[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/files/, app-emulation/libvirt/

Matthias Maier Wed, 25 Oct 2017 12:49:04 -0700

commit:     834dafc5a7928ecf8c1e643dd2879837d32d233c
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Oct 25 19:46:02 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Oct 25 19:46:02 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834dafc5


app-emulation/libvirt: fix CVE-2017-1000256, bug #635174

Package-Manager: Portage-2.3.8, Repoman-2.3.3

 .../files/libvirt-3.8.0-CVE-2017-1000256.patch     | 74 ++++++++++++++++++++++
 ...ibvirt-3.8.0.ebuild => libvirt-3.8.0-r1.ebuild} |  1 +
 2 files changed, 75 insertions(+)

diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch 
b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch
new file mode 100644
index 00000000000..8c347cd799a
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch
@@ -0,0 +1,74 @@
+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berra...@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <ebl...@redhat.com>
+Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
+---
+ src/qemu/qemu_command.c                                                 | 2 +-
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args     | 2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args                 | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 46f0bdd18..f68b82d08 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": 
"client"),
+-                                 "b:verify-peer", verifypeer,
++                                 "b:verify-peer", (isListen ? verifypeer : 
true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git 
a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args 
b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index 5aff7734e..ab5f7e27f 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git 
a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args 
b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 91f1fe0cd..2567abbfa 100644
+--- 
a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ 
b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+-- 
+2.13.6
+

diff --git a/app-emulation/libvirt/libvirt-3.8.0.ebuild 
b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
similarity index 99%
rename from app-emulation/libvirt/libvirt-3.8.0.ebuild
rename to app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
index 68e7ff8f0ab..7ac23060bb1 100644
--- a/app-emulation/libvirt/libvirt-3.8.0.ebuild
+++ b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
@@ -125,6 +125,7 @@ PATCHES=(
        "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
        "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
        "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch          # bug #609488
+       "${FILESDIR}"/${PN}-3.8.0-CVE-2017-1000256.patch           # bug #635174
 )
 
 pkg_setup() {

[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/files/, app-emulation/libvirt/

Reply via email to