4382,7 +4382,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags) |
45 |
|
46 |
conn = domain->conn; |
47 |
|
48 |
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) { |
49 |
+ if ((conn->flags & VIR_CONNECT_RO) && |
50 |
+ (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) { |
51 |
virLibConnError(VIR_ERR_OPERATION_DENIED, "%s", |
52 |
_("virDomainGetXMLDesc with secure flag")); |
53 |
goto error; |
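Review bot: the error string passed to virLibConnError still reads "virDomainGetXMLDesc with secure flag", but the widened condition on the two `+` lines now also rejects VIR_DOMAIN_XML_MIGRATABLE on a read-only connection, so a client that passed only the migratable flag is told it used the secure flag; reword it to name both, e.g. _("virDomainGetXMLDesc with secure or migratable flag"). Separately, the commit message lists a change to src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC), but the diffstat shows only src/libvirt.c; since the Conflicts block says that hunk was dropped for lack of fine-grained ACLs on this branch, the remote_protocol.x entry in the message should be removed or marked as not applicable so the message matches the diff.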
--
1.7.1

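The gate the patch widens, as an added example that is not libvirt's code: a small C model of the call path the commit message describes (the public entry point's read-only check, the qemu driver's implicit promotion of VIR_DOMAIN_XML_MIGRATABLE to VIR_DOMAIN_XML_SECURE, and a formatter that emits the VNC password only under the secure flag), run once with the pre-patch condition and once with the patched one. The flag bit values, the graphics XML and the password are assumptions made for the example, not taken from the patch.

```c
/*
 * Added example, not libvirt code: models the read-only gate on
 * virDomainGetXMLDesc before and after the CVE-2014-7823 fix, plus the
 * qemu driver's implicit promotion of MIGRATABLE to SECURE that the
 * commit message describes. Flag values are assumed to mirror libvirt's
 * public enums (VIR_CONNECT_RO = 1<<0, VIR_DOMAIN_XML_SECURE = 1<<0,
 * VIR_DOMAIN_XML_MIGRATABLE = 1<<3); the XML and password are made up.
 */
#include <stdio.h>
#include <string.h>

#define CONN_RO         (1u << 0)   /* assumed: VIR_CONNECT_RO */
#define XML_SECURE      (1u << 0)   /* assumed: VIR_DOMAIN_XML_SECURE */
#define XML_MIGRATABLE  (1u << 3)   /* assumed: VIR_DOMAIN_XML_MIGRATABLE */

/* The one thing the commit says XML_SECURE gates: the VNC password. */
static const char *vnc_passwd = "hunter2";   /* constructed sample */

/* Model of the driver's formatter: emits passwd= only with XML_SECURE. */
static void format_xml(unsigned flags, char *out, size_t len)
{
    if (flags & XML_SECURE)
        snprintf(out, len, "<graphics type='vnc' passwd='%s'/>", vnc_passwd);
    else
        snprintf(out, len, "<graphics type='vnc'/>");
}

/* Model of the qemu driver: MIGRATABLE implies SECURE before formatting,
 * which is the promotion the commit message identifies as the hole. */
static void qemu_get_xml(unsigned flags, char *out, size_t len)
{
    if (flags & XML_MIGRATABLE)
        flags |= XML_SECURE;
    format_xml(flags, out, len);
}

/* Model of the public entry point. `fixed` selects the pre-patch gate
 * (SECURE only) or the patched one (SECURE | MIGRATABLE).
 * Returns 0 on success, -1 when the request is denied. */
static int get_xml_desc(unsigned conn_flags, unsigned flags, int fixed,
                        char *out, size_t len)
{
    unsigned rw_only = fixed ? (XML_SECURE | XML_MIGRATABLE) : XML_SECURE;

    if ((conn_flags & CONN_RO) && (flags & rw_only))
        return -1;          /* VIR_ERR_OPERATION_DENIED in libvirt */
    qemu_get_xml(flags, out, len);
    return 0;
}

/* Does a read-only caller asking only for migratable XML see the password?
 * 1 = leaked, 0 = denied or absent. */
int ro_migratable_leaks_password(int fixed)
{
    char xml[128];

    if (get_xml_desc(CONN_RO, XML_MIGRATABLE, fixed, xml, sizeof xml) != 0)
        return 0;           /* denied before the driver ran */
    return strstr(xml, "passwd=") != NULL;
}

/* A read-write caller must keep getting the secure migratable XML. */
int rw_migratable_includes_password(int fixed)
{
    char xml[128];

    if (get_xml_desc(0, XML_MIGRATABLE, fixed, xml, sizeof xml) != 0)
        return 0;
    return strstr(xml, "passwd=") != NULL;
}

int main(void)
{
    printf("unpatched, read-only:  leak=%d\n", ro_migratable_leaks_password(0));
    printf("patched,   read-only:  leak=%d\n", ro_migratable_leaks_password(1));
    printf("patched,   read-write: passwd=%d\n", rw_migratable_includes_password(1));
    return 0;
}
```

Compile with `cc -o gate gate.c && ./gate`. The unpatched model returns 1 for a read-only caller passing only the migratable flag (the driver promoted it to secure and the password is in the output); the patched model returns 0 because the request is refused before the driver runs; a read-write caller gets the password either way, which is the behaviour the commit message chose to preserve rather than strip secrets from migratable XML.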