On Thu, Jul 29, 2010 at 04:02:53PM +0200, Guido Günther wrote: > Hi, > I'd like to upload a new version of libvirt to stable fixing two issues: > > * CVE-2010-2242: Apply a source port mapping to virtual network > masquerading > * Fix path to hvmloader. (Closes: #573808) > > The first fixes a minor security issue, the update is the backport of an > upstream fix: > > http://git.debian.org/?p=pkg-libvirt/libvirt.git;a=commit;h=dcdab940c808defb589559567e38b94ecfebb793 > > The latter one fixes a major annoyance for people using Xen with libvirt > by fixing the path to the HVM loader: > > http://git.debian.org/?p=pkg-libvirt/libvirt.git;a=commit;h=ce08070c680dc3a3deea50cca36d598636ff7aac > > The debdiff is attached. O.k. to upload? Find the debdiff attached now. -- Guido
diff -u libvirt-0.4.6/debian/changelog libvirt-0.4.6/debian/changelog
--- libvirt-0.4.6/debian/changelog
+++ libvirt-0.4.6/debian/changelog
@@ -1,3 +1,11 @@
+libvirt (0.4.6-10+lenny1) stable; urgency=low
+
+ * [dcdab94] CVE-2010-2242: Apply a source port mapping to virtual network
+ masquerading
+ * [ce08070] Fix path to hvmloader. (Closes: #573808)
+
+ -- Guido Günther <a...@sigxcpu.org> Thu, 29 Jul 2010 15:38:03 +0200
+
 libvirt (0.4.6-10) unstable; urgency=low
 * [5878698] cherry-pick patch for CVE-2008-5086 from experimental
diff -u libvirt-0.4.6/debian/patches/series libvirt-0.4.6/debian/patches/series
--- libvirt-0.4.6/debian/patches/series
+++ libvirt-0.4.6/debian/patches/series
@@ -11,0 +12,2 @@
+0012-fix-Debian-specific-path-to-hvm-loader.patch
+0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
only in patch2: unchanged:
--- libvirt-0.4.6.orig/debian/patches/0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
+++ libvirt-0.4.6/debian/patches/0013-CVE-2010-2242-Apply-a-source-port-mapping-to-virtual.patch
@@ -0,0 +1,246 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Thu, 29 Jul 2010 13:50:19 +0200
+Subject: [PATCH] CVE-2010-2242: Apply a source port mapping to virtual network masquerading
+
+IPtables will seek to preserve the source port unchanged when
+doing masquerading, if possible. NFS has a pseudo-security
+option where it checks for the source port <= 1023 before
+allowing a mount request. If an admin has used this to make the
+host OS trusted for mounts, the default iptables behaviour will
+potentially allow NAT'd guests access too. This needs to be
+stopped.
+
+Origin: vendor, c567853089a2764c964002dd752e09e318524a38
+---
+ src/iptables.c | 64 ++++++++++++++++++++++++++++++++++-------------
+ src/iptables.h | 6 +++-
+ src/qemu_driver.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 117 insertions(+), 24 deletions(-)
+
+diff --git a/src/iptables.c b/src/iptables.c
+index 726141a..a1eab96 100644
+--- a/src/iptables.c
++++ b/src/iptables.c
+@@ -1087,23 +1087,47 @@ static int
+ iptablesForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+ const char *physdev,
++ const char *protocol,
+ int action)
+ {
+- if (physdev && physdev[0]) {
+- return iptablesAddRemoveRule(ctx->nat_postrouting,
+- action,
+- "--source", network,
+- "--destination", "!", network,
+- "--out-interface", physdev,
+- "--jump", "MASQUERADE",
+- NULL);
++ if (protocol && protocol[0]) {
++ if (physdev && physdev[0]) {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "-p", protocol,
++ "!", "--destination", network,
++ "--out-interface", physdev,
++ "--jump", "MASQUERADE",
++ "--to-ports", "1024-65535",
++ NULL);
++ } else {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "-p", protocol,
++ "!", "--destination", network,
++ "--jump", "MASQUERADE",
++ "--to-ports", "1024-65535",
++ NULL);
++ }
+ } else {
+- return iptablesAddRemoveRule(ctx->nat_postrouting,
+- action,
+- "--source", network,
+- "--destination", "!", network,
+- "--jump", "MASQUERADE",
+- NULL);
++ if (physdev && physdev[0]) {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "!", "--destination", network,
++ "--out-interface", physdev,
++ "--jump", "MASQUERADE",
++ NULL);
++ } else {
++ return iptablesAddRemoveRule(ctx->nat_postrouting,
++ action,
++ "--source", network,
++ "!", "--destination", network,
++ "--jump", "MASQUERADE",
++ NULL);
++ }
+ }
+ }
+
+@@ -1112,6 +1136,7 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+ *
+ * Add rules to the IP table context to allow masquerading
+ * network @network on @physdev. This allow the bridge to
+@@ -1122,9 +1147,10 @@ iptablesForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+- const char *physdev)
++ const char *physdev,
++ const char *protocol)
+ {
+- return iptablesForwardMasquerade(ctx, network, physdev, ADD);
++ return iptablesForwardMasquerade(ctx, network, physdev, protocol, ADD);
+ }
+
+ /**
+@@ -1132,6 +1158,7 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @physdev: the physical input device or NULL
++ * @protocol: the network protocol or NULL
+ *
+ * Remove rules from the IP table context to stop masquerading
+ * network @network on @physdev. This stops the bridge from
+@@ -1142,9 +1169,10 @@ iptablesAddForwardMasquerade(iptablesContext *ctx,
+ int
+ iptablesRemoveForwardMasquerade(iptablesContext *ctx,
+ const char *network,
+- const char *physdev)
++ const char *physdev,
++ const char *protocol)
+ {
+- return iptablesForwardMasquerade(ctx, network, physdev, REMOVE);
++ return iptablesForwardMasquerade(ctx, network, physdev, protocol, REMOVE);
+ }
+
+ #endif /* WITH_QEMU */
+diff --git a/src/iptables.h b/src/iptables.h
+index 95f07de..87f994a 100644
+--- a/src/iptables.h
++++ b/src/iptables.h
+@@ -90,10 +90,12 @@ int iptablesRemoveForwardRejectIn (iptablesContext *ctx,
+
+ int iptablesAddForwardMasquerade (iptablesContext *ctx,
+ const char *network,
+- const char *physdev);
++ const char *physdev,
++ const char *protocol);
+ int iptablesRemoveForwardMasquerade (iptablesContext *ctx,
+ const char *network,
+- const char *physdev);
++ const char *physdev,
++ const char *protocol);
+
+ #endif /* WITH_QEMU */
+
+diff --git a/src/qemu_driver.c b/src/qemu_driver.c
+index c9bf8d7..9050f96 100644
+--- a/src/qemu_driver.c
++++ b/src/qemu_driver.c
+@@ -1275,18 +1275,73 @@ qemudAddMasqueradingIptablesRules(virConnectPtr conn,
+ goto masqerr2;
+ }
+
+- /* enable masquerading */
++ /*
++ * Enable masquerading.
++ *
++ * We need to end up with 3 rules in the table in this order
++ *
++ * 1. protocol=tcp with sport mapping restricton
++ * 2. protocol=udp with sport mapping restricton
++ * 3. generic any protocol
++ *
++ * The sport mappings are required, because default IPtables
++ * MASQUERADE is maintain port number unchanged where possible.
++ *
++ * NFS can be configured to only "trust" port numbers < 1023.
++ *
++ * Guests using NAT thus need to be prevented from having port
++ * numbers < 1023, otherwise they can bypass the NFS "security"
++ * check on the source port number.
++ *
++ * Since we use '--insert' to add rules to the header of the
++ * chain, we actually need to add them in the reverse of the
++ * order just mentioned !
++ */
++
++ /* First the generic masquerade rule for other protocols */
+ if ((err = iptablesAddForwardMasquerade(driver->iptables,
+ network->def->network,
+- network->def->forwardDev))) {
++ network->def->forwardDev,
++ NULL))) {
+ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
+ _("failed to add iptables rule to enable masquerading : %s\n"),
+ strerror(err));
+ goto masqerr3;
+ }
++ /* UDP with a source port restriction */
++ if ((err = iptablesAddForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp"))) {
++ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
++ _("failed to add iptables rule to enable UDP masquerading to '%s'"),
++ network->def->forwardDev ? network->def->forwardDev : NULL);
++ goto masqerr4;
++ }
++
++ /* TCP with a source port restriction */
++ if ((err = iptablesAddForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "tcp"))) {
++ qemudReportError(conn, NULL, NULL, VIR_ERR_INTERNAL_ERROR,
++ _("failed to add iptables rule to enable TCP masquerading to '%s'"),
++ network->def->forwardDev ? network->def->forwardDev : NULL);
++ goto masqerr5;
++ }
+
+ return 1;
+
++ masqerr5:
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp");
++ masqerr4:
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ NULL);
+ masqerr3:
+ iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+ network->def->network,
+@@ -1449,8 +1504,16 @@ qemudRemoveIptablesRules(struct qemud_driver *driver,
+ if (network->def->forwardType != VIR_NETWORK_FORWARD_NONE) {
+ iptablesRemoveForwardMasquerade(driver->iptables,
+ network->def->network,
+- network->def->forwardDev);
+-
++ network->def->forwardDev,
++ "tcp");
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ "udp");
++ iptablesRemoveForwardMasquerade(driver->iptables,
++ network->def->network,
++ network->def->forwardDev,
++ NULL);
+ if (network->def->forwardType == VIR_NETWORK_FORWARD_NAT)
+ iptablesRemoveForwardAllowRelatedIn(driver->iptables,
+ network->def->network,
+--
only in patch2: unchanged:
--- libvirt-0.4.6.orig/debian/patches/0012-fix-Debian-specific-path-to-hvm-loader.patch
+++ libvirt-0.4.6/debian/patches/0012-fix-Debian-specific-path-to-hvm-loader.patch
@@ -0,0 +1,23 @@
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org>
+Date: Thu, 26 Feb 2009 14:29:58 +0100
+Subject: [PATCH] fix Debian specific path to hvm loader
+
+Closes: #517059
+---
+ src/xen_internal.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/src/xen_internal.c b/src/xen_internal.c
+index d80ecfb..d04fb4f 100644
+--- a/src/xen_internal.c
++++ b/src/xen_internal.c
+@@ -2204,7 +2204,7 @@ xenHypervisorBuildCapabilities(virConnectPtr conn,
+ "/usr/lib64/xen/bin/qemu-dm" :
+ "/usr/lib/xen/bin/qemu-dm"),
+ (guest_archs[i].hvm ?
+- "/usr/lib/xen/boot/hvmloader" :
++ "/usr/lib/xen-default/boot/hvmloader" :
+ NULL),
+ 1,
+ machines)) == NULL)
+--
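Review bot: The two new error paths in qemudAddMasqueradingIptablesRules (the UDP and TCP `qemudReportError` calls in the nested qemu_driver.c hunk) pass `network->def->forwardDev ? network->def->forwardDev : NULL` as the `%s` argument, which is simply `forwardDev` and hands a null pointer to `%s` whenever no forward device is configured — undefined behaviour per the standard, "(null)" at best on glibc. They also drop the `strerror(err)` that the generic-rule message just above them still reports, so a failed TCP/UDP rule insert tells the admin nothing about why iptables refused it. Using the same message shape as the generic rule, `_("failed to add iptables rule to enable UDP masquerading : %s\n"), strerror(err)` (and likewise for TCP), fixes both. On the iptables.c side, the four near-identical `iptablesAddRemoveRule` calls in `iptablesForwardMasquerade` differ only in the optional `-p`/`--to-ports` and `--out-interface` argument pairs; that is a style point, not a blocker. The enclosing function starts before the hunk and its remaining cleanup labels continue past it.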