Guido Günther · Guido Günther · e8858268 · e8858268 · e8858268 · e8858268
--- a/debian/changelog
+++ b/debian/changelog
+libvirt (5.0.0-2) unstable; urgency=medium
+
+  [ Laurent Bigonville ]
+  * [76e2cb7] Don't recommend ebtables.  It's part of the iptables package now.
+    (Closes: #918472)
+
+  [ intrigeri ]
+  * [d7a7218] Fix virtio-gpu + virgl support by cherry-picking upstream
+    commits virt-manager in current sid still creates new VMs with QXL
+    graphics by default, so this bug only affects users who opt in for
+    virtio-gpu 3D acceleration.  Still, the option for virtio-gpu + 3D
+    acceleration is offered in the virt-manager GUI, so having it broken by
+    default is an important problem.
+    (Closes: #916587)
+
+  [ Christian Ehrhardt ]
+  * [3997186] d/libvirt-daemon-system.maintscript: remove obsolete conffile
+    /etc/logrotate.d/libvirtd.uml became obsolete since UML was dropped in
+    libvirt 5.0 (Closes: #920574)
+  * [c64d020] d/libvirt-daemon-system.libvirtd.default: clarify libvirtd_opts
+    example (Closes: #921713)
+
+  [ Guido Günther ]
+  * [790365e] CVE-2019-3886: Don't allow unprivileged users to use the guest
+    agent. Apply upstream patches
+    remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
+    api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+    (Closes: #926418)
+
+ -- Guido Günther <agx@sigxcpu.org>  Sun, 07 Apr 2019 12:36:21 +0200
+
 libvirt (5.0.0-1) unstable; urgency=medium

  * [7346f30] New upstream version 5.0.0

--- a/debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+++ b/debian/patches/api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Wed, 3 Apr 2019 15:00:49 +0100
+Subject: api: disallow virDomainGetHostname for read-only connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+The virDomainGetHostname API is fetching guest information and this may
+involve use of an untrusted guest agent. As such its use must be
+forbidden on a read-only connection to libvirt.
+
+Fixes CVE-2019-3886
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/libvirt-domain.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
+index 75c9014..9aca54a 100644
+--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
+@@ -11028,6 +11028,8 @@ virDomainGetHostname(virDomainPtr domain, unsigned int flags)
+     virCheckDomainReturn(domain, NULL);
+     conn = domain->conn;
+ 
+    virCheckReadOnlyGoto(domain->conn->flags, error);
+
+     if (conn->driver->domainGetHostname) {
+         char *ret;
+         ret = conn->driver->domainGetHostname(domain, flags);
--- a/debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
+++ b/debian/patches/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Wed, 3 Apr 2019 15:00:50 +0100
+Subject: remote: enforce ACL write permission for getting guest time &
+ hostname
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Getting the guest time and hostname both require use of guest agent
+commands. These must not be allowed for read-only users, so the
+permissions check must validate "write" permission not "read".
+
+Fixes CVE-2019-3886
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/remote/remote_protocol.x | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
+index b9d26b1..1246df5 100644
+--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
+@@ -5505,7 +5505,7 @@ enum remote_procedure {
+ 
+     /**
+      * @generate: both
+-     * @acl: domain:read
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
+ 
+@@ -5900,7 +5900,7 @@ enum remote_procedure {
+ 
+     /**
+      * @generate: none
+-     * @acl: domain:read
+     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_GET_TIME = 337,
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,5 @@ security-aa-helper-allow-virt-aa-helper-to-read-dev-dri.patch
 security-aa-helper-generate-more-rules-for-gl-devices.patch
 security-aa-helper-nvidia-rules-for-gl-devices.patch
 security-aa-helper-gl-devices-in-sysfs-at-arbitrary-depth.patch
+api-disallow-virDomainGetHostname-for-read-only-connectio.patch
+remote-enforce-ACL-write-permission-for-getting-guest-tim.patch