diff options
Diffstat (limited to 'gnu/packages')
-rw-r--r-- | gnu/packages/patches/libvirt-CVE-2017-1000256.patch | 84 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 6 |
2 files changed, 3 insertions, 87 deletions
diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch deleted file mode 100644 index d577e1eb50..0000000000 --- a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch +++ /dev/null @@ -1,84 +0,0 @@ -Fix CVE-2017-1000256: - -https://security.libvirt.org/2017/0002.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256 - -Patch copied from upstream source repository: - -https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7 - -From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001 -From: Daniel P. Berrange <berrange@redhat.com> -Date: Thu, 5 Oct 2017 17:54:28 +0100 -Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate - -The default_tls_x509_verify (and related) parameters in qemu.conf -control whether the QEMU TLS servers request & verify certificates -from clients. This works as a simple access control system for -servers by requiring the CA to issue certs to permitted clients. -This use of client certificates is disabled by default, since it -requires extra work to issue client certificates. - -Unfortunately the code was using this configuration parameter when -setting up both TLS clients and servers in QEMU. The result was that -TLS clients for character devices and disk devices had verification -turned off, meaning they would ignore errors while validating the -server certificate. - -This allows for trivial MITM attacks between client and server, -as any certificate returned by the attacker will be accepted by -the client. - -This is assigned CVE-2017-1000256 / LSN-2017-0002 - -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> -(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) ---- - src/qemu/qemu_command.c | 2 +- - .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- - ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c -index 9a27987..ae78cd1 100644 ---- a/src/qemu/qemu_command.c -+++ b/src/qemu/qemu_command.c -@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, - if (virJSONValueObjectCreate(propsret, - "s:dir", path, - "s:endpoint", (isListen ? "server": "client"), -- "b:verify-peer", verifypeer, -+ "b:verify-peer", (isListen ? verifypeer : true), - NULL) < 0) - goto cleanup; - -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -index 5aff773..ab5f7e2 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -@@ -26,7 +26,7 @@ server,nowait \ - localport=1111 \ - -device isa-serial,chardev=charserial0,id=serial0 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no \ -+endpoint=client,verify-peer=yes \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -index 91f1fe0..2567abb 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -@@ -31,7 +31,7 @@ localport=1111 \ - data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ - keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ -+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ --- -1.7.1 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 184ba0155c..d9fae08b25 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -6,6 +6,7 @@ ;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; Copyright © 2017 Andy Patterson <ajpatter@uwaterloo.ca> ;;; Copyright © 2017 Rutger Helling <rhelling@mykolab.com> +;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; ;;; This file is part of GNU Guix. ;;; @@ -329,15 +330,14 @@ manage system or application containers.") (define-public libvirt (package (name "libvirt") - (version "3.7.0") + (version "3.10.0") (source (origin (method url-fetch) (uri (string-append "https://libvirt.org/sources/libvirt-" version ".tar.xz")) - (patches (search-patches "libvirt-CVE-2017-1000256.patch")) (sha256 (base32 - "1fk75cdzg59y9hnfdpdwv83fsc1yffy3lac4ch19zygfkqhcnysf")))) + "03kb37iv3dvvdlslznlc0njvjpmq082lczmsslz5p4fcwb50kwfz")))) (build-system gnu-build-system) (arguments `(;; FAIL: virshtest |