commit: 834dafc5a7928ecf8c1e643dd2879837d32d233c Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> AuthorDate: Wed Oct 25 19:46:02 2017 +0000 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> CommitDate: Wed Oct 25 19:46:02 2017 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834dafc5
app-emulation/libvirt: fix CVE-2017-1000256, bug #635174 Package-Manager: Portage-2.3.8, Repoman-2.3.3 .../files/libvirt-3.8.0-CVE-2017-1000256.patch | 74 ++++++++++++++++++++++ ...ibvirt-3.8.0.ebuild => libvirt-3.8.0-r1.ebuild} | 1 + 2 files changed, 75 insertions(+) diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch new file mode 100644 index 00000000000..8c347cd799a --- /dev/null +++ b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch @@ -0,0 +1,74 @@ +From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" <berra...@redhat.com> +Date: Thu, 5 Oct 2017 17:54:28 +0100 +Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate + +The default_tls_x509_verify (and related) parameters in qemu.conf +control whether the QEMU TLS servers request & verify certificates +from clients. This works as a simple access control system for +servers by requiring the CA to issue certs to permitted clients. +This use of client certificates is disabled by default, since it +requires extra work to issue client certificates. + +Unfortunately the code was using this configuration parameter when +setting up both TLS clients and servers in QEMU. The result was that +TLS clients for character devices and disk devices had verification +turned off, meaning they would ignore errors while validating the +server certificate. + +This allows for trivial MITM attacks between client and server, +as any certificate returned by the attacker will be accepted by +the client. + +This is assigned CVE-2017-1000256 / LSN-2017-0002 + +Reviewed-by: Eric Blake <ebl...@redhat.com> +Signed-off-by: Daniel P. Berrange <berra...@redhat.com> +--- + src/qemu/qemu_command.c | 2 +- + tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- + .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c +index 46f0bdd18..f68b82d08 100644 +--- a/src/qemu/qemu_command.c ++++ b/src/qemu/qemu_command.c +@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, + if (virJSONValueObjectCreate(propsret, + "s:dir", path, + "s:endpoint", (isListen ? "server": "client"), +- "b:verify-peer", verifypeer, ++ "b:verify-peer", (isListen ? verifypeer : true), + NULL) < 0) + goto cleanup; + +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +index 5aff7734e..ab5f7e27f 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args +@@ -26,7 +26,7 @@ server,nowait \ + localport=1111 \ + -device isa-serial,chardev=charserial0,id=serial0 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no \ ++endpoint=client,verify-peer=yes \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +index 91f1fe0cd..2567abbfa 100644 +--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args ++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args +@@ -31,7 +31,7 @@ localport=1111 \ + data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ + keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ + -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ +-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ ++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ + -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ + tls-creds=objcharserial1_tls0 \ + -device isa-serial,chardev=charserial1,id=serial1 \ +-- +2.13.6 + diff --git a/app-emulation/libvirt/libvirt-3.8.0.ebuild b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild similarity index 99% rename from app-emulation/libvirt/libvirt-3.8.0.ebuild rename to app-emulation/libvirt/libvirt-3.8.0-r1.ebuild index 68e7ff8f0ab..7ac23060bb1 100644 --- a/app-emulation/libvirt/libvirt-3.8.0.ebuild +++ b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild @@ -125,6 +125,7 @@ PATCHES=( "${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch "${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488 + "${FILESDIR}"/${PN}-3.8.0-CVE-2017-1000256.patch # bug #635174 ) pkg_setup() {