[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag



On 11/05/2014 05:30 PM, Eric Blake wrote:
> Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
> the qemu implementation of virDomainGetXMLDesc, the use of the
> flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
> connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
> prior to calling qemuDomainFormatXML.  However, the use of
> VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
> clients only.  This patch treats the migratable flag as requiring
> the same permissions, rather than analyzing what might break if
> migratable xml no longer includes secret information.
> 
> Fortunately, the information leak is low-risk: all that is gated
> by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
> but VNC passwords are already weak (FIPS forbids their use, and
> on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
> password sent in plaintext over the network deserves what they
> get).  SPICE offers better security than VNC, and all other
> secrets are properly protected by use of virSecret associations
> rather than direct output in domain XML.
> 
> * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
> Tighten rules on use of migratable flag.
> * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
> 
> Signed-off-by: Eric Blake <eblake redhat com>
> ---
> 
> The libvirt-security list agreed that this did not need an embargo
> because it is low-risk; but I'm on the road this week, so while
> this patch for master can go in now, I won't complete the backport
> to all the affected stable branches (everything since v1.0.0) or
> do the Libvirt Security Notice writeup until Monday.

Pushed based on positive review on the libvirt-security list.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]