forgot patch ... Daniel

Daniel

.cvsignore

@@ -3,4 +3,4 @@
 i686
 x86_64
 libvirt-*.tar.gz
-libvirt-0.4.2.tar.gz
+libvirt-0.4.6.tar.gz

branch

@@ -1 +1 @@
-F-9
+F-10

libvirt-0.5.1-read-only-checks.patch

@@ -0,0 +1,152 @@
+diff --git a/src/libvirt.c b/src/libvirt.c
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -2296,6 +2296,16 @@ virDomainMigrate (virDomainPtr domain,
+     conn = domain->conn;        /* Source connection. */
+     if (!VIR_IS_CONNECT (dconn)) {
+         virLibConnError (conn, VIR_ERR_INVALID_CONN, __FUNCTION__);
++        return NULL;
++    }
++
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++    if (dconn->flags & VIR_CONNECT_RO) {
++        /* NB, delibrately report error against source object, not dest here */
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+         return NULL;
+     }
+ 
+@@ -2426,6 +2436,11 @@ virDomainMigratePrepare (virConnectPtr d
+         return -1;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (dconn->driver->domainMigratePrepare)
+         return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+                                                     uri_in, uri_out,
+@@ -2457,6 +2472,11 @@ virDomainMigratePerform (virDomainPtr do
+     }
+     conn = domain->conn;
+ 
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (conn->driver->domainMigratePerform)
+         return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+                                                    uri,
+@@ -2482,6 +2502,11 @@ virDomainMigrateFinish (virConnectPtr dc
+ 
+     if (!VIR_IS_CONNECT (dconn)) {
+         virLibConnError (NULL, VIR_ERR_INVALID_CONN, __FUNCTION__);
++        return NULL;
++    }
++
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+         return NULL;
+     }
+ 
+@@ -2517,6 +2542,11 @@ virDomainMigratePrepare2 (virConnectPtr 
+         return -1;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return -1;
++    }
++
+     if (dconn->driver->domainMigratePrepare2)
+         return dconn->driver->domainMigratePrepare2 (dconn, cookie, cookielen,
+                                                      uri_in, uri_out,
+@@ -2547,6 +2577,11 @@ virDomainMigrateFinish2 (virConnectPtr d
+         return NULL;
+     }
+ 
++    if (dconn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (dconn->driver->domainMigrateFinish2)
+         return dconn->driver->domainMigrateFinish2 (dconn, dname,
+                                                     cookie, cookielen,
+@@ -2905,6 +2940,11 @@ virDomainBlockPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     if (!path) {
+         virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+                            _("path is NULL"));
+@@ -2980,6 +3020,11 @@ virDomainMemoryPeek (virDomainPtr dom,
+     }
+     conn = dom->conn;
+ 
++    if (dom->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+      *
+      * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3246,6 +3291,11 @@ virDomainSetAutostart(virDomainPtr domai
+     }
+ 
+     conn = domain->conn;
++
++    if (domain->conn->flags & VIR_CONNECT_RO) {
++        virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
+ 
+     if (conn->driver->domainSetAutostart)
+         return conn->driver->domainSetAutostart (domain, autostart);
+@@ -4197,6 +4247,11 @@ virNetworkSetAutostart(virNetworkPtr net
+         return (-1);
+     }
+ 
++    if (network->conn->flags & VIR_CONNECT_RO) {
++        virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = network->conn;
+ 
+     if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4395,6 +4450,11 @@ virConnectFindStoragePoolSources(virConn
+         return NULL;
+     }
+ 
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return NULL;
++    }
++
+     if (conn->storageDriver && conn->storageDriver->findPoolSources)
+         return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+ 
+@@ -5068,6 +5128,11 @@ virStoragePoolSetAutostart(virStoragePoo
+         return (-1);
+     }
+ 
++    if (pool->conn->flags & VIR_CONNECT_RO) {
++        virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        return (-1);
++    }
++
+     conn = pool->conn;
+ 
+     if (conn->storageDriver && conn->storageDriver->poolSetAutostart)

libvirt.spec

@@ -21,7 +21,7 @@
 %define with_xen_proxy 0
 %endif
 
-%if "%{fedora}"
+%if 0%{?fedora}
 %ifarch ppc64
 %define with_qemu 0
 %endif
@@ -35,11 +35,12 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.5.1
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+Patch0: libvirt-0.5.1-read-only-checks.patch
 URL: http://libvirt.org/
 BuildRequires: python python-devel
 Requires: libxml2
@@ -163,6 +164,7 @@ of recent versions of Linux (and other OSes).
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 %if ! %{with_xen}
@@ -403,57 +405,69 @@ fi
 %endif
 
 %changelog
-* Fri Dec  5 2008 Daniel Veillard <veillard@redhat.com> - 0.5.1-1.fc9
+* Wed Dec 17 2008 Daniel Veillard <veillard@redhat.com> - 0.5.1-2.fc10
+- fix missing read-only access checks, fixes CVE-2008-5086
+
+* Fri Dec  5 2008 Daniel Veillard <veillard@redhat.com> - 0.5.1-1.fc10
 - upstream release 0.5.1
 - mostly bugfixes e.g #473071
 - some driver improvments
 
-* Wed Nov 26 2008 Daniel Veillard <veillard@redhat.com> - 0.5.0-1.fc9
+* Wed Nov 26 2008 Daniel Veillard <veillard@redhat.com> - 0.5.0-1.fc10
 - upstream release 0.5.0
 - domain lifecycle event support
 - node device enumeration
 - KVM/QEmu migration support
 - improved LXC support
 - SDL display configuration
-- User Mode Linux driver
+- User Mode Linux driver (Daniel Berrange)
 
-* Wed Sep 24 2008 Daniel Veillard <veillard@redhat.com> - 0.4.6-2.fc9
-- a subtle bug in python submakefile broke the 0.4.6-1.fc9 build #463733
+* Wed Sep 24 2008 Daniel Veillard <veillard@redhat.com> - 0.4.6-3.fc10
+- apply the python makefile patch for #463733
 
-* Wed Sep 24 2008 Daniel Veillard <veillard@redhat.com> - 0.4.6-1.fc9
+* Wed Sep 24 2008 Daniel Veillard <veillard@redhat.com> - 0.4.6-2.fc10
 - upstream release 0.4.6
-- fixes a couple of serious bugs in the previous release
+- fixes some problems with 0.4.5
 
-* Tue Sep  9 2008 Daniel Veillard <veillard@redhat.com> - 0.4.5-2.fc9
+* Tue Sep  9 2008 Daniel Veillard <veillard@redhat.com> - 0.4.5-2.fc10
 - fix a crash if a QEmu/KVM domain is defined without an emulator path
 
-* Mon Sep  8 2008 Daniel Veillard <veillard@redhat.com> - 0.4.5-1.fc9
+* Mon Sep  8 2008 Daniel Veillard <veillard@redhat.com> - 0.4.5-1.fc10
 - upstream release 0.4.5
 - a lot of bug fixes
 - major updates to QEmu/KVM and Linux containers drivers
 - support for OpenVZ if installed
 
-* Tue Jul  8 2008 Daniel P. Berrange <berrange@redhat.com> - 0.4.4-2.fc9
+* Thu Aug  7 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.4.4-3.fc10
+- fix license tag
+
+* Tue Jul  8 2008 Daniel P. Berrange <berrange@redhat.com> - 0.4.4-2.fc10
 - Fix booting of CDROM images with KVM (rhbz #452355)
 
-* Thu Jun 25 2008 Daniel Veillard <veillard@redhat.com> - 0.4.4-1.fc9
-- upstream release of 0.4.4
-- fixes a few bug in previous release
+* Wed Jun 25 2008 Daniel Veillard <veillard@redhat.com> - 0.4.4-1.fc10
+- upstream release 0.4.4
+- fix a few bugs in previous release
 
-* Thu Jun 12 2008 Daniel Veillard <veillard@redhat.com> - 0.4.3-1.fc9
+* Thu Jun 12 2008 Daniel Veillard <veillard@redhat.com> - 0.4.3-1.fc10
 - upstream release 0.4.3
 - many bug fixes
 - many small improvements
 - serious xenner fixes
 
-* Wed Jun  4 2008 Mark McLoughlin <markmc@redhat.com> - 0.4.2-4.fc9
+* Wed Jun  4 2008 Mark McLoughlin <markmc@redhat.com> - 0.4.2-6.fc10
 - Disable lokkit support again (#449996, #447633)
-- Ensure PolicyKit is enabled (#446616)
+- Ensure %{fedora} is evaluated correctly
 
-* Fri May  9 2008 Daniel P. Berrange <berrange@redhat.com> - 0.4.2-3.fc9
+* Thu May 15 2008 Daniel P. Berrange <berrange@redhat.com> - 0.4.2-5.fc10
+- Rebuild with policy enabled (rhbz #446616)
+
+* Fri May  9 2008 Daniel P. Berrange <berrange@redhat.com> - 0.4.2-4.fc10
 - Added directory for initrd/kernel images for SELinux policy
 
-* Mon Apr 28 2008 Mark McLoughlin <markmc@redhat.com> - 0.4.2-2.fc9
+* Mon Apr 28 2008 Mark McLoughlin <markmc@redhat.com> - 0.4.2-3.fc10
+- Simplify the way arch conditionals are handled
+
+* Mon Apr 28 2008 Mark McLoughlin <markmc@redhat.com> - 0.4.2-2.fc10
 - Enable lokkit support (#443796)
 
 * Tue Apr  8 2008 Daniel Veillard <veillard@redhat.com> - 0.4.2-1.fc9