[libvirt] [PATCH] CVE-2014-7823: dumpxml: security hole with migratable flag

Eric Blake eblake at redhat.com
Thu Nov 6 07:18:45 UTC 2014

On 11/05/2014 05:30 PM, Eric Blake wrote:
> Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
> the qemu implementation of virDomainGetXMLDesc, the use of the
> flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
> connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
> prior to calling qemuDomainFormatXML.  However, the use of
> VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
> clients only.  This patch treats the migratable flag as requiring
> the same permissions, rather than analyzing what might break if
> migratable xml no longer includes secret information.
>
> Fortunately, the information leak is low-risk: all that is gated
> by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
> but VNC passwords are already weak (FIPS forbids their use, and
> on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
> password sent in plaintext over the network deserves what they
> get).  SPICE offers better security than VNC, and all other
> secrets are properly protected by use of virSecret associations
> rather than direct output in domain XML.
>
> * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
> Tighten rules on use of migratable flag.
> * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
> The libvirt-security list agreed that this did not need an embargo
> because it is low-risk; but I'm on the road this week, so while
> this patch for master can go in now, I won't complete the backport
> to all the affected stable branches (everything since v1.0.0) or
> do the Libvirt Security Notice writeup until Monday.

Pushed based on positive review on the libvirt-security list.

Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
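
A simplified model of the flaw and fix described in the quoted commit message, added here as an example and not taken from the libvirt patch itself. The two flag values match libvirt's public header; `struct conn`, `driver_format_xml`, `get_xml_desc`, `ro_leaks_password`, the `RESTRICTED_*` sets and the sample password are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as in libvirt's public virDomainXMLFlags enum. */
#define VIR_DOMAIN_XML_SECURE     (1u << 0)
#define VIR_DOMAIN_XML_MIGRATABLE (1u << 3)
/* Flag sets refused on read-only connections, before and after the fix. */
#define RESTRICTED_BEFORE (VIR_DOMAIN_XML_SECURE)
#define RESTRICTED_AFTER  (VIR_DOMAIN_XML_SECURE | VIR_DOMAIN_XML_MIGRATABLE)
#define SAMPLE_VNC_PASSWD "example1"   /* constructed sample value */

struct conn { int read_only; };        /* hypothetical connection model */

/* Driver side: as the commit message describes, MIGRATABLE implicitly
 * turns on SECURE before the XML is formatted. */
static int driver_format_xml(unsigned int flags, char *out, size_t len)
{
    if (flags & VIR_DOMAIN_XML_MIGRATABLE)
        flags |= VIR_DOMAIN_XML_SECURE;
    if (flags & VIR_DOMAIN_XML_SECURE)
        snprintf(out, len, "<graphics type='vnc' passwd='%s'/>",
                 SAMPLE_VNC_PASSWD);
    else
        snprintf(out, len, "<graphics type='vnc'/>");
    return 0;
}

/* API entry: the permission check sees only the flags the caller passed. */
static int get_xml_desc(const struct conn *c, unsigned int flags,
                        unsigned int restricted, char *out, size_t len)
{
    if (c->read_only && (flags & restricted))
        return -1;                     /* denied on read-only connection */
    return driver_format_xml(flags, out, len);
}

/* Returns 1 if a read-only caller passing `flags` receives the password. */
static int ro_leaks_password(unsigned int flags, unsigned int restricted)
{
    struct conn ro = { .read_only = 1 };
    char xml[128] = "";
    if (get_xml_desc(&ro, flags, restricted, xml, sizeof xml) < 0)
        return 0;
    return strstr(xml, "passwd=") != NULL;
}

int main(void)
{
    printf("migratable, read-only: before=%d after=%d\n",
           ro_leaks_password(VIR_DOMAIN_XML_MIGRATABLE, RESTRICTED_BEFORE),
           ro_leaks_password(VIR_DOMAIN_XML_MIGRATABLE, RESTRICTED_AFTER));
    return 0;
}
```

The general point for reviewers: an access check on caller-supplied flags has to cover every flag that a lower layer later expands into a privileged one.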
