Fix multiple CVEs related to privilege escalations on R/O connections

CVE-2019-10161: CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
CVE-2019-10166: api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
CVE-2019-10167: api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
CVE-2019-10168: api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch

debian/patches/security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch

+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Mon, 17 Jun 2019 18:20:15 +0200
+Subject: CVE-2019-10161: api: disallow virDomainSaveImageGetXMLDesc on
+ read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This is a backport of
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/libvirt-domain.c         | 9 ++-------
+ src/qemu/qemu_driver.c       | 2 +-
+ src/remote/remote_protocol.x | 3 +--
+ 3 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 9aca54a..6a5fff9 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -1073,8 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections.  For this API, @flags should not contain either
++ * VIR_DOMAIN_XML_SECURE; For this API, @flags should not contain either
+  * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+@@ -1092,11 +1091,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
+index 1d96170..fb417ad 100644
+--- a/src/qemu/qemu_driver.c
++++ b/src/qemu/qemu_driver.c
+@@ -7084,7 +7084,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index 1246df5..5cfb8b6 100644
+--- a/src/remote/remote_protocol.x
++++ b/src/remote/remote_protocol.x
+@@ -5234,8 +5234,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 

debian/patches/security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch

+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:34 +0200
+Subject: api: disallow virConnect*HypervisorCPU on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+These APIs can be used to execute arbitrary emulators.
+Forbid them on read-only connections.
+
+Fixes: CVE-2019-10168
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/libvirt-host.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-host.c b/src/libvirt-host.c
+index e20d6ee..2978825 100644
+--- a/src/libvirt-host.c
++++ b/src/libvirt-host.c
+@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
+     virCheckNonNullArgGoto(xmlCPU, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectCompareHypervisorCPU) {
+         int ret;
+@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(xmlCPUs, error);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectBaselineHypervisorCPU) {
+         char *cpu;

debian/patches/security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch

+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:33 +0200
+Subject: api: disallow virConnectGetDomainCapabilities on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+This API can be used to execute arbitrary emulators.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10167
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 3d198d2..9b10790 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -11361,6 +11361,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
+     virResetLastError();
+ 
+     virCheckConnectReturn(conn, NULL);
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->connectGetDomainCapabilities) {
+         char *ret;

debian/patches/security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch

+From: =?utf-8?q?J=C3=A1n_Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 10:37:32 +0200
+Subject: api: disallow virDomainManagedSaveDefineXML on read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The virDomainManagedSaveDefineXML can be used to alter the domain's
+config used for managedsave or even execute arbitrary emulator binaries.
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10166
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+---
+ src/libvirt-domain.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 6a5fff9..3d198d2 100644
+--- a/src/libvirt-domain.c
++++ b/src/libvirt-domain.c
+@@ -9567,6 +9567,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,
+ 
+     virCheckDomainReturn(domain, -1);
+     conn = domain->conn;
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainManagedSaveDefineXML) {
+         int ret;

debian/patches/series

@@ -29,3 +29,7 @@ security/cpu_map-Define-md-clear-CPUID-bit.patch
 security/admin-reject-clients-unless-their-UID-matches-the-current.patch
 security/locking-restrict-sockets-to-mode-0600.patch
 security/logging-restrict-sockets-to-mode-0600.patch
+security/CVE-2019-10161-api-disallow-virDomainSaveImageGetXMLDesc-.patch
+security/api-disallow-virDomainManagedSaveDefineXML-on-read-only-c.patch
+security/api-disallow-virConnectGetDomainCapabilities-on-read-only.patch
+security/api-disallow-virConnect-HypervisorCPU-on-read-only-connec.patch