new file mode 100644

@@ -0,0 +1,73 @@

+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001

+From: Daniel P. Berrange <berrange@redhat.com>

+Date: Thu, 5 Oct 2017 17:54:28 +0100

+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate

+

+The default_tls_x509_verify (and related) parameters in qemu.conf

+control whether the QEMU TLS servers request & verify certificates

+from clients. This works as a simple access control system for

+servers by requiring the CA to issue certs to permitted clients.

+This use of client certificates is disabled by default, since it

+requires extra work to issue client certificates.

+

+Unfortunately the code was using this configuration parameter when

+setting up both TLS clients and servers in QEMU. The result was that

+TLS clients for character devices and disk devices had verification

+turned off, meaning they would ignore errors while validating the

+server certificate.

+

+This allows for trivial MITM attacks between client and server,

+as any certificate returned by the attacker will be accepted by

+the client.

+

+This is assigned CVE-2017-1000256  / LSN-2017-0002

+

+Reviewed-by: Eric Blake <eblake@redhat.com>

+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

+---

+ src/qemu/qemu_command.c                            |    2 +-

+ .../qemuxml2argv-serial-tcp-tlsx509-chardev.args   |    2 +-

+ ...xml2argv-serial-tcp-tlsx509-secret-chardev.args |    2 +-

+ 3 files changed, 3 insertions(+), 3 deletions(-)

+

+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c

+index 46f0bdd..f68b82d 100644

+--- a/src/qemu/qemu_command.c

+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath,

+     if (virJSONValueObjectCreate(propsret,

+                                  "s:dir", path,

+                                  "s:endpoint", (isListen ? "server": "client"),

+-                                 "b:verify-peer", verifypeer,

++                                 "b:verify-peer", (isListen ? verifypeer : true),

+                                  NULL) < 0)

+         goto cleanup;

+ 

+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args

+index 5aff773..ab5f7e2 100644

+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args

+@@ -26,7 +26,7 @@ server,nowait \

+ localport=1111 \

+ -device isa-serial,chardev=charserial0,id=serial0 \

+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\

+-endpoint=client,verify-peer=no \

++endpoint=client,verify-peer=yes \

+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\

+ tls-creds=objcharserial1_tls0 \

+ -device isa-serial,chardev=charserial1,id=serial1 \

+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args

+index 91f1fe0..2567abb 100644

+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args

+@@ -31,7 +31,7 @@ localport=1111 \

+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\

+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \

+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\

+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \

++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \

+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\

+ tls-creds=objcharserial1_tls0 \

+ -device isa-serial,chardev=charserial1,id=serial1 \

+-- 

+1.7.1

@@ -1,14 +1,15 @@

-Summary:	Virtualization API library that supports KVM, QEMU, Xen, ESX etc

-Name:		libvirt

-Version:	3.2.0

-Release:	2%{?dist}

-License:	LGPL

-URL:		http://libvirt.org/

-Source0:	http://libvirt.org/sources/%{name}-%{version}.tar.xz

-%define sha1 libvirt=47d4b443fdf1e268589529018c436bbc4b413a7c

-Group:		Virtualization/Libraries

-Vendor:		VMware, Inc.

-Distribution: 	Photon

+Summary:        Virtualization API library that supports KVM, QEMU, Xen, ESX etc

+Name:           libvirt

+Version:        3.2.0

+Release:        3%{?dist}

+License:        LGPL

+URL:            http://libvirt.org/

+Source0:        http://libvirt.org/sources/%{name}-%{version}.tar.xz

+%define sha1    libvirt=47d4b443fdf1e268589529018c436bbc4b413a7c

+Patch0:         libvirt-CVE-2017-1000256.patch

+Group:          Virtualization/Libraries

+Vendor:         VMware, Inc.

+Distribution:   Photon

 BuildRequires:  cyrus-sasl

 BuildRequires:  device-mapper-devel

 BuildRequires:  gnutls-devel

@@ -54,15 +55,15 @@ This contains development tools and libraries for libvirt.

 %prep

 %setup -q

-

+%patch0 -p1

 %build

 ./configure \

-	--disable-silent-rules \

-	--prefix=%{_prefix} \

-	--bindir=%{_bindir} \

-	--libdir=%{_libdir} \

-        --with-udev=no \

-        --with-pciaccess=no

+    --disable-silent-rules \

+    --prefix=%{_prefix} \

+    --bindir=%{_bindir} \

+    --libdir=%{_libdir} \

+    --with-udev=no \

+    --with-pciaccess=no

 make %{?_smp_mflags}

@@ -111,9 +112,11 @@ find %{buildroot} -name '*.la' -delete

 %{_mandir}/*

 %changelog

-*    Wed Aug 23 2017 Rui Gu <ruig@vmware.com> 3.2.0-2

--    Fix missing deps in devel package 

-*    Thu Apr 06 2017 Kumar Kaushik <kaushikk@vmware.com> 3.2.0-1

--    Upgrading version to 3.2.0

-*    Fri Feb 03 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.0.0-1

--    Initial version of libvirt package for Photon.

+*   Mon Dec 04 2017 Xiaolin Li <xiaolinl@vmware.com> 3.2.0-3

+-   Fix CVE-2017-1000256

+*   Wed Aug 23 2017 Rui Gu <ruig@vmware.com> 3.2.0-2

+-   Fix missing deps in devel package 

+*   Thu Apr 06 2017 Kumar Kaushik <kaushikk@vmware.com> 3.2.0-1

+-   Upgrading version to 3.2.0

+*   Fri Feb 03 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.0.0-1

+-   Initial version of libvirt package for Photon.