Diffstat (limited to 'external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch')
-rw-r--r-- | external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
new file mode 100644
index 00000000..ddd0740e
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10132_p3.patch
@@ -0,0 +1,56 @@
+From 030fdf57255f97289a407529194bf26c77548acb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Tue, 30 Apr 2019 17:27:41 +0100
+Subject: [PATCH 07/11] logging: restrict sockets to mode 0600
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virtlogd daemon's only intended client is the libvirtd daemon. As
+such it should never allow clients from other user accounts to connect.
+The code already enforces this and drops clients from other UIDs, but
+we can get earlier (and thus stronger) protection against DoS by setting
+the socket permissions to 0600
+
+Fixes CVE-2019-10132
+
+Reviewed-by: Ján Tomko <jtomko@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f)
+
+Upstream-Status: Backport
+CVE: CVE-2019-10132
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/logging/virtlogd-admin.socket.in | 1 +
+ src/logging/virtlogd.socket.in | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
+index 595e6c4..5c41dfe 100644
+--- a/src/logging/virtlogd-admin.socket.in
++++ b/src/logging/virtlogd-admin.socket.in
+@@ -5,6 +5,7 @@ Before=libvirtd.service
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
+ Service=virtlogd.service
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
+index 22b9360..ae48cda 100644
+--- a/src/logging/virtlogd.socket.in
++++ b/src/logging/virtlogd.socket.in
+@@ -4,6 +4,7 @@ Before=libvirtd.service
+
+ [Socket]
+ ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
++SocketMode=0600
+
+ [Install]
+ WantedBy=sockets.target
+--
+2.7.4
+
|
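Review bot: The `SocketMode=0600` lines added to `virtlogd.socket.in` and `virtlogd-admin.socket.in` only take effect where systemd creates the sockets from these units. On an image built without systemd socket activation the patch changes nothing on its own, and as far as this page shows the daemon's UID check described in the message is what remains. The subject reads `[PATCH 07/11]` and the file is named `_p3`, so this is one piece of a series; the diffstat here is limited to this one file, so confirm that the recipe lists `file://CVE-2019-10132_p3.patch` in `SRC_URI` together with the other parts, otherwise the backport is never applied. On an updated system the new mode should only be set when the socket is created again, so the socket units need a restart; `systemctl show virtlogd.socket -p SocketMode` shows the value systemd has loaded.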