fix missing read-only access checks, fixes CVE-2008-5086

daniel

.cvsignore

@@ -4,3 +4,5 @@ i686
 x86_64
 libvirt-*.tar.gz
 libvirt-0.4.6.tar.gz
+libvirt-0.5.0.tar.gz
+libvirt-0.5.1.tar.gz

libvirt-0.5.1-read-only-checks.patch

@@ -0,0 +1,152 @@
+diff --git a/src/libvirt.c b/src/libvirt.c
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -2296,6 +2296,16 @@ virDomainMigrate (virDomainPtr domain,
+     conn = domain->conn;        /* Source connection. */
+     if (!VIR_IS_CONNECT (dconn)) {
+         virLibConnError (conn, VIR_ERR_INVALID_CONN, __FUNCTION__);
++        return NULL;
++    }
++
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++    if (dconn->flags & VIR_CONNECT_RO) {
++        /* NB, delibrately report error against source object, not dest here */
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+         return NULL;
+     }
+ 
+@@ -2426,6 +2436,11 @@ virDomainMigratePrepare (virConnectPtr d
+         return -1;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (dconn->driver->domainMigratePrepare)
+         return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+                                                     uri_in, uri_out,
+@@ -2457,6 +2472,11 @@ virDomainMigratePerform (virDomainPtr do
+     }
+     conn = domain->conn;
+ 
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (conn->driver->domainMigratePerform)
+         return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+                                                    uri,
+@@ -2482,6 +2502,11 @@ virDomainMigrateFinish (virConnectPtr dc
+ 
+     if (!VIR_IS_CONNECT (dconn)) {
+         virLibConnError (NULL, VIR_ERR_INVALID_CONN, __FUNCTION__);
++        return NULL;
++    }
++
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+         return NULL;
+     }
+ 
+@@ -2517,6 +2542,11 @@ virDomainMigratePrepare2 (virConnectPtr 
+         return -1;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (dconn->driver->domainMigratePrepare2)
+         return dconn->driver->domainMigratePrepare2 (dconn, cookie, cookielen,
+                                                      uri_in, uri_out,
+@@ -2547,6 +2577,11 @@ virDomainMigrateFinish2 (virConnectPtr d
+         return NULL;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (dconn->driver->domainMigrateFinish2)
+         return dconn->driver->domainMigrateFinish2 (dconn, dname,
+                                                     cookie, cookielen,
+@@ -2905,6 +2940,11 @@ virDomainBlockPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     if (!path) {
+         virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+                            _("path is NULL"));
+@@ -2980,6 +3020,11 @@ virDomainMemoryPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+      *
+      * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3246,6 +3291,11 @@ virDomainSetAutostart(virDomainPtr domai
+     }
+ 
+     conn = domain->conn;
++
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
+ 
+     if (conn->driver->domainSetAutostart)
+         return conn->driver->domainSetAutostart (domain, autostart);
+@@ -4197,6 +4247,11 @@ virNetworkSetAutostart(virNetworkPtr net
+         return (-1);
+     }
+ 
++    if (network->conn->flags & VIR_CONNECT_RO) {
++        virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = network->conn;
+ 
+     if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4395,6 +4450,11 @@ virConnectFindStoragePoolSources(virConn
+         return NULL;
+     }
+ 
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (conn->storageDriver && conn->storageDriver->findPoolSources)
+         return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+ 
+@@ -5068,6 +5128,11 @@ virStoragePoolSetAutostart(virStoragePoo
+         return (-1);
+     }
+ 
++    if (pool->conn->flags & VIR_CONNECT_RO) {
++        virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = pool->conn;
+ 
+     if (conn->storageDriver && conn->storageDriver->poolSetAutostart)

libvirt.spec

@@ -10,6 +10,7 @@
 %define with_polkit    0%{!?_without_polkit:0}
 %define with_python    0%{!?_without_python:1}
 %define with_libvirtd  0%{!?_without_libvirtd:1}
+%define with_uml       0%{!?_without_uml:1}
 
 # Xen is available only on i386 x86_64 ia64
 %ifnarch i386 i686 x86_64 ia64
@@ -20,7 +21,7 @@
 %define with_xen_proxy 0
 %endif
 
-%if "%{fedora}"
+%if 0%{?fedora}
 %ifarch ppc64
 %define with_qemu 0
 %endif
@@ -33,13 +34,13 @@
 
 Summary: Library providing a simple API virtualization
 Name: libvirt
-Version: 0.4.6
+Version: 0.5.1
-Release: 3%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
-Patch0: python_make.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+Patch0: libvirt-0.5.1-read-only-checks.patch
 URL: http://libvirt.org/
 BuildRequires: python python-devel
 Requires: libxml2
@@ -48,6 +49,8 @@ Requires: ncurses
 Requires: dnsmasq
 Requires: bridge-utils
 Requires: iptables
+# needed for device enumeration
+Requires: hal
 # So remote clients can access libvirt over SSH tunnel
 # (client invokes 'nc' against the UNIX socket on the server)
 Requires: nc
@@ -89,6 +92,7 @@ BuildRequires: readline-devel
 BuildRequires: ncurses-devel
 BuildRequires: gettext
 BuildRequires: gnutls-devel
+BuildRequires: hal-devel
 %if %{with_avahi}
 BuildRequires: avahi-devel
 %endif
@@ -160,7 +164,7 @@ of recent versions of Linux (and other OSes).
 
 %prep
 %setup -q
-%patch0 -p0
+%patch0 -p1
 
 %build
 %if ! %{with_xen}
@@ -199,6 +203,10 @@ of recent versions of Linux (and other OSes).
 %define _without_libvirtd --without-libvirtd
 %endif
 
+%if ! %{with_uml}
+%define _without_uml --without-uml
+%endif
+
 %configure %{?_without_xen} \
            %{?_without_qemu} \
            %{?_without_openvz} \
@@ -208,6 +216,7 @@ of recent versions of Linux (and other OSes).
            %{?_without_polkit} \
            %{?_without_python} \
            %{?_without_libvirtd} \
+           %{?_without_uml} \
            --with-init-script=redhat \
            --with-qemud-pid-file=%{_localstatedir}/run/libvirt_qemud.pid \
            --with-remote-file=%{_localstatedir}/run/libvirtd.pid
@@ -396,6 +405,26 @@ fi
 %endif
 
 %changelog
+* Wed Dec 17 2008 Daniel Veillard <veillard@redhat.com> - 0.5.1-2.fc11
+- fix missing read-only access checks, fixes CVE-2008-5086
+
+* Fri Dec  5 2008 Daniel Veillard <veillard@redhat.com> - 0.5.1-1.fc11
+- upstream release 0.5.1
+- mostly bugfixes e.g #473071
+- some driver improvments
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.5.0-2
+- Rebuild for Python 2.6
+
+* Wed Nov 26 2008 Daniel Veillard <veillard@redhat.com> - 0.5.0-1.fc11
+- upstream release 0.5.0
+- domain lifecycle event support
+- node device enumeration
+- KVM/QEmu migration support
+- improved LXC support
+- SDL display configuration
+- User Mode Linux driver (Daniel Berrange)
+
 * Wed Sep 24 2008 Daniel Veillard <veillard@redhat.com> - 0.4.6-3.fc10
 - apply the python makefile patch for #463733
 

python_make.patch

@@ -1,35 +0,0 @@
-Index: python/Makefile.am
-===================================================================
-RCS file: /data/cvs/libxen/python/Makefile.am,v
-retrieving revision 1.13
-diff -u -p -r1.13 Makefile.am
---- python/Makefile.am	5 Feb 2008 19:27:37 -0000	1.13
-+++ python/Makefile.am	24 Sep 2008 13:21:06 -0000
-@@ -50,7 +50,7 @@ GENERATED= libvirt-export.c \
- $(GENERATED): $(srcdir)/$(GENERATE) $(API_DESC)
- 	$(PYTHON) $(srcdir)/$(GENERATE) $(srcdir)
- 
--libvirt.py: $(srcdir)/libvir.py libvirtclass.py
-+libvirt.py: $(srcdir)/libvir.py $(GENERATED)
- 	cat $(srcdir)/libvir.py libvirtclass.py > $@-t
- 	mv $@-t $@
- 
-*** python/Makefile.in.orig	2008-09-24 15:19:20.000000000 +0200
---- python/Makefile.in	2008-09-24 15:20:07.000000000 +0200
-*************** uninstall-am: uninstall-local uninstall-
-*** 1027,1033 ****
-  @WITH_PYTHON_TRUE@$(GENERATED): $(srcdir)/$(GENERATE) $(API_DESC)
-  @WITH_PYTHON_TRUE@	$(PYTHON) $(srcdir)/$(GENERATE) $(srcdir)
-  
-! @WITH_PYTHON_TRUE@libvirt.py: $(srcdir)/libvir.py libvirtclass.py
-  @WITH_PYTHON_TRUE@	cat $(srcdir)/libvir.py libvirtclass.py > $@-t
-  @WITH_PYTHON_TRUE@	mv $@-t $@
-  
---- 1027,1033 ----
-  @WITH_PYTHON_TRUE@$(GENERATED): $(srcdir)/$(GENERATE) $(API_DESC)
-  @WITH_PYTHON_TRUE@	$(PYTHON) $(srcdir)/$(GENERATE) $(srcdir)
-  
-! @WITH_PYTHON_TRUE@libvirt.py: $(srcdir)/libvir.py $(GENERATED)
-  @WITH_PYTHON_TRUE@	cat $(srcdir)/libvir.py libvirtclass.py > $@-t
-  @WITH_PYTHON_TRUE@	mv $@-t $@
-  

sources

@@ -1 +1 @@
-abdf727deaffd868172f7243eb75ffe3  libvirt-0.4.6.tar.gz
+abc697978e9c66cbc8d8db4fa3f1c1b6  libvirt-0.5.1.tar.gz