summary refs log tree commit diff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-10-20 13:02:54 -0400
committerLeo Famulari <leo@famulari.name>2017-10-20 15:36:43 -0400
commit7827032a7cf7f68922de99b044969f1f823869fd (patch)
treee8fcbcdb2177bde297bc15ae2c11ec2d94f0d73e
parent48f8b0708234ac5516860639c8650488454a8fab (diff)
downloadguix-7827032a7cf7f68922de99b044969f1f823869fd.tar.gz
gnu: libvirt: Fix CVE-2017-1000256.
* gnu/packages/patches/libvirt-CVE-2017-1000256.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/virtualization.scm (libvirt)[source]: Use it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/libvirt-CVE-2017-1000256.patch84
-rw-r--r--gnu/packages/virtualization.scm1
3 files changed, 86 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index fd4f1bed97..a4e3426f55 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -815,6 +815,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libunistring-gnulib-multi-core.patch	\
   %D%/packages/patches/libusb-0.1-disable-tests.patch		\
   %D%/packages/patches/libusb-for-axoloti.patch			\
+  %D%/packages/patches/libvirt-CVE-2017-1000256.patch		\
   %D%/packages/patches/libvisio-fix-tests.patch			\
   %D%/packages/patches/libvpx-CVE-2016-2818.patch		\
   %D%/packages/patches/libxcb-python-3.5-compat.patch		\
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
new file mode 100644
index 0000000000..d577e1eb50
--- /dev/null
+++ b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch
@@ -0,0 +1,84 @@
+Fix CVE-2017-1000256:
+
+https://security.libvirt.org/2017/0002.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256
+
+Patch copied from upstream source repository:
+
+https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7
+
+From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Thu, 5 Oct 2017 17:54:28 +0100
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
+
+The default_tls_x509_verify (and related) parameters in qemu.conf
+control whether the QEMU TLS servers request & verify certificates
+from clients. This works as a simple access control system for
+servers by requiring the CA to issue certs to permitted clients.
+This use of client certificates is disabled by default, since it
+requires extra work to issue client certificates.
+
+Unfortunately the code was using this configuration parameter when
+setting up both TLS clients and servers in QEMU. The result was that
+TLS clients for character devices and disk devices had verification
+turned off, meaning they would ignore errors while validating the
+server certificate.
+
+This allows for trivial MITM attacks between client and server,
+as any certificate returned by the attacker will be accepted by
+the client.
+
+This is assigned CVE-2017-1000256  / LSN-2017-0002
+
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157)
+---
+ src/qemu/qemu_command.c                            |    2 +-
+ .../qemuxml2argv-serial-tcp-tlsx509-chardev.args   |    2 +-
+ ...xml2argv-serial-tcp-tlsx509-secret-chardev.args |    2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
+index 9a27987..ae78cd1 100644
+--- a/src/qemu/qemu_command.c
++++ b/src/qemu/qemu_command.c
+@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
+     if (virJSONValueObjectCreate(propsret,
+                                  "s:dir", path,
+                                  "s:endpoint", (isListen ? "server": "client"),
+-                                 "b:verify-peer", verifypeer,
++                                 "b:verify-peer", (isListen ? verifypeer : true),
+                                  NULL) < 0)
+         goto cleanup;
+ 
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+index 5aff773..ab5f7e2 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
+@@ -26,7 +26,7 @@ server,nowait \
+ localport=1111 \
+ -device isa-serial,chardev=charserial0,id=serial0 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no \
++endpoint=client,verify-peer=yes \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+index 91f1fe0..2567abb 100644
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
+@@ -31,7 +31,7 @@ localport=1111 \
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
+ tls-creds=objcharserial1_tls0 \
+ -device isa-serial,chardev=charserial1,id=serial1 \
+-- 
+1.7.1
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index c4461c3da2..8fce545dbe 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -322,6 +322,7 @@ manage system or application containers.")
               (method url-fetch)
               (uri (string-append "https://libvirt.org/sources/libvirt-"
                                   version ".tar.xz"))
+              (patches (search-patches "libvirt-CVE-2017-1000256.patch"))
               (sha256
                (base32
                 "1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf"))))