Commits on Source (3)
CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
· 16bc38cf
Guido Günther
authored
Mar 12, 2018
16bc38cf
CVE-2018-6764: virlog: determine the hostname on startup
· 4c9a1f4a
Guido Günther
authored
Mar 12, 2018
4c9a1f4a
Document changes and release 3.0.0-4+deb9u3
· 4116b452
Guido Günther
authored
Mar 12, 2018
4116b452
debian/changelog
libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
* gbp: switch branch to stretch
* CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
* CVE-2018-6764: virlog: determine the hostname on startup
(Closes: #889839)
-- Guido Günther <agx@sigxcpu.org> Mon, 12 Mar 2018 19:11:51 +0100
libvirt (3.0.0-4+deb9u2) stretch; urgency=medium
* CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
...
...
debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
0 → 100644
From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
Date: Thu, 1 Mar 2018 14:55:26 +0000
Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
agent
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64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---
src/qemu/qemu_agent.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c
index 46cad53..da07bf2 100644
--- a/src/qemu/qemu_agent.c
+++ b/src/qemu/qemu_agent.c
@@ -53,6 +53,15 @@
VIR_LOG_INIT("qemu.qemu_agent");
#define DEBUG_IO 0
#define DEBUG_RAW_IO 0
+/* We read from QEMU until seeing a \r\n pair to indicate a
+ * completed reply or event. To avoid memory denial-of-service
+ * though, we must have a size limit on amount of data we
+ * buffer. 10 MB is large enough that it ought to cope with
+ * normal QEMU replies, and small enough that we're not
+ * consuming unreasonable mem.
+ */
+#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)
+
/* When you are the first to uncomment this,
* don't forget to uncomment the corresponding
* part in qemuAgentIOProcessEvent as well.
@@ -535,6 +544,12 @@
qemuAgentIORead(qemuAgentPtr mon)
int ret = 0;
if (avail < 1024) {
+ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {
+ virReportSystemError(ERANGE,
+ _("No complete agent response found in %d bytes"),
+ QEMU_AGENT_MAX_RESPONSE);
+ return -1;
+ }
if (VIR_REALLOC_N(mon->buffer,
mon->bufferLength + 1024) < 0)
return -1;
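Review bot: The new size check sits only on the growth path inside `if (avail < 1024)` and compares the allocated capacity `mon->bufferLength`, not the number of bytes actually buffered; because the buffer is grown in 1024-byte steps only when fewer than 1024 bytes are free, that keeps buffered data within roughly 1 KiB of QEMU_AGENT_MAX_RESPONSE, but nothing at the check says so. A comment above the added `if` would make the invariant explicit: `/* bufferLength is the allocated capacity and only grows here, so capping it also caps the bytes buffered */`. Reporting the limit with `%d` matches the macro, which expands to an int expression; if the limit is ever changed to a size_t the format needs `%zu`. qemuAgentIORead begins before this hunk and `avail` is computed outside it, so the relation between avail and bufferLength is inferred rather than visible here.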
debian/patches/security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch
0 → 100644
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Mon, 12 Mar 2018 19:11:23 +0100
Subject: CVE-2018-6764: virlog: determine the hostname on startup
At later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.
(cherry picked from commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167
cherry picked from commit 6ce3acc129bfdbe7fd02bcb8bbe8af6d13903684
cherry picked from commit c2dc6698c88fb591639e542c8ecb0076c54f3dfb)
---
cfg.mk | 2 +-
src/util/virlog.c | 27 +++++++++++++++++++--------
2 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/cfg.mk b/cfg.mk
index 69e3f3a..e710a05 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -1144,7 +1144,7 @@
_src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|loggin
exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
(^($(_src2)|tests/testutils|daemon/libvirtd)\.c$$)
-exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/virutil\.c$$
+exclude_file_name_regexp--sc_prohibit_gethostname = ^src/util/vir(util|log)\.c$$
exclude_file_name_regexp--sc_prohibit_internal_functions = \
^src/(util/(viralloc|virutil|virfile)\.[hc]|esx/esx_vi\.c)$$
diff --git a/src/util/virlog.c b/src/util/virlog.c
index 7b584f8..4e33d38 100644
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -63,6 +63,7 @@
VIR_LOG_INIT("util.log");
static regex_t *virLogRegex;
+static char virLogHostname[HOST_NAME_MAX+1];
#define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
@@ -259,6 +260,8 @@
virLogPriorityString(virLogPriority lvl)
static int
virLogOnceInit(void)
{
+ int r;
+
if (virMutexInit(&virLogMutex) < 0)
return -1;
@@ -270,6 +273,21 @@
virLogOnceInit(void)
VIR_FREE(virLogRegex);
}
+ /* We get and remember the hostname early, because at later time
+ * it might not be possible to load NSS modules via getaddrinfo()
+ * (e.g. at container startup the host filesystem will not be
+ * accessible anymore.
+ * Must not use virGetHostname though as that causes re-entrancy
+ * problems if it triggers logging codepaths
+ */
+ r = gethostname(virLogHostname, sizeof(virLogHostname));
+ if (r == -1) {
+ ignore_value(virStrcpy(virLogHostname,
+ "(unknown)", sizeof(virLogHostname)));
+ } else {
+ NUL_TERMINATE(virLogHostname);
+ }
+
virLogUnlock();
return 0;
}
@@ -465,17 +483,10 @@
static int
virLogHostnameString(char **rawmsg,
char **msg)
{
- char *hostname = virGetHostnameQuiet();
char *hoststr;
- if (!hostname)
- return -1;
-
- if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
- VIR_FREE(hostname);
+ if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0)
return -1;
- }
- VIR_FREE(hostname);
if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
VIR_FREE(hoststr);
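Review bot: In the virLogOnceInit hunk the explanatory comment never closes its parenthesis (`(e.g. at container startup the host filesystem will not be accessible anymore.`), so it reads as truncated; ending it with `accessible anymore).` fixes it. The same hunk changes the failure behaviour that the virLogHostnameString hunk removes: where a NULL from virGetHostnameQuiet() used to make the function return -1, the function now always succeeds and the log line carries the literal `(unknown)` whenever gethostname() failed at startup, which deserves a one-line comment on virLogHostnameString such as `/* virLogHostname is filled once by virLogOnceInit; "(unknown)" if gethostname() failed */`. The static buffer is sized with HOST_NAME_MAX, which must come from includes outside this hunk; glibc provides it for the stretch target, but whether the cherry-pick builds elsewhere can't be confirmed from here.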
debian/patches/series
...
...
@@ -25,3 +25,5 @@ qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
security/qemu-ensure-TLS-clients-always-verify-the-server-certific.patch
qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch