On 11/05/2014 05:30 PM, Eric Blake wrote:
> Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
> the qemu implementation of virDomainGetXMLDesc, the use of the
> flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
> connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
> prior to calling qemuDomainFormatXML. However, the use of
> VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
> clients only. This patch treats the migratable flag as requiring
> the same permissions, rather than analyzing what might break if
> migratable xml no longer includes secret information.
>
> Fortunately, the information leak is low-risk: all that is gated
> by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
> but VNC passwords are already weak (FIPS forbids their use, and
> on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
> password sent in plaintext over the network deserves what they
> get). SPICE offers better security than VNC, and all other
> secrets are properly protected by use of virSecret associations
> rather than direct output in domain XML.
>
> * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
> Tighten rules on use of migratable flag.
> * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
>
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> ---
>
> The libvirt-security list agreed that this did not need an embargo
> because it is low-risk; but I'm on the road this week, so while
> this patch for master can go in now, I won't complete the backport
> to all the affected stable branches (everything since v1.0.0) or
> do the Libvirt Security Notice writeup until Monday.

Pushed based on positive review on the libvirt-security list.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachment: signature.asc (OpenPGP digital signature)
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
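The bug class described in the commit message above, as an added illustration that is not libvirt code: the read-only permission check is applied to the flags the caller passed in, but a driver later promotes one unprivileged flag into a privileged one after that check has run, so the check never sees the privileged flag. The flag constants, the `format_domain` stand-in for the driver's formatter and the `get_xml_before` / `get_xml_after` functions are all hypothetical; the real `virDomainGetXMLDesc` is not called.

```c
/* Added example, not libvirt code. Models the permission gap fixed by the
 * patch above: a read-only gate on the caller's flags that a later implicit
 * flag promotion bypasses, next to the corrected gate.
 * XML_SECURE / XML_MIGRATABLE are hypothetical stand-ins for libvirt's
 * VIR_DOMAIN_XML_SECURE / VIR_DOMAIN_XML_MIGRATABLE. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define XML_SECURE     (1u << 0)  /* caller wants secrets (VNC password) in the XML */
#define XML_MIGRATABLE (1u << 3)  /* caller wants migration-friendly XML */

/* Stand-in for the driver formatter (qemuDomainFormatXML in the real code):
 * it emits the password only if XML_SECURE is in the flags it receives. */
static const char *format_domain(unsigned int flags)
{
    /* Constructed sample output; the password is a placeholder. */
    return (flags & XML_SECURE) ? "<graphics type='vnc' passwd='s3cret'/>"
                                : "<graphics type='vnc'/>";
}

/* Vulnerable shape. The read-only gate looks only at XML_SECURE, so a
 * read-only caller passing XML_MIGRATABLE is admitted; the driver then
 * promotes MIGRATABLE to SECURE and the password is formatted anyway. */
const char *get_xml_before(bool readonly, unsigned int flags)
{
    if (readonly && (flags & XML_SECURE))
        return NULL;                   /* rejected: needs a read-write connection */
    if (flags & XML_MIGRATABLE)
        flags |= XML_SECURE;           /* implicit promotion, after the gate */
    return format_domain(flags);
}

/* Fixed shape, as the patch does: every flag that can imply SECURE is
 * gated with the same read-write requirement, before any promotion. */
const char *get_xml_after(bool readonly, unsigned int flags)
{
    if (readonly && (flags & (XML_SECURE | XML_MIGRATABLE)))
        return NULL;
    if (flags & XML_MIGRATABLE)
        flags |= XML_SECURE;
    return format_domain(flags);
}

/* True if a read-only connection obtains the password with these flags. */
bool leaks_password(const char *(*getter)(bool, unsigned int), unsigned int flags)
{
    const char *xml = getter(true, flags);
    return xml != NULL && strstr(xml, "passwd=") != NULL;
}

int main(void)
{
    printf("before, read-only + MIGRATABLE: %s\n",
           leaks_password(get_xml_before, XML_MIGRATABLE) ? "LEAK" : "ok");
    printf("after,  read-only + MIGRATABLE: %s\n",
           leaks_password(get_xml_after, XML_MIGRATABLE) ? "LEAK" : "ok");
    return 0;
}
```

The general check this illustrates: when an API entry point authorises on caller-supplied flags and a lower layer may add flags of its own, the authorisation must be computed on the set of flags that can be in effect after every promotion, not on the raw input.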