Package: libvirt / 5.0.0-4

security/remote-enforce-ACL-write-permission-for-getting-guest-tim.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
Date: Wed, 3 Apr 2019 15:00:50 +0100
Subject: remote: enforce ACL write permission for getting guest time &
 hostname
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Getting the guest time and hostname both require use of guest agent
commands. These must not be allowed for read-only users, so the
permissions check must validate "write" permission not "read".

Fixes CVE-2019-3886
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/remote/remote_protocol.x | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index b9d26b1..1246df5 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5505,7 +5505,7 @@ enum remote_procedure {
 
     /**
      * @generate: both
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_HOSTNAME = 277,
 
@@ -5900,7 +5900,7 @@ enum remote_procedure {
 
     /**
      * @generate: none
-     * @acl: domain:read
+     * @acl: domain:write
      */
     REMOTE_PROC_DOMAIN_GET_TIME = 337,