Hi, sorry for the delay but attached is the diff for the stable update. This addresses #701649 (CVE-2013-1766) as well as #699224 (kind of CVE-2013-0170). Is this enough for the security team to issue the DSA? Let me know if I can help further. Cheers, -- Guido
diff --git a/debian/README.Debian b/debian/README.Debian index b8c97e0..02c0a49 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -56,6 +56,9 @@ Access Control Access to the libvirt socket is controlled by membership in the "libvirt" group. If you want to manage VMs as non root you need to add a user to that group. +System QEMU/KVM processes are run as user and group libvirt-qemu. This can be +adjusted via /etc/libvirt/qemu.conf. + QEMU/KVM: Dropping Capabilties ============================== Network interfaces of type "ethernet" use a script like /etc/qemu-ifup to set up diff --git a/debian/changelog b/debian/changelog index bd3ec0d..719b74e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +libvirt (0.8.3-5+squeeze4) stable-security; urgency=low + + * [9d7846f] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm + instances. This makes sure we don't chown files to groups possibly used + by other programs. (Closes: #701649) + + -- Guido Günther <a...@sigxcpu.org> Sat, 09 Mar 2013 17:03:01 +0100 + +libvirt (0.8.3-5+squeeze3) stable-security; urgency=low + + * [0bbbca1] Add missing return on error path (Closes: #699224) + + -- Guido Günther <a...@sigxcpu.org> Fri, 22 Feb 2013 20:32:53 +0100 + libvirt (0.8.3-5+squeeze2) stable-security; urgency=low * [ac67c93] CVE-2011-1486: Make error reporting in libvirtd thread safe diff --git a/debian/libvirt-bin.NEWS b/debian/libvirt-bin.NEWS index ee32190..c6c40f6 100644 --- a/debian/libvirt-bin.NEWS +++ b/debian/libvirt-bin.NEWS 
@@ -1,3 +1,12 @@ +libvirt (0.8.3-5+squeeze4) experimental; urgency=low + + For qemu:///system KVM/QEMU processes now run as group libvirt-qemu. This + makes sure image files and volumes aren't accessible by users in the more + general and previously used kvm group. To change this behaviour adjust the + group option in /etc/libvirt/qemu.conf. + + -- Guido Günther <a...@sigxcpu.org> Tue, 26 Feb 2013 06:30:48 +0100 + libvirt (0.8.3-2) unstable; urgency=low Disk format probing is disabled now by default for security reasons diff --git a/debian/libvirt-bin.postinst b/debian/libvirt-bin.postinst index ea85ad2..fed481b 100644 --- a/debian/libvirt-bin.postinst +++ b/debian/libvirt-bin.postinst @@ -17,17 +17,16 @@ set -e # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package - case "$1" in configure) if ! getent group libvirt >/dev/null; then addgroup --system libvirt fi - # user and group libvirt runs qemu/kvm instances with if ! getent group kvm >/dev/null; then addgroup --quiet --system kvm fi + # user and group libvirt runs qemu/kvm instances with if ! getent passwd libvirt-qemu >/dev/null; then adduser --quiet \ --system \ @@ -40,6 +39,10 @@ case "$1" in -gecos "Libvirt Qemu" \ libvirt-qemu fi + if ! getent group libvirt-qemu >/dev/null; then + addgroup --quiet --system libvirt-qemu + adduser libvirt-qemu libvirt-qemu + fi # libvirt from 0.6.0 on is safe to restart with running vms: if [ -n "$2" ] && dpkg --compare-versions "$2" ge 0.6.0; then diff --git a/debian/libvirt-bin.postrm b/debian/libvirt-bin.postrm index d6e9b99..086fda3 100644 --- a/debian/libvirt-bin.postrm +++ b/debian/libvirt-bin.postrm 
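Review bot: In the second postinst hunk the `adduser libvirt-qemu libvirt-qemu` call sits inside the `if ! getent group libvirt-qemu` test, so the membership is only added on the run that creates the group. With `set -e` in effect, a failure between `addgroup` and `adduser` leaves a group that the next configure run finds and skips, and a libvirt-qemu group that already existed is never populated. Consider moving the membership out of the conditional as `adduser --quiet libvirt-qemu libvirt-qemu`, assuming adduser treats an existing membership as success (worth confirming on squeeze). The enclosing `case` continues outside the hunk.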
@@ -24,7 +24,14 @@ case "$1" in if getent group libvirt >/dev/null; then delgroup libvirt || true fi - + + if getent passwd libvirt-qemu >/dev/null; then + deluser libvirt-qemu || true + fi + + if getent group libvirt-qemu >/dev/null; then + delgroup libvirt-qemu || true + fi ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; diff --git a/debian/patches/0016-Add-missing-return-on-error-path.patch b/debian/patches/0016-Add-missing-return-on-error-path.patch new file mode 100644 index 0000000..2da0deb --- /dev/null +++ b/debian/patches/0016-Add-missing-return-on-error-path.patch @@ -0,0 +1,20 @@ +From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> +Date: Fri, 22 Feb 2013 20:06:25 +0100 +Subject: Add missing return on error path + +--- + daemon/libvirtd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c +index 711360b..9b88aac 100644 +--- a/daemon/libvirtd.c ++++ b/daemon/libvirtd.c +@@ -1820,6 +1820,7 @@ readmore: + if (remoteDecodeClientMessageHeader(msg) < 0) { + VIR_FREE(msg); + qemudDispatchClientFailure(client); ++ return; + } + + /* Check if any filters match this message */ diff --git a/debian/patches/series b/debian/patches/series index e98d06b..1c3ce85 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -13,3 +13,4 @@ security/0013-Add-missing-checks-for-read-only-connections.patch security/0014-Make-error-reporting-in-libvirtd-thread-safe.patch security/0015-Fix-integer-overflow-in-VirDomainGetVcpus.patch +0016-Add-missing-return-on-error-path.patch diff --git a/debian/rules b/debian/rules index 159797d..63559e5 100755 --- a/debian/rules +++ b/debian/rules @@ -25,7 +25,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \ --disable-rpath \ --with-qemu \ --with-qemu-user=libvirt-qemu \ - --with-qemu-group=kvm \ + --with-qemu-group=libvirt-qemu \ --with-openvz \ --with-avahi \ --with-sasl \
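Review bot: The purge branch now removes the libvirt-qemu user and group, but files that were chowned to them keep the bare numeric uid/gid afterwards (the changelog indicates image files are chowned to the qemu group). If a later account or group is allocated the same id, it inherits access to those images. Keeping the system account on purge avoids that; if removal stays, a comment such as `# images chowned to libvirt-qemu keep its numeric uid/gid after purge` above the `deluser` would record the trade-off. The enclosing `case` starts outside the hunk.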
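Review bot: The new patch file has no description beyond its subject, so the reason the `return;` matters is left to the reader: `msg` has just been released with `VIR_FREE` and the failure handler called, yet without the return control falls through to the filter check below. A short paragraph in the patch header saying this, plus `Bug-Debian: https://bugs.debian.org/699224`, would make the security relevance traceable. The patch is also listed in `series` without the `security/` prefix that the three entries above it use, which looks unintended. The function body continues outside the hunk, so whether other cleanup is needed before returning cannot be checked here.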
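Review bot: Switching `--with-qemu-group` changes only the compiled-in default, and nothing in this diff touches files that the previous version already chowned to group kvm. Images of guests that are not restarted after the upgrade would presumably stay accessible to kvm members until libvirt next sets their ownership, and a qemu.conf that sets `group` explicitly keeps the old behaviour. Both cases are worth a sentence in libvirt-bin.NEWS so that admins check image ownership and their qemu.conf after upgrading. The `DEB_CONFIGURE_EXTRA_FLAGS` assignment starts and ends outside the hunk.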