Change-Id: I37b35dd2ca7429354623a1bd19812a6aeae400f8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4435
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
1 | 1 |
new file mode 100644 |
@@ -0,0 +1,73 @@ |
0 |
+From 441d3eb6d1be940a67ce45a286602a967601b157 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Daniel P. Berrange <berrange@redhat.com> |
|
2 |
+Date: Thu, 5 Oct 2017 17:54:28 +0100 |
|
3 |
+Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate |
|
4 |
+ |
|
5 |
+The default_tls_x509_verify (and related) parameters in qemu.conf |
|
6 |
+control whether the QEMU TLS servers request & verify certificates |
|
7 |
+from clients. This works as a simple access control system for |
|
8 |
+servers by requiring the CA to issue certs to permitted clients. |
|
9 |
+This use of client certificates is disabled by default, since it |
|
10 |
+requires extra work to issue client certificates. |
|
11 |
+ |
|
12 |
+Unfortunately the code was using this configuration parameter when |
|
13 |
+setting up both TLS clients and servers in QEMU. The result was that |
|
14 |
+TLS clients for character devices and disk devices had verification |
|
15 |
+turned off, meaning they would ignore errors while validating the |
|
16 |
+server certificate. |
|
17 |
+ |
|
18 |
+This allows for trivial MITM attacks between client and server, |
|
19 |
+as any certificate returned by the attacker will be accepted by |
|
20 |
+the client. |
|
21 |
+ |
|
22 |
+This is assigned CVE-2017-1000256 / LSN-2017-0002 |
|
23 |
+ |
|
24 |
+Reviewed-by: Eric Blake <eblake@redhat.com> |
|
25 |
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com> |
|
26 |
+--- |
|
27 |
+ src/qemu/qemu_command.c | 2 +- |
|
28 |
+ .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- |
|
29 |
+ ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- |
|
30 |
+ 3 files changed, 3 insertions(+), 3 deletions(-) |
|
31 |
+ |
|
32 |
+diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c |
|
33 |
+index 46f0bdd..f68b82d 100644 |
|
34 |
+--- a/src/qemu/qemu_command.c |
|
35 |
+@@ -721,7 +721,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, |
|
36 |
+ if (virJSONValueObjectCreate(propsret, |
|
37 |
+ "s:dir", path, |
|
38 |
+ "s:endpoint", (isListen ? "server": "client"), |
|
39 |
+- "b:verify-peer", verifypeer, |
|
40 |
++ "b:verify-peer", (isListen ? verifypeer : true), |
|
41 |
+ NULL) < 0) |
|
42 |
+ goto cleanup; |
|
43 |
+ |
|
44 |
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
|
45 |
+index 5aff773..ab5f7e2 100644 |
|
46 |
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args |
|
47 |
+@@ -26,7 +26,7 @@ server,nowait \ |
|
48 |
+ localport=1111 \ |
|
49 |
+ -device isa-serial,chardev=charserial0,id=serial0 \ |
|
50 |
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
|
51 |
+-endpoint=client,verify-peer=no \ |
|
52 |
++endpoint=client,verify-peer=yes \ |
|
53 |
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
|
54 |
+ tls-creds=objcharserial1_tls0 \ |
|
55 |
+ -device isa-serial,chardev=charserial1,id=serial1 \ |
|
56 |
+diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
|
57 |
+index 91f1fe0..2567abb 100644 |
|
58 |
+--- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args |
|
59 |
+@@ -31,7 +31,7 @@ localport=1111 \ |
|
60 |
+ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ |
|
61 |
+ keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ |
|
62 |
+ -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ |
|
63 |
+-endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ |
|
64 |
++endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ |
|
65 |
+ -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ |
|
66 |
+ tls-creds=objcharserial1_tls0 \ |
|
67 |
+ -device isa-serial,chardev=charserial1,id=serial1 \ |
|
68 |
+-- |
|
69 |
+1.7.1 |
@@ -1,14 +1,15 @@ |
1 |
-Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc |
|
2 |
-Name: libvirt |
|
3 |
-Version: 3.2.0 |
|
4 |
-Release: 2%{?dist} |
|
5 |
-License: LGPL |
|
6 |
-URL: http://libvirt.org/ |
|
7 |
-Source0: http://libvirt.org/sources/%{name}-%{version}.tar.xz |
|
8 |
-%define sha1 libvirt=47d4b443fdf1e268589529018c436bbc4b413a7c |
|
9 |
-Group: Virtualization/Libraries |
|
10 |
-Vendor: VMware, Inc. |
|
11 |
-Distribution: Photon |
|
1 |
+Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc |
|
2 |
+Name: libvirt |
|
3 |
+Version: 3.2.0 |
|
4 |
+Release: 3%{?dist} |
|
5 |
+License: LGPL |
|
6 |
+URL: http://libvirt.org/ |
|
7 |
+Source0: http://libvirt.org/sources/%{name}-%{version}.tar.xz |
|
8 |
+%define sha1 libvirt=47d4b443fdf1e268589529018c436bbc4b413a7c |
|
9 |
+Patch0: libvirt-CVE-2017-1000256.patch |
|
10 |
+Group: Virtualization/Libraries |
|
11 |
+Vendor: VMware, Inc. |
|
12 |
+Distribution: Photon |
|
12 | 13 |
BuildRequires: cyrus-sasl |
13 | 14 |
BuildRequires: device-mapper-devel |
14 | 15 |
BuildRequires: gnutls-devel |
@@ -54,15 +55,15 @@ This contains development tools and libraries for libvirt. |
54 | 54 |
|
55 | 55 |
%prep |
56 | 56 |
%setup -q |
57 |
- |
|
57 |
+%patch0 -p1 |
|
58 | 58 |
%build |
59 | 59 |
./configure \ |
60 |
- --disable-silent-rules \ |
|
61 |
- --prefix=%{_prefix} \ |
|
62 |
- --bindir=%{_bindir} \ |
|
63 |
- --libdir=%{_libdir} \ |
|
64 |
- --with-udev=no \ |
|
65 |
- --with-pciaccess=no |
|
60 |
+ --disable-silent-rules \ |
|
61 |
+ --prefix=%{_prefix} \ |
|
62 |
+ --bindir=%{_bindir} \ |
|
63 |
+ --libdir=%{_libdir} \ |
|
64 |
+ --with-udev=no \ |
|
65 |
+ --with-pciaccess=no |
|
66 | 66 |
|
67 | 67 |
make %{?_smp_mflags} |
68 | 68 |
|
@@ -111,9 +112,11 @@ find %{buildroot} -name '*.la' -delete |
111 | 111 |
%{_mandir}/* |
112 | 112 |
|
113 | 113 |
%changelog |
114 |
-* Wed Aug 23 2017 Rui Gu <ruig@vmware.com> 3.2.0-2 |
|
115 |
-- Fix missing deps in devel package |
|
116 |
-* Thu Apr 06 2017 Kumar Kaushik <kaushikk@vmware.com> 3.2.0-1 |
|
117 |
-- Upgrading version to 3.2.0 |
|
118 |
-* Fri Feb 03 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.0.0-1 |
|
119 |
-- Initial version of libvirt package for Photon. |
|
114 |
+* Mon Dec 04 2017 Xiaolin Li <xiaolinl@vmware.com> 3.2.0-3 |
|
115 |
+- Fix CVE-2017-1000256 |
|
116 |
+* Wed Aug 23 2017 Rui Gu <ruig@vmware.com> 3.2.0-2 |
|
117 |
+- Fix missing deps in devel package |
|
118 |
+* Thu Apr 06 2017 Kumar Kaushik <kaushikk@vmware.com> 3.2.0-1 |
|
119 |
+- Upgrading version to 3.2.0 |
|
120 |
+* Fri Feb 03 2017 Vinay Kulkarni <kulkarniv@vmware.com> 3.0.0-1 |
|
121 |
+- Initial version of libvirt package for Photon. |
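Review bot: In the `@@ -1,14 +1,15 @@` hunk every header line from `Summary:` to `Distribution:` is removed and re-added although, as rendered, only `Release: 3%{?dist}` and the new `Patch0: libvirt-CVE-2017-1000256.patch` differ, and the `./configure` options in the `@@ -54,15 +55,15 @@` hunk show the same remove-and-re-add pattern; this looks like a line-ending or trailing-whitespace normalisation bundled into the CVE fix, which hides the three functional lines from review and from `git blame`. Either split the whitespace change into its own commit or state it in the commit message so the security change stays auditable. The `%patch0 -p1` line relies on the embedded patch's `diff --git a/... b/...` paths, which it matches; as rendered, though, that patch shows `--- a/...` headers with no matching `+++ b/...` lines and 70 of its 73 declared lines, presumably a display artefact of the outer `++++` prefix, so it is worth confirming the committed file applies cleanly since `%prep` has no fallback if it does not.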