[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/files/, app-emulation/libvirt/ - gentoo-commits

From:	Matthias Maier <tamiko@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/files/, app-emulation/libvirt/
Date:	Wed, 25 Oct 2017 19:48:38
Message-Id:	`1508960762.834dafc5a7928ecf8c1e643dd2879837d32d233c.tamiko@gentoo`

1

commit:     834dafc5a7928ecf8c1e643dd2879837d32d233c

2

Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>

3

AuthorDate: Wed Oct 25 19:46:02 2017 +0000

4

Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>

5

CommitDate: Wed Oct 25 19:46:02 2017 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834dafc5

7

8

app-emulation/libvirt: fix CVE-2017-1000256, bug #635174

9

10

Package-Manager: Portage-2.3.8, Repoman-2.3.3

11

12

 .../files/libvirt-3.8.0-CVE-2017-1000256.patch     | 74 ++++++++++++++++++++++

13

 ...ibvirt-3.8.0.ebuild => libvirt-3.8.0-r1.ebuild} |  1 +

14

 2 files changed, 75 insertions(+)

15

16

diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch

17

new file mode 100644

18

index 00000000000..8c347cd799a

19

--- /dev/null

20

+++ b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch

21

@@ -0,0 +1,74 @@

22

+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001

23

+From: "Daniel P. Berrange" <berrange@××××××.com>

24

+Date: Thu, 5 Oct 2017 17:54:28 +0100

25

+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate

26

+

27

+The default_tls_x509_verify (and related) parameters in qemu.conf

28

+control whether the QEMU TLS servers request & verify certificates

29

+from clients. This works as a simple access control system for

30

+servers by requiring the CA to issue certs to permitted clients.

31

+This use of client certificates is disabled by default, since it

32

+requires extra work to issue client certificates.

33

+

34

+Unfortunately the code was using this configuration parameter when

35

+setting up both TLS clients and servers in QEMU. The result was that

36

+TLS clients for character devices and disk devices had verification

37

+turned off, meaning they would ignore errors while validating the

38

+server certificate.

39

+

40

+This allows for trivial MITM attacks between client and server,

41

+as any certificate returned by the attacker will be accepted by

42

+the client.

43

+

44

+This is assigned CVE-2017-1000256  / LSN-2017-0002

45

+

46

+Reviewed-by: Eric Blake <eblake@××××××.com>

47

+Signed-off-by: Daniel P. Berrange <berrange@××××××.com>

48

+---

49

+ src/qemu/qemu_command.c                                                 | 2 +-

50

+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args     | 2 +-

51

+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args                 | 2 +-

52

+ 3 files changed, 3 insertions(+), 3 deletions(-)

53

+

54

+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c

55

+index 46f0bdd18..f68b82d08 100644

56

+--- a/src/qemu/qemu_command.c

57

++++ b/src/qemu/qemu_command.c

58

+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,

59

+     if (virJSONValueObjectCreate(propsret,

60

+                                  "s:dir", path,

61

+                                  "s:endpoint", (isListen ? "server": "client"),

62

+-                                 "b:verify-peer", verifypeer,

63

++                                 "b:verify-peer", (isListen ? verifypeer : true),

64

+                                  NULL) < 0)

65

+         goto cleanup;

66

+

67

+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args

68

+index 5aff7734e..ab5f7e27f 100644

69

+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args

70

++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args

71

+@@ -26,7 +26,7 @@ server,nowait \

72

+ localport=1111 \

73

+ -device isa-serial,chardev=charserial0,id=serial0 \

74

+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\

75

+-endpoint=client,verify-peer=no \

76

++endpoint=client,verify-peer=yes \

77

+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\

78

+ tls-creds=objcharserial1_tls0 \

79

+ -device isa-serial,chardev=charserial1,id=serial1 \

80

+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args

81

+index 91f1fe0cd..2567abbfa 100644

82

+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args

83

++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args

84

+@@ -31,7 +31,7 @@ localport=1111 \

85

+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\

86

+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \

87

+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\

88

+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \

89

++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \

90

+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\

91

+ tls-creds=objcharserial1_tls0 \

92

+ -device isa-serial,chardev=charserial1,id=serial1 \

93

+--

94

+2.13.6

95

+

96

97

diff --git a/app-emulation/libvirt/libvirt-3.8.0.ebuild b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild

98

similarity index 99%

99

rename from app-emulation/libvirt/libvirt-3.8.0.ebuild

100

rename to app-emulation/libvirt/libvirt-3.8.0-r1.ebuild

101

index 68e7ff8f0ab..7ac23060bb1 100644

102

--- a/app-emulation/libvirt/libvirt-3.8.0.ebuild

103

+++ b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild

104

@@ -125,6 +125,7 @@ PATCHES=(

105

 	"${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch

106

 	"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch

107

 	"${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch          # bug #609488

108

+	"${FILESDIR}"/${PN}-3.8.0-CVE-2017-1000256.patch           # bug #635174

109

)

110

111

 pkg_setup() {

1	commit: 834dafc5a7928ecf8c1e643dd2879837d32d233c
2	Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3	AuthorDate: Wed Oct 25 19:46:02 2017 +0000
4	Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5	CommitDate: Wed Oct 25 19:46:02 2017 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=834dafc5
7
8	app-emulation/libvirt: fix CVE-2017-1000256, bug #635174
9
10	Package-Manager: Portage-2.3.8, Repoman-2.3.3
11
12	.../files/libvirt-3.8.0-CVE-2017-1000256.patch \| 74 ++++++++++++++++++++++
13	...ibvirt-3.8.0.ebuild => libvirt-3.8.0-r1.ebuild} \| 1 +
14	2 files changed, 75 insertions(+)
15
16	diff --git a/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch
17	new file mode 100644
18	index 00000000000..8c347cd799a
19	--- /dev/null
20	+++ b/app-emulation/libvirt/files/libvirt-3.8.0-CVE-2017-1000256.patch
21	@@ -0,0 +1,74 @@
22	+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001
23	+From: "Daniel P. Berrange" <berrange@××××××.com>
24	+Date: Thu, 5 Oct 2017 17:54:28 +0100
25	+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate
26	+
27	+The default_tls_x509_verify (and related) parameters in qemu.conf
28	+control whether the QEMU TLS servers request & verify certificates
29	+from clients. This works as a simple access control system for
30	+servers by requiring the CA to issue certs to permitted clients.
31	+This use of client certificates is disabled by default, since it
32	+requires extra work to issue client certificates.
33	+
34	+Unfortunately the code was using this configuration parameter when
35	+setting up both TLS clients and servers in QEMU. The result was that
36	+TLS clients for character devices and disk devices had verification
37	+turned off, meaning they would ignore errors while validating the
38	+server certificate.
39	+
40	+This allows for trivial MITM attacks between client and server,
41	+as any certificate returned by the attacker will be accepted by
42	+the client.
43	+
44	+This is assigned CVE-2017-1000256 / LSN-2017-0002
45	+
46	+Reviewed-by: Eric Blake <eblake@××××××.com>
47	+Signed-off-by: Daniel P. Berrange <berrange@××××××.com>
48	+---
49	+ src/qemu/qemu_command.c \| 2 +-
50	+ tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args \| 2 +-
51	+ .../qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args \| 2 +-
52	+ 3 files changed, 3 insertions(+), 3 deletions(-)
53	+
54	+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
55	+index 46f0bdd18..f68b82d08 100644
56	+--- a/src/qemu/qemu_command.c
57	++++ b/src/qemu/qemu_command.c
58	+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,
59	+ if (virJSONValueObjectCreate(propsret,
60	+ "s:dir", path,
61	+ "s:endpoint", (isListen ? "server": "client"),
62	+- "b:verify-peer", verifypeer,
63	++ "b:verify-peer", (isListen ? verifypeer : true),
64	+ NULL) < 0)
65	+ goto cleanup;
66	+
67	+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
68	+index 5aff7734e..ab5f7e27f 100644
69	+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
70	++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args
71	+@@ -26,7 +26,7 @@ server,nowait \
72	+ localport=1111 \
73	+ -device isa-serial,chardev=charserial0,id=serial0 \
74	+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
75	+-endpoint=client,verify-peer=no \
76	++endpoint=client,verify-peer=yes \
77	+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
78	+ tls-creds=objcharserial1_tls0 \
79	+ -device isa-serial,chardev=charserial1,id=serial1 \
80	+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
81	+index 91f1fe0cd..2567abbfa 100644
82	+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
83	++++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args
84	+@@ -31,7 +31,7 @@ localport=1111 \
85	+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
86	+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
87	+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\
88	+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \
89	++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \
90	+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\
91	+ tls-creds=objcharserial1_tls0 \
92	+ -device isa-serial,chardev=charserial1,id=serial1 \
93	+--
94	+2.13.6
95	+
96
97	diff --git a/app-emulation/libvirt/libvirt-3.8.0.ebuild b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
98	similarity index 99%
99	rename from app-emulation/libvirt/libvirt-3.8.0.ebuild
100	rename to app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
101	index 68e7ff8f0ab..7ac23060bb1 100644
102	--- a/app-emulation/libvirt/libvirt-3.8.0.ebuild
103	+++ b/app-emulation/libvirt/libvirt-3.8.0-r1.ebuild
104	@@ -125,6 +125,7 @@ PATCHES=(
105	"${FILESDIR}"/${PN}-3.0.0-fix_paths_for_apparmor.patch
106	"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
107	"${FILESDIR}"/${PN}-3.1.0-musl-fix-includes.patch # bug #609488
108	+ "${FILESDIR}"/${PN}-3.8.0-CVE-2017-1000256.patch # bug #635174
109	)
110
111	pkg_setup() {

Gentoo Archives: gentoo-commits