Hello community, here is the log from the commit of package libvirt for openSUSE:Factory checked in at 2013-10-15 10:42:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libvirt (Old) and /work/SRC/openSUSE:Factory/.libvirt.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libvirt"
Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes 2013-10-11 08:55:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes 2013-10-15 10:42:30.000000000 +0200
@@ -1,0 +2,47 @@
+Mon Oct 14 22:20:41 MDT 2013 - jfeh...@suse.com
+
+- Move virt-login-shell to new subpackage libvirt-login-shell,
+ requiring users to opt-in for this setuid binary. Note: For now,
+ virt-login-shell will not have setuid permissions, pending
+ resolution of bnc#837609
+
+-------------------------------------------------------------------
+Mon Oct 14 21:25:49 MDT 2013 - jfeh...@suse.com
+
+- qemu: Fix seamless SPICE migration
+ 484cc321-fix-spice-migration.patch
+ bnc#842301
+
+-------------------------------------------------------------------
+Mon Oct 14 20:33:43 MDT 2013 - jfeh...@suse.com
+
+- CVE-2013-4399: Fix crash in libvirtd when events are registered
+ and ACLs active
+ 8294aa0c-CVE-2013-4399.patch
+ bnc#844052, bnc#842300
+
+-------------------------------------------------------------------
+Mon Oct 14 16:40:25 MDT 2013 - jfeh...@suse.com
+
+- Update the stale gettext BuildRequires and Requires dependencies
+ in the spec file
+ bnc#841325
+
+-------------------------------------------------------------------
+Mon Oct 14 16:01:46 MDT 2013 - jfeh...@suse.com
+
+- virt-aa-helper apparmor profile was denying read access to
+ /proc/$PID/*. Give read accesss to these files.
+ Updated install-apparmor-profiles.patch
+ bnc#841720
+
+-------------------------------------------------------------------
+Mon Oct 14 13:46:14 MDT 2013 - jfeh...@suse.com
+
+- libvirtd apparmor profile was denying access to
+ /usr/lib/xen/bin/qemu-system-i386, which is now the default
+ emulator used with Xen guests
+ Updated install-apparmor-profiles.patch
+ bnc#845648
+
+-------------------------------------------------------------------
New:
----
484cc321-fix-spice-migration.patch
8294aa0c-CVE-2013-4399.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.9PUfai/_old 2013-10-15 10:42:31.000000000 +0200
+++ /var/tmp/diff_new_pack.9PUfai/_new 2013-10-15 10:42:31.000000000 +0200
@@ -273,7 +273,7 @@
 # listed against each sub-RPM
 BuildRequires: autoconf
 BuildRequires: automake
-BuildRequires: gettext-devel
+BuildRequires: gettext-tools
 BuildRequires: libtool
 %if %{with_systemd}
 BuildRequires: systemd
@@ -282,7 +282,6 @@
 BuildRequires: xen-devel
 %endif
 BuildRequires: fdupes
-BuildRequires: gettext
 BuildRequires: libattr-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libgnutls-devel
@@ -410,6 +409,8 @@
 Patch3: e65667c0-CVE-2013-4311.patch
 Patch4: 922b7fda-CVE-2013-4311.patch
 Patch5: e4697b92-CVE-2013-4311.patch
+Patch6: 8294aa0c-CVE-2013-4399.patch
+Patch7: 484cc321-fix-spice-migration.patch
 # Need to go upstream
 Patch100: xen-name-for-devid.patch
 Patch101: clone.patch
@@ -849,7 +850,7 @@
 # (client invokes 'nc' against the UNIX socket on the server)
 Requires: netcat-openbsd
 # Needed by libvirt-guests init script.
-Requires: gettext
+Requires: gettext-runtime
 # Needed by virt-pki-validate script.
 Requires: gnutls
 # Needed for probing the power management features of the host.
@@ -891,6 +892,15 @@
 Includes the Sanlock lock manager plugin for the QEMU driver
 %endif
+%package login-shell
+Summary: Login shell for containers
+Group: Development/Libraries/C and C++
+Requires: %{name}-client = %{version}-%{release}
+
+%description login-shell
+Povides virt-login-shell, a tool to execute a shell within a container
+matching the users name
+
 %if %{with_python}
 %package python
@@ -914,6 +924,8 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1
@@ -1594,17 +1606,11 @@
 %doc %{_mandir}/man1/virt-xml-validate.1*
 %doc %{_mandir}/man1/virt-pki-validate.1*
 %doc %{_mandir}/man1/virt-host-validate.1*
-%doc %{_mandir}/man1/virt-login-shell.1*
 %config(noreplace) %{_sysconfdir}/%{name}/libvirt.conf
-%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
 %{_bindir}/virsh
 %{_bindir}/virt-xml-validate
 %{_bindir}/virt-pki-validate
 %{_bindir}/virt-host-validate
-# setuid binary that needs security audit - bnc#837609
-# In the meantime, don't install setuid
-#%attr(4755, root, root) %{_bindir}/virt-login-shell
-%{_bindir}/virt-login-shell
 %dir %{_libdir}/%{name}
 %{_libdir}/lib*.so.*
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt-guests.sh
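Review bot: The new `%description login-shell` text ships a typo and a missing apostrophe into package metadata: `Povides virt-login-shell` should read `Provides virt-login-shell`, and `matching the users name` should read `matching the user's name`. The `Group: Development/Libraries/C and C++` line looks copied from a library subpackage; a container login helper fits a system or virtualization group better, though the exact group name depends on the distribution's group list. Since the whole point of the subpackage is to make the setuid binary opt-in, and the `%files login-shell` hunk later in this section installs it with the `%attr(4755, ...)` line commented out, the description should also say that the binary is currently installed without the setuid bit so the opt-in intent is visible at install time.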
@@ -1684,6 +1690,15 @@
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt_sanlock_helper
 %endif
+%files login-shell
+%defattr(-, root, root)
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
+%doc %{_mandir}/man1/virt-login-shell.1*
+# setuid binary that needs security audit - bnc#837609
+# In the meantime, don't install setuid
+#%attr(4755, root, root) %{_bindir}/virt-login-shell
+%{_bindir}/virt-login-shell
+
 %if %{with_python}
 %files python
++++++ 484cc321-fix-spice-migration.patch ++++++
commit 484cc3217b73b865f00bf42a9c12187b37200699
Author: Martin Kletzander <mklet...@redhat.com>
Date: Fri Sep 20 16:40:20 2013 +0200
    qemu: Fix seamless SPICE migration
    Since the wait is done during migration (still inside QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such in order to prohibit all other jobs from interfering in the meantime.
    This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was waiting on the monitor condition and after GetSpiceMigrationStatus mangled its internal data, the daemon crashed.
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886
Index: libvirt-1.1.2/src/qemu/qemu_migration.c
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu_migration.c
+++ libvirt-1.1.2/src/qemu/qemu_migration.c
@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP
     /* Poll every 50ms for progress & to allow cancellation */
     struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull };
-    qemuDomainObjEnterMonitor(driver, vm);
+    if (qemuDomainObjEnterMonitorAsync(driver, vm,
+                                       QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)
+        return -1;
+
     if (qemuMonitorGetSpiceMigrationStatus(priv->mon, &spice_migrated) < 0) {
         qemuDomainObjExitMonitor(driver, vm);
++++++ 8294aa0c-CVE-2013-4399.patch ++++++
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berra...@redhat.com>
Date: Fri Sep 27 15:46:07 2013 +0100
    Fix crash in libvirtd when events are registered & ACLs active
    When a client disconnects from libvirtd, all event callbacks must be removed. This involves running the public API virConnectDomainEventDeregisterAny
    This code does not run in normal API dispatch context, so no identity was set. The result was that the access control drivers denied the attempt to deregister callbacks. The callbacks thus continued to trigger after the client was free'd causing fairly predictable use of free memory & a crash.
    This can be triggered by any client with readonly access when the ACL drivers are active.
    Signed-off-by: Daniel P. Berrange <berra...@redhat.com>
Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
     /* Deregister event delivery callback */
     if (priv->conn) {
+        virIdentityPtr sysident = virIdentityGetSystem();
         size_t i;
+        virIdentitySetCurrent(sysident);
+
         for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
             if (priv->domainEventCallbackID[i] != -1) {
                 VIR_DEBUG("Deregistering to relay remote events %zu", i);
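Review bot: The new `qemuDomainObjEnterMonitorAsync()` call and its early `return -1` carry no comment saying why the async variant is required here, so a later maintainer may well "simplify" it back to `qemuDomainObjEnterMonitor()` and reintroduce the crash the commit message describes. A comment above the call such as `/* We are still inside QEMU_ASYNC_JOB_MIGRATION_OUT: enter the monitor under that job so no concurrent API call (e.g. qemuDomainGetBlockInfo) can use the monitor while we poll */` would pin the intent. The early return presumably relies on qemuDomainObjEnterMonitorAsync() having already reported the error; if it does not, the caller receives -1 with no error set, which is worth confirming. qemuMigrationWaitForSpice's body starts and ends outside the hunk.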
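Review bot: `virIdentityGetSystem()` on the first added line is not checked for NULL, and the return value of `virIdentitySetCurrent(sysident)` is discarded; if either fails, the deregistration loop below runs with no identity, the ACL drivers deny it exactly as before this patch, and the freed client's callbacks stay registered, which is the use-after-free this change exists to close. This runs from the client free path with no caller to report to, so the failure should at least be logged to make it diagnosable, e.g. `if (!sysident || virIdentitySetCurrent(sysident) < 0) VIR_WARN("Unable to set system identity; event deregistration may be denied");`. The next hunk of this file unrefs `sysident` unconditionally, which is only fine if virObjectUnref tolerates NULL, so a short comment there would help. remoteClientFreeFunc's body begins before this hunk and continues in the next one.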
@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
         }
         virConnectClose(priv->conn);
+
+        virIdentitySetCurrent(NULL);
+        virObjectUnref(sysident);
     }
     VIR_FREE(priv);
++++++ install-apparmor-profiles.patch ++++++
--- /var/tmp/diff_new_pack.9PUfai/_old 2013-10-15 10:42:31.000000000 +0200
+++ /var/tmp/diff_new_pack.9PUfai/_new 2013-10-15 10:42:31.000000000 +0200
@@ -57,7 +57,7 @@
 ===================================================================
 --- /dev/null
 +++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,41 @@
 +# Last Modified: Fri Aug 19 11:21:48 2011
 +#include <tunables/global>
 +
@@ -71,6 +71,7 @@
 +  # needed for when disk is on a network filesystem
 +  network inet,
 +
++  @{PROC}/[0-9]** r,
 +  deny @{PROC}/[0-9]*/mounts r,
 +  @{PROC}/filesystems r,
 +
@@ -202,7 +203,7 @@
 ===================================================================
 --- /dev/null
 +++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,59 @@
 +# Last Modified: Fri Aug 19 11:20:36 2011
 +#include <tunables/global>
 +@{LIBVIRT}="libvirt"
@@ -244,6 +245,7 @@
 +  /usr/bin/* Ux,
 +  /usr/sbin/* Ux,
 +  /usr/lib/xen/bin/qemu-dm Ux,
++  /usr/lib/xen/bin/qemu-system-i386 Ux,
 +  /usr/lib/PolicyKit/polkit-read-auth-helper Px,
 +
 +  # force the use of virt-aa-helper
--
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org
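Review bot: The added `@{PROC}/[0-9]** r,` rule in the virt-aa-helper profile is broader than the changelog's stated intent of `/proc/$PID/*`: the `**` glob matches any depth, so it grants read on every file under every numeric /proc entry for every process, not just the per-PID top level. The kernel's own ptrace checks still gate the sensitive entries, and the existing `deny @{PROC}/[0-9]*/mounts r,` below keeps winning because deny rules take precedence regardless of order, so the practical exposure is limited, but the profile no longer records which files the helper actually needs. Either narrow the glob to the specific /proc/PID entries virt-aa-helper reads, or add a comment above the rule such as `# virt-aa-helper inspects /proc/<pid>/ of the guest's emulator; broad read is deliberate, mounts stays denied below` so the breadth is visibly intentional rather than accidental.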
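Review bot: The new `/usr/lib/xen/bin/qemu-system-i386 Ux,` line in the libvirtd profile runs the Xen device model unconfined, matching the existing `qemu-dm Ux,` rule just above it, but nothing in the profile explains why the Xen emulator gets no confinement while the surrounding comment insists on forcing virt-aa-helper for the other path. A one-line comment above the two Xen entries, e.g. `# Xen device models run unconfined (no per-guest profile is generated for them)`, would document the asymmetry for whoever next tightens this profile; the exact reason should be confirmed against how the Xen driver launches the emulator, which is not visible here.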