CVE-2014-7823: dumpxml: security hole with migratable flag

Closes: #769149

CVE-2014-7823: dumpxml: security hole with migratable flag
214d4464 · Guido Günther · f71dc81c · 214d4464 · 214d4464
Commit 214d4464 authored 10 years ago by Guido Günther
--- a/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
+++ b/debian/patches/security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch
+From: Eric Blake <eblake@redhat.com>
+Date: Fri, 31 Oct 2014 22:14:07 -0600
+Subject: CVE-2014-7823: dumpxml: security hole with migratable flag
+
+Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
+the qemu implementation of virDomainGetXMLDesc, the use of the
+flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
+connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
+prior to calling qemuDomainFormatXML.  However, the use of
+VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
+clients only.  This patch treats the migratable flag as requiring
+the same permissions, rather than analyzing what might break if
+migratable xml no longer includes secret information.
+
+Fortunately, the information leak is low-risk: all that is gated
+by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
+but VNC passwords are already weak (FIPS forbids their use, and
+on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
+password sent in plaintext over the network deserves what they
+get).  SPICE offers better security than VNC, and all other
+secrets are properly protected by use of virSecret associations
+rather than direct output in domain XML.
+
+* src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
+Tighten rules on use of migratable flag.
+* src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+---
+ src/libvirt-domain.c         | 3 ++-
+ src/remote/remote_protocol.x | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 7dc3146..2b0defc 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -2607,7 +2607,8 @@ virDomainGetXMLDesc(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+    if ((conn->flags & VIR_CONNECT_RO) &&
+        (flags & (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE))) {
+         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                        _("virDomainGetXMLDesc with secure flag"));
+         goto error;
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index db12cda..ebf4530 100644
+--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
+@@ -3255,6 +3255,7 @@ enum remote_procedure {
+      * @generate: both
+      * @acl: domain:read
+      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE
+      */
+     REMOTE_PROC_DOMAIN_GET_XML_DESC = 14,
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ debian/Debianize-systemd-service-files.patch
 Allow-xen-toolstack-to-find-it-s-binaries.patch
 Skip-vircgrouptest.patch
 debian/Debianize-virtlockd.patch
+security/CVE-2014-7823-dumpxml-security-hole-with-migratable-.patch