From 4204309872da5cb401cbb2729d9e2d4869a87f42 Mon Sep 17 00:00:00 2001
From: takeshi_hoshina <takeshi_hoshina@mail.toyota.co.jp>
Date: Thu, 22 Oct 2020 14:58:56 +0900
Subject: agl-basesystem 0.1

---
 .../libvirt/libvirt/CVE-2019-10161.patch           | 99 ++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch

(limited to 'external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch')

diff --git a/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
new file mode 100644
index 00000000..118ece4c
--- /dev/null
+++ b/external/meta-virtualization/recipes-extended/libvirt/libvirt/CVE-2019-10161.patch
@@ -0,0 +1,99 @@
+From 3352c8af264a7b9b741208790ecca0bbc6733f42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
+Date: Fri, 14 Jun 2019 08:47:42 +0200
+Subject: [PATCH 08/11] api: disallow virDomainSaveImageGetXMLDesc on read-only
+ connections
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The virDomainSaveImageGetXMLDesc API is taking a path parameter,
+which can point to any path on the system. This file will then be
+read and parsed by libvirtd running with root privileges.
+
+Forbid it on read-only connections.
+
+Fixes: CVE-2019-10161
+Reported-by: Matthias Gerstner <mgerstner@suse.de>
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+(cherry picked from commit aed6a032cead4386472afb24b16196579e239580)
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Conflicts:
+  src/libvirt-domain.c
+  src/remote/remote_protocol.x
+
+Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
+alias for VIR_DOMAIN_XML_SECURE is not backported.
+Just skip the commit since we now disallow the whole API on read-only
+connections, regardless of the flag.
+
+Signed-off-by: Ján Tomko <jtomko@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2019-10161
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/libvirt-domain.c         | 11 ++---------
+ src/qemu/qemu_driver.c       |  2 +-
+ src/remote/remote_protocol.x |  3 +--
+ 3 files changed, 4 insertions(+), 12 deletions(-)
+
+Index: libvirt-4.7.0/src/libvirt-domain.c
+===================================================================
+--- libvirt-4.7.0.orig/src/libvirt-domain.c
++++ libvirt-4.7.0/src/libvirt-domain.c
+@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn
+  * previously by virDomainSave() or virDomainSaveFlags().
+  *
+  * No security-sensitive data will be included unless @flags contains
+- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
+- * connections.  For this API, @flags should not contain either
+- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
++ * VIR_DOMAIN_XML_SECURE.
+  *
+  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
+  * error.  The caller must free() the returned value.
+@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectP
+ 
+     virCheckConnectReturn(conn, NULL);
+     virCheckNonNullArgGoto(file, error);
+-
+-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
+-        goto error;
+-    }
++    virCheckReadOnlyGoto(conn->flags, error);
+ 
+     if (conn->driver->domainSaveImageGetXMLDesc) {
+         char *ret;
+Index: libvirt-4.7.0/src/qemu/qemu_driver.c
+===================================================================
+--- libvirt-4.7.0.orig/src/qemu/qemu_driver.c
++++ libvirt-4.7.0/src/qemu/qemu_driver.c
+@@ -6791,7 +6791,7 @@ qemuDomainSaveImageGetXMLDesc(virConnect
+     if (fd < 0)
+         goto cleanup;
+ 
+-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
++    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
+         goto cleanup;
+ 
+     ret = qemuDomainDefFormatXML(driver, def, flags);
+Index: libvirt-4.7.0/src/remote/remote_protocol.x
+===================================================================
+--- libvirt-4.7.0.orig/src/remote/remote_protocol.x
++++ libvirt-4.7.0/src/remote/remote_protocol.x
+@@ -5226,8 +5226,7 @@ enum remote_procedure {
+     /**
+      * @generate: both
+      * @priority: high
+-     * @acl: domain:read
+-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
++     * @acl: domain:write
+      */
+     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
+ 
-- 
cgit 1.2.3-korg