Package: libvirt / 3.0.0-4+deb9u4

Metadata

Package: libvirt
Version: 3.0.0-4+deb9u4
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
debian/remove RHism.diff.patch | (download)

tools/virsh.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 remove-rhism.diff


debian/Don t enable default network on boot.patch | (download)

src/Makefile.am | 3 1 + 2 - 0 !
src/Makefile.in | 3 1 + 2 - 0 !
2 files changed, 2 insertions(+), 4 deletions(-)

 don't enable default network on boot

to not interfere with existing network configurations

debian/fix Debian specific path to hvm loader.patch | (download)

src/xen/xen_hypervisor.c | 2 1 + 1 - 0 !
tests/xencapsdata/xen-i686-pae-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-be-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-hvm.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-x86_64-hvm.xml | 4 2 + 2 - 0 !
5 files changed, 6 insertions(+), 6 deletions(-)

 fix debian specific path to hvm loader

Closes: #517059

debian/Debianize libvirt guests.patch | (download)

tools/libvirt-guests.sh.in | 45 28 + 17 - 0 !
tools/libvirt-guests.sysconf | 4 2 + 2 - 0 !
2 files changed, 30 insertions(+), 19 deletions(-)

 debianize libvirt-guests

patch qemuMonitorTextGetMigrationStatus to intercept.patch | (download)

src/qemu/qemu_monitor_text.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 patch qemumonitortextgetmigrationstatus to intercept unknown command
 'info migrate'

Debian package kvm up to version 72 has not implemented the command 'info migrate'.
This command interface returns help page of info commands and looks like this:


Disable gnulib s test nonplocking pipe.sh.patch | (download)

gnulib/tests/test-nonblocking-pipe.sh | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 disable gnulib's test-nonblocking-pipe.sh

since it fails on at least sparc and mips from time to time.

Issue reported upstream.

Reduce udevadm settle timeout to 10 seconds.patch | (download)

src/util/virutil.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 reduce udevadm settle timeout to 10 seconds

This isn't a proper fix but it will make virt-manager at least start.

Closes: #663931

debian/Debianize systemd service files.patch | (download)

daemon/libvirtd.service.in | 4 2 + 2 - 0 !
tools/libvirt-guests.service.in | 2 1 + 1 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 debianize systemd service files


Allow xen toolstack to find it s binaries.patch | (download)

docs/schemas/capability.rng | 4 2 + 2 - 0 !
src/xen/xen_hypervisor.c | 6 2 + 4 - 0 !
tests/xencapsdata/xen-i686-pae-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-i686-pae.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-i686.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-be-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-ia64-be.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ia64-hvm.xml | 6 3 + 3 - 0 !
tests/xencapsdata/xen-ia64.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-ppc64.xml | 2 1 + 1 - 0 !
tests/xencapsdata/xen-x86_64-hvm.xml | 10 5 + 5 - 0 !
tests/xencapsdata/xen-x86_64.xml | 2 1 + 1 - 0 !
12 files changed, 24 insertions(+), 26 deletions(-)

 allow xen toolstack to find its binaries

Closes: #685749

Skip vircgrouptest.patch | (download)

tests/vircgrouptest.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 skip vircgrouptest

We don't have a mock for nodeGetCPUCount yet so we fail in a chroot
without sysfs mounted.

debian/Debianize virtlockd.patch | (download)

src/locking/virtlockd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlockd


debian/Use upstreams polkit rule.patch | (download)

daemon/Makefile.am | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 use upstream's polkit rule

As of 1.2.16 upstream ships a Polkit rule like Debian does.

Allow access to libnl 3 config files.patch | (download)

examples/apparmor/usr.lib.libvirt.virt-aa-helper | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 allow access to libnl-3 config files

Closes: #786650

debian/apparmor_profiles_local_include.patch | (download)

examples/apparmor/usr.lib.libvirt.virt-aa-helper | 3 3 + 0 - 0 !
examples/apparmor/usr.sbin.libvirtd | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 apparmor_profiles_local_include

Include local apparmor profile

virt aa helper apparmor allow usr share OVMF too.patch | (download)

examples/apparmor/libvirt-qemu | 1 1 + 0 - 0 !
src/security/virt-aa-helper.c | 1 1 + 0 - 0 !
tests/virt-aa-helper-test | 7 6 + 1 - 0 !
3 files changed, 8 insertions(+), 1 deletion(-)

 virt-aa-helper, apparmor: allow /usr/share/ovmf/ too

The split firmware and variables files introduced by

Set defaults for zfs tools.patch | (download)

m4/virt-storage-zfs.m4 | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 set defaults for zfs tools

so we don't have to build-depend on a program in contrib

Pass GPG_TTY env var to the ssh binary.patch | (download)

src/rpc/virnetsocket.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 pass gpg_tty env var to the ssh binary


openpty Skip test if no pty is available.patch | (download)

gnulib/tests/test-openpty.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 openpty: skip test if no pty is available

In chroots for package builds with recent debootstrap there may be
no ptys or they might not be accessible. This both manifests as ENOENT
on Linux.

Works around #817236

test posix_openpt don t fail on EACCESS.patch | (download)

gnulib/tests/test-posix_openpt.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 test-posix_openpt: don't fail on eaccess

In chroots created with recent debootstrap /dev/ptmx might not be accessible.

Works around #817236

Disable use of namespaces by default.patch | (download)

src/qemu/qemu_conf.c | 7 0 + 7 - 0 !
1 file changed, 7 deletions(-)

 disable use of namespaces by default

When namespaces are enabled there is currently breakage when
using disk hotplug and when using AppArmor

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

debian/Debianize virtlogd.patch | (download)

src/logging/virtlogd.service.in | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 debianize virtlogd


CVE 2017 2635 qemu Don t update physical storage size of .patch | (download)

src/qemu/qemu_driver.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cve-2017-2635: qemu: don't update physical storage size of empty
 drives

Previously the code called virStorageSourceUpdateBlockPhysicalSize which
did not do anything on empty drives since it worked only on block
devices. After the refactor in c5f6151390 it's called for all devices
and thus attempts to deref the NULL path of empty drives.

Add a check that skips the update of the physical size if the storage
source is empty.

Upstream-Commit: c3de387380f6057ee0e46cd9f2f0a092e8070875
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1420718

apparmor allow usr lib qemu qemu bridge helper.patch | (download)

examples/apparmor/usr.sbin.libvirtd | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 apparmor: allow /usr/lib/qemu/qemu-bridge-helper

This unbreaks e.g. gnome-boxes

qemu skip QMP probing of CPU definitions when missing.patch | (download)

src/qemu/qemu_capabilities.c | 5 5 + 0 - 0 !
src/qemu/qemu_capabilities.h | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.2.2.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.3.1.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.4.2.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.5.3.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.6.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_1.7.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.1.1.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.4.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.5.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.6.0-gicv2.aarch64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.6.0-gicv3.aarch64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.6.0.ppc64le.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.6.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.7.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.8.0.s390x.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.8.0.x86_64.xml | 1 1 + 0 - 0 !
tests/qemucapabilitiesdata/caps_2.9.0.x86_64.xml | 769 769 + 0 - 0 !
20 files changed, 792 insertions(+)

 qemu: skip qmp probing of cpu definitions when missing

This unbreaks emulators that don't support this command such as
qemu-system-mips*.

Closes: #854125

security/qemu ensure TLS clients always verify the server certific.patch | (download)

src/qemu/qemu_command.c | 2 1 + 1 - 0 !
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 1 + 1 - 0 !
tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 qemu: ensure tls clients always verify the server certificate

The default_tls_x509_verify (and related) parameters in qemu.conf
control whether the QEMU TLS servers request & verify certificates
from clients. This works as a simple access control system for
servers by requiring the CA to issue certs to permitted clients.
This use of client certificates is disabled by default, since it
requires extra work to issue client certificates.

Unfortunately the code was using this configuration parameter when
setting up both TLS clients and servers in QEMU. The result was that
TLS clients for character devices and disk devices had verification
turned off, meaning they would ignore errors while validating the
server certificate.

This allows for trivial MITM attacks between client and server,
as any certificate returned by the attacker will be accepted by
the client.

This is assigned CVE-2017-1000256 / LSN-2017-0002

qemu shared disks with cache directsync should be safe fo.patch | (download)

src/qemu/qemu_migration.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 qemu: shared disks with cache=directsync should be safe for
 migration

At present shared disks can be migrated with either readonly or cache=none. But
cache=directsync should be safe for migration, because both cache=directsync and cache=none
don't use the host page cache, and cache=direct write through qemu block layer cache.

Signed-off-by: Peng Hao <peng.hao2@zte.com.cn>

qemu avoid denial of service reading from QEMU monitor CV.patch | (download)

src/qemu/qemu_monitor.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 qemu: avoid denial of service reading from qemu monitor
 (CVE-2018-5748)

We read from QEMU until seeing a \r\n pair to indicate a completed reply
or event. To avoid memory denial-of-service though, we must have a size
limit on amount of data we buffer. 10 MB is large enough that it ought
to cope with normal QEMU replies, and small enough that we're not
consuming unreasonable mem.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

security/CVE 2018 1064 qemu avoid denial of service reading from Q.patch | (download)

src/qemu/qemu_agent.c | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

 cve-2018-1064: qemu: avoid denial of service reading from qemu guest
 agent

We read from the agent until seeing a \r\n pair to indicate a completed
reply or event. To avoid memory denial-of-service though, we must have a
size limit on amount of data we buffer. 10 MB is large enough that it
ought to cope with normal agent replies, and small enough that we're not
consuming unreasonable mem.

This is identical to the flaw we had reading from the QEMU monitor
as CVE-2018-5748, so rather embarrassing that we forgot to fix
the agent code at the same time.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

security/CVE 2018 6764 virlog determine the hostname on startup.patch | (download)

cfg.mk | 2 1 + 1 - 0 !
src/util/virlog.c | 27 19 + 8 - 0 !
2 files changed, 20 insertions(+), 9 deletions(-)

 cve-2018-6764: virlog: determine the hostname on startup

At a later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.

(cherry picked from commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167
 cherry picked from commit 6ce3acc129bfdbe7fd02bcb8bbe8af6d13903684
 cherry picked from commit c2dc6698c88fb591639e542c8ecb0076c54f3dfb)

security/cpu_map Define md clear CPUID bit.patch | (download)

src/cpu/cpu_map.xml | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cpu_map: define md-clear cpuid bit

CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

The bit is set when microcode provides the mechanism to invoke a flush
of various exploitable CPU buffers by invoking the VERW instruction.

This is a backport of upstream commit 538d873571d7a682852dc1d70e5f4478f4d64e85

security/cpu add CPU features for indirect branch prediction prote.patch | (download)

src/cpu/cpu_map.xml | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 cpu: add cpu features for indirect branch prediction protection

Added in QEMU commits TBD and TBD.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>

security/cpu Add Nehalem IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 37 37 + 0 - 0 !
1 file changed, 37 insertions(+)

 cpu: add nehalem-ibrs cpu model

This is a variant of Nehalem with indirect branch prediction protection.

security/cpu Add Westmere IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 38 38 + 0 - 0 !
1 file changed, 38 insertions(+)

 cpu: add westmere-ibrs cpu model

This is a variant of Westmere with indirect branch prediction

security/cpu Add SandyBridge IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 44 44 + 0 - 0 !
1 file changed, 44 insertions(+)

 cpu: add sandybridge-ibrs cpu model

This is a variant of SandyBridge with indirect branch prediction

security/cpu Add IvyBridge IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 50 50 + 0 - 0 !
1 file changed, 50 insertions(+)

 cpu: add ivybridge-ibrs cpu model

This is a variant of IvyBridge with indirect branch prediction

security/cpu Add Haswell noTSX IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 54 54 + 0 - 0 !
1 file changed, 54 insertions(+)

 cpu: add haswell-notsx-ibrs cpu model

This is a variant of Haswell-noTSX with indirect branch prediction

security/cpu Add Haswell IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 56 56 + 0 - 0 !
1 file changed, 56 insertions(+)

 cpu: add haswell-ibrs cpu model

This is a variant of Haswell with indirect branch prediction protection.

security/cpu Add Broadwell noTSX IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 58 58 + 0 - 0 !
1 file changed, 58 insertions(+)

 cpu: add broadwell-notsx-ibrs cpu model

This is a variant of Broadwell-noTSX with indirect branch prediction

security/cpu Add Broadwell IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 60 60 + 0 - 0 !
1 file changed, 60 insertions(+)

 cpu: add broadwell-ibrs cpu model

This is a variant of Broadwell with indirect branch prediction

security/cpu Add Skylake Client IBRS CPU model.patch | (download)

src/cpu/cpu_map.xml | 69 69 + 0 - 0 !
1 file changed, 69 insertions(+)

 cpu: add skylake-client-ibrs cpu model

This is a variant of Skylake-Client with indirect branch prediction

cpu define the ssbd CPUID feature bit CVE 2018 3639.patch | (download)

src/cpu/cpu_map.xml | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cpu: define the 'ssbd' cpuid feature bit (cve-2018-3639)

New microcode introduces the "Speculative Store Bypass Disable"
CPUID feature bit. This needs to be exposed to guest OS to allow
them to protect against CVE-2018-3639.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

cpu define the virt ssbd CPUID feature bit CVE 2018 3639.patch | (download)

src/cpu/cpu_map.xml | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 cpu: define the 'virt-ssbd' cpuid feature bit (cve-2018-3639)

Some AMD processors only support a non-architectural means of
enabling Speculative Store Bypass Disable. To allow simplified
handling in virtual environments, hypervisors will expose an
architectural definition through CPUID bit 0x80000008_EBX[25].
This needs to be exposed to guest OS running on AMD x86 hosts to
allow them to protect against CVE-2018-3639.

Note that since this CPUID bit won't be present in the host CPUID
results on physical hosts, it will not be enabled automatically
in guests configured with "host-model" CPU unless using QEMU
version >= 2.9.0. Thus for older versions of QEMU, this feature
must be manually enabled using policy=force. Guests using the
"host-passthrough" CPU mode do not need special handling.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

cpu add amd ssbd and amd no ssb CPU features CVE 2018 363.patch | (download)

src/cpu/cpu_map.xml | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 cpu: add 'amd-ssbd' and 'amd-no-ssb' cpu features (cve-2018-3639)

AMD x86 CPUs have two separate ways to mitigate the Speculative Store
Bypass hardware flaw. In current processors only non-architectural MSRs
are available, and so hypervisors must expose a virtualized MSR and CPU
flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1).

In future processors AMD will provide an architectural MSR, indicated by
existence of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has
given the name "amd-ssbd".

The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it
is available, since it provides improved performance. For virtual
machine configuration, both should be exposed when available, to allow
for maximal guest OS compatibility as not all guests yet support both.

If future processors are not vulnerable to the flaw, this will be
indicated by the existence of CPUID Function 8000_0008, EBX[26]=1,
to which QEMU has given the name "amd-no-ssb".

See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf

security/CVE 2019 10161 api disallow virDomainSaveImageGetXMLDesc .patch | (download)

src/libvirt-domain.c | 9 2 + 7 - 0 !
src/qemu/qemu_driver.c | 2 1 + 1 - 0 !
src/remote/remote_protocol.x | 3 1 + 2 - 0 !
3 files changed, 4 insertions(+), 10 deletions(-)

 cve-2019-10161: api: disallow virdomainsaveimagegetxmldesc on
 read-only connections

This is a backport of

The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>

security/api disallow virConnectGetDomainCapabilities on read only.patch | (download)

src/libvirt-domain.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 api: disallow virconnectgetdomaincapabilities on read-only
 connections

This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>