gnu: libvirt: Fix CVE-2017-1000256.
* gnu/packages/patches/libvirt-CVE-2017-1000256.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/virtualization.scm (libvirt)[source]: Use it.
This commit is contained in:
parent
48f8b07082
commit
7827032a7c
|
@ -815,6 +815,7 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/libunistring-gnulib-multi-core.patch \
|
%D%/packages/patches/libunistring-gnulib-multi-core.patch \
|
||||||
%D%/packages/patches/libusb-0.1-disable-tests.patch \
|
%D%/packages/patches/libusb-0.1-disable-tests.patch \
|
||||||
%D%/packages/patches/libusb-for-axoloti.patch \
|
%D%/packages/patches/libusb-for-axoloti.patch \
|
||||||
|
%D%/packages/patches/libvirt-CVE-2017-1000256.patch \
|
||||||
%D%/packages/patches/libvisio-fix-tests.patch \
|
%D%/packages/patches/libvisio-fix-tests.patch \
|
||||||
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
|
%D%/packages/patches/libvpx-CVE-2016-2818.patch \
|
||||||
%D%/packages/patches/libxcb-python-3.5-compat.patch \
|
%D%/packages/patches/libxcb-python-3.5-compat.patch \
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
Fix CVE-2017-1000256:
|
||||||
|
|
||||||
|
https://security.libvirt.org/2017/0002.html
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
|
||||||
|
|
||||||
|
From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
Date: Thu, 5 Oct 2017 17:54:28 +0100
|
||||||
|
Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
|
||||||
|
|
||||||
|
The default_tls_x509_verify (and related) parameters in qemu.conf
|
||||||
|
control whether the QEMU TLS servers request & verify certificates
|
||||||
|
from clients. This works as a simple access control system for
|
||||||
|
servers by requiring the CA to issue certs to permitted clients.
|
||||||
|
This use of client certificates is disabled by default, since it
|
||||||
|
requires extra work to issue client certificates.
|
||||||
|
|
||||||
|
Unfortunately the code was using this configuration parameter when
|
||||||
|
setting up both TLS clients and servers in QEMU. The result was that
|
||||||
|
TLS clients for character devices and disk devices had verification
|
||||||
|
turned off, meaning they would ignore errors while validating the
|
||||||
|
server certificate.
|
||||||
|
|
||||||
|
This allows for trivial MITM attacks between client and server,
|
||||||
|
as any certificate returned by the attacker will be accepted by
|
||||||
|
the client.
|
||||||
|
|
||||||
|
This is assigned CVE-2017-1000256 / LSN-2017-0002
|
||||||
|
|
||||||
|
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
|
||||||
|
---
|
||||||
|
src/qemu/qemu_command.c | 2 +-
|
||||||
|
.../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +-
|
||||||
|
...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +-
|
||||||
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
|
||||||
|
index 9a27987..ae78cd1 100644
|
||||||
|
--- a/src/qemu/qemu_command.c
|
||||||
|
+++ b/src/qemu/qemu_command.c
|
||||||
|
@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
|
||||||
|
if (virJSONValueObjectCreate(propsret,
|
||||||
|
"s:dir", path,
|
||||||
|
"s:endpoint", (isListen ? "server": "client"),
|
||||||
|
- "b:verify-peer", verifypeer,
|
||||||
|
+ "b:verify-peer", (isListen ? verifypeer : true),
|
||||||
|
NULL) < 0)
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
index 5aff773..ab5f7e2 100644
|
||||||
|
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
|
||||||
|
@@ -26,7 +26,7 @@ server,nowait \
|
||||||
|
localport=1111 \
|
||||||
|
-device isa-serial,chardev=charserial0,id=serial0 \
|
||||||
|
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||||
|
-endpoint=client,verify-peer=no \
|
||||||
|
+endpoint=client,verify-peer=yes \
|
||||||
|
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||||
|
tls-creds=objcharserial1_tls0 \
|
||||||
|
-device isa-serial,chardev=charserial1,id=serial1 \
|
||||||
|
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
index 91f1fe0..2567abb 100644
|
||||||
|
--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
|
||||||
|
@@ -31,7 +31,7 @@ localport=1111 \
|
||||||
|
data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
|
||||||
|
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
|
||||||
|
-object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
|
||||||
|
-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
|
||||||
|
+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
|
||||||
|
-chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
|
||||||
|
tls-creds=objcharserial1_tls0 \
|
||||||
|
-device isa-serial,chardev=charserial1,id=serial1 \
|
||||||
|
--
|
||||||
|
1.7.1
|
||||||
|
|
|
@ -322,6 +322,7 @@ manage system or application containers.")
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "https://libvirt.org/sources/libvirt-"
|
(uri (string-append "https://libvirt.org/sources/libvirt-"
|
||||||
version ".tar.xz"))
|
version ".tar.xz"))
|
||||||
|
(patches (search-patches "libvirt-CVE-2017-1000256.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))
|
"1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))
|
||||||
|
|
Loading…
Reference in New Issue