1 |
commit: 834dafc5a7928ecf8c1e643dd2879837d32d233c |
2 |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
3 |
AuthorDate: Wed Oct 25 19:46:02 2017 +0000 |
4 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Oct 25 19:46:02 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834dafc5 |
7 |
|
8 |
app-emulation/libvirt: fix CVE-2017-1000256, bug #635174 |
9 |
|
10 |
Package-Manager: Portage-2.3.8, Repoman-2.3.3 |
11 |
|
12 |
.../files/libvirt-3.8.0-CVE-2017-1000256.patch | 74 ++++++++++++++++++++++ |
13 |
...ibvirt-3.8.0.ebuild => libvirt-3.8.0-r1.ebuild} | 1 + |
14 |
2 files changed, 75 insertions(+) |
15 |
|
16 |
diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch |
17 |
new file mode 100644 |
18 |
index 00000000000..8c347cd799a |
19 |
--- /dev/null |
20 |
+++ b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch |
21 |
@@ -0,0 +1,74 @@ |
22 |
+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001 |
23 |
+From: "Daniel P. Berrange" <berrange@××××××.com> |
24 |
+Date: Thu, 5 Oct 2017 17:54:28 +0100 |
25 |
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate |
26 |
+ |
27 |
+The default_tls_x509_verify (and related) parameters in qemu.conf |
28 |
+control whether the QEMU TLS servers request & verify certificates |
29 |
+from clients. This works as a simple access control system for |
30 |
+servers by requiring the CA to issue certs to permitted clients. |
31 |
+This use of client certificates is disabled by default, since it |
32 |
+requires extra work to issue client certificates. |
33 |
+ |
34 |
+Unfortunately the code was using this configuration parameter when |
35 |
+setting up both TLS clients and servers in QEMU. The result was that |
36 |
+TLS clients for character devices and disk devices had verification |
37 |
+turned off, meaning they would ignore errors while validating the |
38 |
+server certificate. |
39 |
+ |
40 |
+This allows for trivial MITM attacks between client and server, |
41 |
+as any certificate returned by the attacker will be accepted by |
42 |
+the client. |
43 |
+ |
44 |
+This is assigned CVE-2017-1000256 / LSN-2017-0002 |
45 |
+ |
46 |
+Reviewed-by: Eric Blake <eblake@××××××.com> |
47 |
+Signed-off-by: Daniel P. Berrange <berrange@××××××.com> |
48 |
+--- |
49 |
+ src/qemu/qemu_command.c | 2 +- |
50 |
+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- |
51 |
+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- |
52 |
+ 3 files changed, 3 insertions(+), 3 deletions(-) |
53 |
+ |
54 |
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c |
55 |
+index 46f0bdd18..f68b82d08 100644 |
56 |
+--- a/src/qemu/qemu_command.c |
57 |
++++ b/src/qemu/qemu_command.c |
58 |
+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, |
59 |
+ if (virJSONValueObjectCreate(propsret, |
60 |
+ "s:dir", path, |
61 |
+ "s:endpoint", (isListen ? "server": "client"), |
62 |
+- "b:verify-peer", verifypeer, |
63 |
++ "b:verify-peer", (isListen ? verifypeer : true), |
64 |
+ NULL) < 0) |
65 |
+ goto cleanup; |
66 |
+ |
67 |
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
68 |
+index 5aff7734e..ab5f7e27f 100644 |
69 |
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
70 |
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
71 |
+@@ -26,7 +26,7 @@ server,nowait \ |
72 |
+ localport=1111 \ |
73 |
+ -device isa-serial,chardev=charserial0,id=serial0 \ |
74 |
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
75 |
+-endpoint=client,verify-peer=no \ |
76 |
++endpoint=client,verify-peer=yes \ |
77 |
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
78 |
+ tls-creds=objcharserial1_tls0 \ |
79 |
+ -device isa-serial,chardev=charserial1,id=serial1 \ |
80 |
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
81 |
+index 91f1fe0cd..2567abbfa 100644 |
82 |
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
83 |
++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
84 |
+@@ -31,7 +31,7 @@ localport=1111 \ |
85 |
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ |
86 |
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ |
87 |
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
88 |
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ |
89 |
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ |
90 |
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
91 |
+ tls-creds=objcharserial1_tls0 \ |
92 |
+ -device isa-serial,chardev=charserial1,id=serial1 \ |
93 |
+-- |
94 |
+2.13.6 |
95 |
+ |
96 |
|
97 |
diff --git a/app-emulation/libvirt/libvirt-3.8.0.ebuild b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild |
98 |
similarity index 99% |
99 |
rename from app-emulation/libvirt/libvirt-3.8.0.ebuild |
100 |
rename to app-emulation/libvirt/libvirt-3.8.0-r1.ebuild |
101 |
index 68e7ff8f0ab..7ac23060bb1 100644 |
102 |
--- a/app-emulation/libvirt/libvirt-3.8.0.ebuild |
103 |
+++ b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild |
104 |
@@ -125,6 +125,7 @@ PATCHES=( |
105 |
"${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch |
106 |
"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch |
107 |
"${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488 |
108 |
+ "${FILESDIR}"/${PN}-3.8.0-CVE-2017-1000256.patch # bug #635174 |
109 |
) |
110 |
|
111 |
pkg_setup() { |