Hello community,

here is the log from the commit of package libvirt for openSUSE:Factory checked 
in at 2013-10-15 10:42:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libvirt (Old)
 and      /work/SRC/openSUSE:Factory/.libvirt.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libvirt"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libvirt/libvirt.changes  2013-10-11 
08:55:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libvirt.new/libvirt.changes     2013-10-15 
10:42:30.000000000 +0200
@@ -1,0 +2,47 @@
+Mon Oct 14 22:20:41 MDT 2013 - jfeh...@suse.com
+
+- Move virt-login-shell to new subpackage libvirt-login-shell,
+  requiring users to opt-in for this setuid binary.  Note: For now,
+  virt-login-shell will not have setuid permissions, pending
+  resolution of bnc#837609
+
+-------------------------------------------------------------------
+Mon Oct 14 21:25:49 MDT 2013 - jfeh...@suse.com
+
+- qemu: Fix seamless SPICE migration
+  484cc321-fix-spice-migration.patch
+  bnc#842301
+
+-------------------------------------------------------------------
+Mon Oct 14 20:33:43 MDT 2013 - jfeh...@suse.com
+
+- CVE-2013-4399: Fix crash in libvirtd when events are registered
+  and ACLs active
+  8294aa0c-CVE-2013-4399.patch
+  bnc#844052, bnc#842300
+
+-------------------------------------------------------------------
+Mon Oct 14 16:40:25 MDT 2013 - jfeh...@suse.com
+
+- Update the stale gettext BuildRequires and Requires dependencies
+  in the spec file
+  bnc#841325
+
+-------------------------------------------------------------------
+Mon Oct 14 16:01:46 MDT 2013 - jfeh...@suse.com
+
+- virt-aa-helper apparmor profile was denying read access to
+  /proc/$PID/*.  Give read accesss to these files.
+  Updated install-apparmor-profiles.patch
+  bnc#841720
+
+-------------------------------------------------------------------
+Mon Oct 14 13:46:14 MDT 2013 - jfeh...@suse.com
+
+- libvirtd apparmor profile was denying access to
+  /usr/lib/xen/bin/qemu-system-i386, which is now the default
+  emulator used with Xen guests
+  Updated install-apparmor-profiles.patch
+  bnc#845648
+
+-------------------------------------------------------------------

New:
----
  484cc321-fix-spice-migration.patch
  8294aa0c-CVE-2013-4399.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libvirt.spec ++++++
--- /var/tmp/diff_new_pack.9PUfai/_old  2013-10-15 10:42:31.000000000 +0200
+++ /var/tmp/diff_new_pack.9PUfai/_new  2013-10-15 10:42:31.000000000 +0200
@@ -273,7 +273,7 @@
 # listed against each sub-RPM
 BuildRequires:  autoconf
 BuildRequires:  automake
-BuildRequires:  gettext-devel
+BuildRequires:  gettext-tools
 BuildRequires:  libtool
 %if %{with_systemd}
 BuildRequires:  systemd
@@ -282,7 +282,6 @@
 BuildRequires:  xen-devel
 %endif
 BuildRequires:  fdupes
-BuildRequires:  gettext
 BuildRequires:  libattr-devel
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgnutls-devel
@@ -410,6 +409,8 @@
 Patch3:         e65667c0-CVE-2013-4311.patch
 Patch4:         922b7fda-CVE-2013-4311.patch
 Patch5:         e4697b92-CVE-2013-4311.patch
+Patch6:         8294aa0c-CVE-2013-4399.patch
+Patch7:         484cc321-fix-spice-migration.patch
 # Need to go upstream
 Patch100:       xen-name-for-devid.patch
 Patch101:       clone.patch
@@ -849,7 +850,7 @@
 # (client invokes 'nc' against the UNIX socket on the server)
 Requires:       netcat-openbsd
 # Needed by libvirt-guests init script.
-Requires:       gettext
+Requires:       gettext-runtime
 # Needed by virt-pki-validate script.
 Requires:       gnutls
 # Needed for probing the power management features of the host.
@@ -891,6 +892,15 @@
 Includes the Sanlock lock manager plugin for the QEMU driver
 %endif
 
+%package login-shell
+Summary:        Login shell for containers
+Group:          Development/Libraries/C and C++
+Requires:       %{name}-client = %{version}-%{release}
+
+%description login-shell
+Povides virt-login-shell, a tool to execute a shell within a container
+matching the users name
+
 %if %{with_python}
 
 %package python
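Review bot: The `%description login-shell` text has two typos and leaves out the fact an administrator needs before opting in. `Povides` should read `Provides` and `users name` should read `user's name`. Per the changelog the subpackage exists because virt-login-shell is meant to be a setuid binary, so the description should say so. `Group: Development/Libraries/C and C++` also looks carried over from a library subpackage and does not describe a login shell.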
@@ -914,6 +924,8 @@
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %patch100 -p1
 %patch101
 %patch102 -p1
@@ -1594,17 +1606,11 @@
 %doc %{_mandir}/man1/virt-xml-validate.1*
 %doc %{_mandir}/man1/virt-pki-validate.1*
 %doc %{_mandir}/man1/virt-host-validate.1*
-%doc %{_mandir}/man1/virt-login-shell.1*
 %config(noreplace) %{_sysconfdir}/%{name}/libvirt.conf
-%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
 %{_bindir}/virsh
 %{_bindir}/virt-xml-validate
 %{_bindir}/virt-pki-validate
 %{_bindir}/virt-host-validate
-# setuid binary that needs security audit - bnc#837609
-# In the meantime, don't install setuid
-#%attr(4755, root, root) %{_bindir}/virt-login-shell
-%{_bindir}/virt-login-shell
 %dir %{_libdir}/%{name}
 %{_libdir}/lib*.so.*
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt-guests.sh
@@ -1684,6 +1690,15 @@
 %attr(0755, root, root) %{_libdir}/%{name}/libvirt_sanlock_helper
 %endif
 
+%files login-shell
+%defattr(-, root, root)
+%config(noreplace) %{_sysconfdir}/libvirt/virt-login-shell.conf
+%doc %{_mandir}/man1/virt-login-shell.1*
+# setuid binary that needs security audit - bnc#837609
+# In the meantime, don't install setuid
+#%attr(4755, root, root) %{_bindir}/virt-login-shell
+%{_bindir}/virt-login-shell
+
 %if %{with_python}
 
 %files python
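Review bot: The binary's mode is not pinned in `%files login-shell`. `%defattr(-, root, root)` takes the file mode from the buildroot, so `%{_bindir}/virt-login-shell` ships with whatever bits the install step left on it. If the upstream install target sets the setuid bit, now or after a version update, it would be packaged despite the comment above it. Writing `%attr(0755, root, root) %{_bindir}/virt-login-shell` would enforce the "no setuid until bnc#837609 is resolved" decision. Separately, the disabled line carries a `%` directive inside a comment, which rpmlint reports as macro-in-comment; `#%%attr(4755, root, root) ...` avoids that.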

++++++ 484cc321-fix-spice-migration.patch ++++++
commit 484cc3217b73b865f00bf42a9c12187b37200699
Author: Martin Kletzander <mklet...@redhat.com>
Date:   Fri Sep 20 16:40:20 2013 +0200

    qemu: Fix seamless SPICE migration
    
    Since the wait is done during migration (still inside
    QEMU_ASYNC_JOB_MIGRATION_OUT), the code should enter the monitor as such
    in order to prohibit all other jobs from interfering in the meantime.
    This patch fixes bug #1009886 in which qemuDomainGetBlockInfo was
    waiting on the monitor condition and after GetSpiceMigrationStatus
    mangled its internal data, the daemon crashed.
    
    Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1009886

Index: libvirt-1.1.2/src/qemu/qemu_migration.c
===================================================================
--- libvirt-1.1.2.orig/src/qemu/qemu_migration.c
+++ libvirt-1.1.2/src/qemu/qemu_migration.c
@@ -1598,7 +1598,10 @@ qemuMigrationWaitForSpice(virQEMUDriverP
         /* Poll every 50ms for progress & to allow cancellation */
         struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000ull };
 
-        qemuDomainObjEnterMonitor(driver, vm);
+        if (qemuDomainObjEnterMonitorAsync(driver, vm,
+                                           QEMU_ASYNC_JOB_MIGRATION_OUT) < 0)
+            return -1;
+
         if (qemuMonitorGetSpiceMigrationStatus(priv->mon,
                                                &spice_migrated) < 0) {
             qemuDomainObjExitMonitor(driver, vm);
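Review bot: The reason for entering the monitor with `QEMU_ASYNC_JOB_MIGRATION_OUT` is recorded only in the commit message, so a later cleanup could revert it to the plain call. A comment above the new call would keep it, for example `/* Still inside QEMU_ASYNC_JOB_MIGRATION_OUT: enter the monitor as that job so no other job can use it while we poll */`. The added `return -1` is taken before the monitor is entered, so no exit call is needed on that path as far as the hunk shows. qemuMigrationWaitForSpice starts and ends outside the hunk, so whether the caller copes with this early return cannot be checked from here.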
++++++ 8294aa0c-CVE-2013-4399.patch ++++++
commit 8294aa0c1750dcb49d6345cd9bd97bf421580d8b
Author: Daniel P. Berrange <berra...@redhat.com>
Date:   Fri Sep 27 15:46:07 2013 +0100

    Fix crash in libvirtd when events are registered & ACLs active
    
    When a client disconnects from libvirtd, all event callbacks
    must be removed. This involves running the public API
    
      virConnectDomainEventDeregisterAny
    
    This code does not run in normal API dispatch context, so no
    identity was set. The result was that the access control drivers
    denied the attempt to deregister callbacks. The callbacks thus
    continued to trigger after the client was free'd causing fairly
    predictable use of free memory & a crash.
    
    This can be triggered by any client with readonly access when
    the ACL drivers are active.
    
    Signed-off-by: Daniel P. Berrange <berra...@redhat.com>

Index: libvirt-1.1.2/daemon/remote.c
===================================================================
--- libvirt-1.1.2.orig/daemon/remote.c
+++ libvirt-1.1.2/daemon/remote.c
@@ -666,8 +666,11 @@ void remoteClientFreeFunc(void *data)
 
     /* Deregister event delivery callback */
     if (priv->conn) {
+        virIdentityPtr sysident = virIdentityGetSystem();
         size_t i;
 
+        virIdentitySetCurrent(sysident);
+
         for (i = 0; i < VIR_DOMAIN_EVENT_ID_LAST; i++) {
             if (priv->domainEventCallbackID[i] != -1) {
                 VIR_DEBUG("Deregistering to relay remote events %zu", i);
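Review bot: Neither `virIdentityGetSystem()` nor `virIdentitySetCurrent(sysident)` is checked in remoteClientFreeFunc. If either fails, the deregistration loop runs without an identity again, which is the condition the commit message describes: the ACL check denies the deregister and the callbacks outlive the freed client. The function returns void, so the failure cannot be propagated, but it should be logged, e.g. `if (!sysident || virIdentitySetCurrent(sysident) < 0) VIR_WARN("Unable to set system identity for event deregistration");`. The deregister call sits between the two hunks and is not visible here; its return value deserves the same check. The reset and unref in the second hunk (`virIdentitySetCurrent(NULL); virObjectUnref(sysident);`) are fine only if virObjectUnref tolerates a NULL argument.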
@@ -678,6 +681,9 @@ void remoteClientFreeFunc(void *data)
         }
 
         virConnectClose(priv->conn);
+
+        virIdentitySetCurrent(NULL);
+        virObjectUnref(sysident);
     }
 
     VIR_FREE(priv);
++++++ install-apparmor-profiles.patch ++++++
--- /var/tmp/diff_new_pack.9PUfai/_old  2013-10-15 10:42:31.000000000 +0200
+++ /var/tmp/diff_new_pack.9PUfai/_new  2013-10-15 10:42:31.000000000 +0200
@@ -57,7 +57,7 @@
 ===================================================================
 --- /dev/null
 +++ libvirt-1.1.2/examples/apparmor/usr.lib.libvirt.virt-aa-helper.in
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,41 @@
 +# Last Modified: Fri Aug 19 11:21:48 2011
 +#include <tunables/global>
 +
@@ -71,6 +71,7 @@
 +  # needed for when disk is on a network filesystem
 +  network inet,
 +
++  @{PROC}/[0-9]** r,
 +  deny @{PROC}/[0-9]*/mounts r,
 +  @{PROC}/filesystems r,
 +
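Review bot: The added rule `@{PROC}/[0-9]** r,` is wider than the changelog's "/proc/$PID/*". `**` matches recursively, so virt-aa-helper gains read access to every entry under every process's /proc directory, including `environ`, `cmdline`, `maps` and the `fd/` subtree, not only its own. The existing `deny @{PROC}/[0-9]*/mounts r,` still takes precedence, but nothing else is excluded. The rule should be narrowed to the specific files the denials in bnc#841720 named, written as `@{PROC}/[0-9]*/<file> r,` lines. A comment above the rule saying why the access is needed would also help.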
@@ -202,7 +203,7 @@
 ===================================================================
 --- /dev/null
 +++ libvirt-1.1.2/examples/apparmor/usr.sbin.libvirtd.in
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,59 @@
 +# Last Modified: Fri Aug 19 11:20:36 2011
 +#include <tunables/global>
 +@{LIBVIRT}="libvirt"
@@ -244,6 +245,7 @@
 +  /usr/bin/* Ux,
 +  /usr/sbin/* Ux,
 +  /usr/lib/xen/bin/qemu-dm Ux,
++  /usr/lib/xen/bin/qemu-system-i386 Ux,
 +  /usr/lib/PolicyKit/polkit-read-auth-helper Px,
 +
 +  # force the use of virt-aa-helper
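Review bot: `/usr/lib/xen/bin/qemu-system-i386 Ux,` lets libvirtd start the new default Xen emulator with no profile attached. That matches the existing `qemu-dm` line, but the emulator parses guest-controlled device input, so it is the process where confinement matters most. If the Xen path does not go through the per-guest profiles that the "force the use of virt-aa-helper" section sets up for qemu (not visible in this hunk), a follow-up should give it a profile transition (`Px` or `Cx`) instead of `Ux`. At minimum, a comment on the rule should record that the emulator is intentionally left unconfined.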
