[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/, app-emulation/libvirt/files/ - gentoo-commits

From:	Matthias Maier <tamiko@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: app-emulation/libvirt/, app-emulation/libvirt/files/
Date:	Thu, 30 Jun 2016 18:02:44
Message-Id:	`1467309750.376e22508ab65ce5ebe3e1f1b977d013a860f84e.tamiko@gentoo`

1

commit:     376e22508ab65ce5ebe3e1f1b977d013a860f84e

2

Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>

3

AuthorDate: Thu Jun 30 17:59:59 2016 +0000

4

Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>

5

CommitDate: Thu Jun 30 18:02:30 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=376e2250

7

8

app-emulation/libvirt: Apply upstream patch for CVE-2016-5008, bug #587570

9

10

Package-Manager: portage-2.2.28

11

12

 .../files/libvirt-1.3.5-CVE-2016-5008.patch        | 72 ++++++++++++++++++++++

13

 ...ibvirt-1.3.5.ebuild => libvirt-1.3.5-r1.ebuild} |  3 +-

14

 2 files changed, 74 insertions(+), 1 deletion(-)

15

16

diff --git a/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch b/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch

17

new file mode 100644

18

index 0000000..a47b408

19

--- /dev/null

20

+++ b/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch

21

@@ -0,0 +1,72 @@

22

+From bb848feec0f3f10e92dd8e5231ae7aa89b5598f3 Mon Sep 17 00:00:00 2001

23

+From: Jiri Denemark <jdenemar@××××××.com>

24

+Date: Tue, 28 Jun 2016 14:39:58 +0200

25

+Subject: [PATCH] qemu: Let empty default VNC password work as documented

26

+

27

+CVE-2016-5008

28

+

29

+Setting an empty graphics password is documented as a way to disable

30

+VNC/SPICE access, but QEMU does not always behaves like that. VNC would

31

+happily accept the empty password. Let's enforce the behavior by setting

32

+password expiration to "now".

33

+

34

+https://bugzilla.redhat.com/show_bug.cgi?id=1180092

35

+

36

+Signed-off-by: Jiri Denemark <jdenemar@××××××.com>

37

+---

38

+ src/qemu/qemu_hotplug.c | 14 +++++++-------

39

+ 1 file changed, 7 insertions(+), 7 deletions(-)

40

+

41

+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c

42

+index e0b8230..bf6430d 100644

43

+--- a/src/qemu/qemu_hotplug.c

44

++++ b/src/qemu/qemu_hotplug.c

45

+@@ -3933,6 +3933,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,

46

+     time_t now = time(NULL);

47

+     char expire_time [64];

48

+     const char *connected = NULL;

49

++    const char *password;

50

+     int ret = -1;

51

+     virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);

52

+

53

+@@ -3940,16 +3941,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,

54

+         ret = 0;

55

+         goto cleanup;

56

+     }

57

++    password = auth->passwd ? auth->passwd : defaultPasswd;

58

+

59

+     if (auth->connected)

60

+         connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);

61

+

62

+     if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)

63

+         goto cleanup;

64

+-    ret = qemuMonitorSetPassword(priv->mon,

65

+-                                 type,

66

+-                                 auth->passwd ? auth->passwd : defaultPasswd,

67

+-                                 connected);

68

++    ret = qemuMonitorSetPassword(priv->mon, type, password, connected);

69

+

70

+     if (ret == -2) {

71

+         if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {

72

+@@ -3957,14 +3956,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,

73

+                            _("Graphics password only supported for VNC"));

74

+             ret = -1;

75

+         } else {

76

+-            ret = qemuMonitorSetVNCPassword(priv->mon,

77

+-                                            auth->passwd ? auth->passwd : defaultPasswd);

78

++            ret = qemuMonitorSetVNCPassword(priv->mon, password);

79

+         }

80

+     }

81

+     if (ret != 0)

82

+         goto end_job;

83

+

84

+-    if (auth->expires) {

85

++    if (password[0] == '\0') {

86

++        snprintf(expire_time, sizeof(expire_time), "now");

87

++    } else if (auth->expires) {

88

+         time_t lifetime = auth->validTo - now;

89

+         if (lifetime <= 0)

90

+             snprintf(expire_time, sizeof(expire_time), "now");

91

+--

92

+2.7.3

93

+

94

95

diff --git a/app-emulation/libvirt/libvirt-1.3.5.ebuild b/app-emulation/libvirt/libvirt-1.3.5-r1.ebuild

96

similarity index 99%

97

rename from app-emulation/libvirt/libvirt-1.3.5.ebuild

98

rename to app-emulation/libvirt/libvirt-1.3.5-r1.ebuild

99

index dc601a4..dcff0fd 100644

100

--- a/app-emulation/libvirt/libvirt-1.3.5.ebuild

101

+++ b/app-emulation/libvirt/libvirt-1.3.5-r1.ebuild

102

@@ -222,7 +222,8 @@ src_prepare() {

103

 		"${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch \

104

 		"${FILESDIR}"/${PN}-1.3.1-fix_paths_for_apparmor.patch \

105

 		"${FILESDIR}"/${PN}-1.2.21-avoid_deprecated_pc_file.patch \

106

-		"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch

107

+		"${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch \

108

+		"${FILESDIR}"/${P}-CVE-2016-5008.patch

109

110

 	[[ -n ${BACKPORTS} ]] &&

111

 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" \

1	commit: 376e22508ab65ce5ebe3e1f1b977d013a860f84e
2	Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3	AuthorDate: Thu Jun 30 17:59:59 2016 +0000
4	Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5	CommitDate: Thu Jun 30 18:02:30 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=376e2250
7
8	app-emulation/libvirt: Apply upstream patch for CVE-2016-5008, bug #587570
9
10	Package-Manager: portage-2.2.28
11
12	.../files/libvirt-1.3.5-CVE-2016-5008.patch \| 72 ++++++++++++++++++++++
13	...ibvirt-1.3.5.ebuild => libvirt-1.3.5-r1.ebuild} \| 3 +-
14	2 files changed, 74 insertions(+), 1 deletion(-)
15
16	diff --git a/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch b/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch
17	new file mode 100644
18	index 0000000..a47b408
19	--- /dev/null
20	+++ b/app-emulation/libvirt/files/libvirt-1.3.5-CVE-2016-5008.patch
21	@@ -0,0 +1,72 @@
22	+From bb848feec0f3f10e92dd8e5231ae7aa89b5598f3 Mon Sep 17 00:00:00 2001
23	+From: Jiri Denemark <jdenemar@××××××.com>
24	+Date: Tue, 28 Jun 2016 14:39:58 +0200
25	+Subject: [PATCH] qemu: Let empty default VNC password work as documented
26	+
27	+CVE-2016-5008
28	+
29	+Setting an empty graphics password is documented as a way to disable
30	+VNC/SPICE access, but QEMU does not always behaves like that. VNC would
31	+happily accept the empty password. Let's enforce the behavior by setting
32	+password expiration to "now".
33	+
34	+https://bugzilla.redhat.com/show_bug.cgi?id=1180092
35	+
36	+Signed-off-by: Jiri Denemark <jdenemar@××××××.com>
37	+---
38	+ src/qemu/qemu_hotplug.c \| 14 +++++++-------
39	+ 1 file changed, 7 insertions(+), 7 deletions(-)
40	+
41	+diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
42	+index e0b8230..bf6430d 100644
43	+--- a/src/qemu/qemu_hotplug.c
44	++++ b/src/qemu/qemu_hotplug.c
45	+@@ -3933,6 +3933,7 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
46	+ time_t now = time(NULL);
47	+ char expire_time [64];
48	+ const char *connected = NULL;
49	++ const char *password;
50	+ int ret = -1;
51	+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
52	+
53	+@@ -3940,16 +3941,14 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
54	+ ret = 0;
55	+ goto cleanup;
56	+ }
57	++ password = auth->passwd ? auth->passwd : defaultPasswd;
58	+
59	+ if (auth->connected)
60	+ connected = virDomainGraphicsAuthConnectedTypeToString(auth->connected);
61	+
62	+ if (qemuDomainObjEnterMonitorAsync(driver, vm, asyncJob) < 0)
63	+ goto cleanup;
64	+- ret = qemuMonitorSetPassword(priv->mon,
65	+- type,
66	+- auth->passwd ? auth->passwd : defaultPasswd,
67	+- connected);
68	++ ret = qemuMonitorSetPassword(priv->mon, type, password, connected);
69	+
70	+ if (ret == -2) {
71	+ if (type != VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
72	+@@ -3957,14 +3956,15 @@ qemuDomainChangeGraphicsPasswords(virQEMUDriverPtr driver,
73	+ _("Graphics password only supported for VNC"));
74	+ ret = -1;
75	+ } else {
76	+- ret = qemuMonitorSetVNCPassword(priv->mon,
77	+- auth->passwd ? auth->passwd : defaultPasswd);
78	++ ret = qemuMonitorSetVNCPassword(priv->mon, password);
79	+ }
80	+ }
81	+ if (ret != 0)
82	+ goto end_job;
83	+
84	+- if (auth->expires) {
85	++ if (password[0] == '\0') {
86	++ snprintf(expire_time, sizeof(expire_time), "now");
87	++ } else if (auth->expires) {
88	+ time_t lifetime = auth->validTo - now;
89	+ if (lifetime <= 0)
90	+ snprintf(expire_time, sizeof(expire_time), "now");
91	+--
92	+2.7.3
93	+
94
95	diff --git a/app-emulation/libvirt/libvirt-1.3.5.ebuild b/app-emulation/libvirt/libvirt-1.3.5-r1.ebuild
96	similarity index 99%
97	rename from app-emulation/libvirt/libvirt-1.3.5.ebuild
98	rename to app-emulation/libvirt/libvirt-1.3.5-r1.ebuild
99	index dc601a4..dcff0fd 100644
100	--- a/app-emulation/libvirt/libvirt-1.3.5.ebuild
101	+++ b/app-emulation/libvirt/libvirt-1.3.5-r1.ebuild
102	@@ -222,7 +222,8 @@ src_prepare() {
103	"${FILESDIR}"/${PN}-1.2.16-fix_paths_in_libvirt-guests_sh.patch \
104	"${FILESDIR}"/${PN}-1.3.1-fix_paths_for_apparmor.patch \
105	"${FILESDIR}"/${PN}-1.2.21-avoid_deprecated_pc_file.patch \
106	- "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch
107	+ "${FILESDIR}"/${PN}-1.3.4-glibc-2.23.patch \
108	+ "${FILESDIR}"/${P}-CVE-2016-5008.patch
109
110	[[ -n ${BACKPORTS} ]] &&
111	EPATCH_FORCE=yes EPATCH_SUFFIX="patch" \

Gentoo Archives: gentoo-commits