Bug 45635 - libvirt: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
Other Linux
: P5 normal
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Arvid Requate
Depends on:
Blocks: 41719
Reported: 2017-11-01 17:06 CET by Arvid Requate
Modified: 2018-05-09 14:46 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 4.2 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L)
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-11-01 17:06:36 CET
Upstream Debian (stretch) package version 3.0.0-4+deb9u1 fixes:

* Libvirt does not properly handle the default_tls_x509_verify (and
related) parameters in qemu.conf when setting up TLS clients and servers
in QEMU, resulting in TLS clients for character devices and disk devices
having verification turned off and ignoring any errors while validating
the server certificate (CVE-2017-1000256)


In UCS 4.2 we shipped 3.0.0-2, which also has:

* Null pointer dereference when updating storage size on empty drives (CVE-2017-2635)

That has been fixed in 3.0.0-3.
Comment 1 Philipp Hahn univentionstaff 2018-01-26 20:09:24 CET
r17995 | Bug #45635: libvirt

Package: libvirt
Version: 3.0.0-4~bpo8+1A~4.2.0.201801261804
Branch: ucs_4.2-0
Scope: errata4.2-3

9899da8936 Bug #45635: libvirt
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:58:02 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+1A~4.2.0.201801261804.dsc
@@ -1,14 +1,35 @@
-3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>:
+3.0.0-4~bpo8+1A~4.2.0.201801261804 [Fri, 26 Jan 2018 18:04:07 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-35768-Bug-39685-Remove-UCS-dependencies
-    0002-Revert-Add-Breaks-for-older-systemd
     0021-Bug-19329-Allow-MD5-signatures
     0022-Bug-21860-Default-to-kvm32
     0023-Allow-to-migrate-and-undefine-domains-with-snapshots
     0024-Bug-22072-Re-scan-for-snapshots-after-migration-and-
     0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in
     0026-Bug-21501-add-slash-screen-support
+    0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer
+
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>:
+
+  * Rebuild for jessie-backports.
+  * [43f5a1] Revert "Enable numad support"
+  * [db9711] Change libxml2-dev build dependency to fixed version from jessie
+  * [bceb2c] Revert "Add Breaks for older systemd"
+
+3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [2a23b23] qemu: skip QMP probing of CPU definitions when missing.
+    Don't probe CPU definitions if we lack the monitor command. This
+    unbreaks e.g. mips based VMs. (Closes: #85412)
+  * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers
+    This makes VM creation in gnome-boxes work with apparmor enabled.
+
+3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [62ad289] Debianize virtlogd
+  * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives
+    (Closes: #856313)
 
 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
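Review bot: The patch added to the applied-patch list, 0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer, is carried locally on top of 3.0.0-4~bpo8+1, and nothing in the new changelog entries records where it comes from. Name the upstream commit or tag in the patch header or in the top entry, so the backport can be checked against upstream and dropped again once the Debian base version contains the fix.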
Comment 3 Arvid Requate univentionstaff 2018-05-08 12:52:08 CEST
* Obsolete patch removed:
  4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
  which was introduced via
  http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5

* New patch
  4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-clients-always-verify-the-server-cer.quilt
  origin unknown, please explain:
  +Message-Id: <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>

* Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
  * CVE-2018-6764: virlog: determine the hostname on startup


These other points are verified until now:
* All other UCS specific patches applied during rebuild
* Comparison to previously shipped version ok
* Installation Ok
* Advisory adjusted:
  80c94b8420 | Sort CVEs
Comment 4 Philipp Hahn univentionstaff 2018-05-08 19:54:15 CEST
(In reply to Arvid Requate from comment #3)
> * Obsolete patch removed:
>   4.2-0-0-ucs/3.0.0-2/0002-Revert-Add-Breaks-for-older-systemd.patch
>   which was introduced via
>   http://forge.univention.org/bugzilla/show_bug.cgi?id=38877#c5

FYI: The patch is in Debian now and was thus dropped from UCS:
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]
+  * [bceb2c] Revert "Add Breaks for older systemd"

> 4.2-0-0-ucs/3.0.0-4~bpo8+1-errata4.2-3/0030-CVE-2017-1000256-qemu-ensure-TLS-
> clients-always-verify-the-server-cer.quilt
>   origin unknown, please explain:
>   +Message-Id:
> <441d3eb6d1be940a67ce45a286602a967601b157.1516983401.git.hahn@univention.de>

Back in January the vulnerability was just published, but not yet included in the Debian package. The patch is from upstream-git:

$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157 
CVE-2017-1000256^0
$ git describe --tags --contains 441d3eb6d1be940a67ce45a286602a967601b157 --match v\*
v3.9.0-rc1~150

> * Missing upstream patches: Upstream there is 3.0.0-4+deb9u3, which fixes
>   * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
>   * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
>   * CVE-2018-6764: virlog: determine the hostname on startup

1. and 3. are only in Debian-Stretch:

3.0.0-4+deb9u3 [Mon, 12 Mar 2018 19:11:51 +0100]
  * gbp: switch branch to stretch
  * CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent
  * CVE-2018-6764: virlog: determine the hostname on startup
    (Closes: #889839)

but not yet in the Debian-Jessie backport:

3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100]
  * Rebuild for jessie-backports.
3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100]
  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
    (Closes: #887700)
  * qemu: shared disks with cache=directsync should be safe for migration.
    Thanks to Carsten Burkhardt (Closes: #883208)
3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200]
  * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
    certificate (Closes: #878799)
3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200]

I took deb9u2~bpo8,
- dropped 0030-CVE-2017-100025 as it is included in 3.0.0-4+deb9u1,
= skipped CVE-2018-5748 as it is in 3.0.0-4+deb9u2,
+ picked 0030-CVE-2018-1064 from 3.0.0-4+deb9u3
+ picked 0031-CVE-2018-6764 from 3.0.0-4+deb9u3

r18124 | Bug #45635: libvirt 4.2-3

$ repo_admin.py -U -p libvirt -d jessie-backports -r 4.2 -s errata4.2-3

Package: libvirt
Version: 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] 059e5701c0 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

QA: my quick test on xen1 was successful
Comment 5 Quality Assurance univentionstaff 2018-05-08 20:14:35 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928.dsc
@@ -1,14 +1,52 @@
-3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>:
+3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 [Tue, 08 May 2018 19:28:21 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-35768-Bug-39685-Remove-UCS-dependencies
-    0002-Revert-Add-Breaks-for-older-systemd
     0021-Bug-19329-Allow-MD5-signatures
     0022-Bug-21860-Default-to-kvm32
     0023-Allow-to-migrate-and-undefine-domains-with-snapshots
     0024-Bug-22072-Re-scan-for-snapshots-after-migration-and-
     0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in
     0026-Bug-21501-add-slash-screen-support
+    0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q
+    0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup
+
+3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>:
+
+  * Rebuild for jessie-backports.
+
+3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
+    (Closes: #887700)
+  * qemu: shared disks with cache=directsync should be safe for migration.
+    Thanks to Carsten Burkhardt (Closes: #883208)
+
+3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>:
+
+  * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
+    certificate (Closes: #878799)
+
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>:
+
+  * Rebuild for jessie-backports.
+  * [43f5a1] Revert "Enable numad support"
+  * [db9711] Change libxml2-dev build dependency to fixed version from jessie
+  * [bceb2c] Revert "Add Breaks for older systemd"
+
+3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [2a23b23] qemu: skip QMP probing of CPU definitions when missing.
+    Don't probe CPU definitions if we lack the monitor command. This
+    unbreaks e.g. mips based VMs. (Closes: #85412)
+  * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers
+    This makes VM creation in gnome-boxes work with apparmor enabled.
+
+3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [62ad289] Debianize virtlogd
+  * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives
+    (Closes: #856313)
 
 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
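Review bot: The version on the first added line, 3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928, puts +deb9u2 ahead of the ~bpo8 suffix, so under dpkg ordering it is higher than any 3.0.0-4+deb9u1 build regardless of what follows. An errata package for 4.2 versioned this way will not be replaced by a 4.3 package that is still based on deb9u1. Pick a revision that sorts below the version shipped in the next release before this build is published.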
Comment 6 Philipp Hahn univentionstaff 2018-05-08 20:15:28 CEST
Piuparts-result @ <http://10.200.17.11/4.2-3/#4537047368370645603>
Comment 7 Arvid Requate univentionstaff 2018-05-09 13:29:56 CEST
Verified:
* Backported patches validated
* Patches applied during rebuild
* Binary package update Ok
* Advisory Ok

Reopen:
* Version in errata4.2-3 is now higher than version in ucs_4.3-0:

root@master10:~# dpkg --compare-versions \
   3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
   3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
fail
Comment 8 Philipp Hahn univentionstaff 2018-05-09 14:10:32 CEST
(In reply to Arvid Requate from comment #7)
> Reopen:
> * Version in errata4.2-3 is now higher than version in ucs_4.3-0:
> 
> root@master10:~# dpkg --compare-versions \
>    3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928 lt \
>    3.0.0-4+deb9u1A~4.3.0.201711231149 || echo fail
> fail

    $ ~/bin/deb-ver-comp ...
    ucs-4.2-3       3.0.0-2A~4.2.0.201702200932
    errata-4.2-3    3.0.0-4~bpo8+1A~4.2.0.201801261804
    NEW-4.2-3       3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
    ucs-4.3-0       3.0.0-4+deb9u1A~4.3.0.201711231149
    BROKEN-4.2-3    3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928
    errata-4.3-0    3.0.0-4+deb9u3A~4.3.0.201803150704
<http://xen1.knut.univention.de:8000/packages/source/libvirt/?since=4.2-0>

$ build-package-ng -r 4.2 -s errata4.2-3 -p libvirt -v 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348

Package: libvirt
Version: 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348
Branch: ucs_4.2-0
Scope: errata4.2-3

[4.2-3] afecd85183 Bug #45635: libvirt 3.0.0-4+deb9u2~bpo8+1
 doc/errata/staging/libvirt.yaml | 2 +-


OK: errata-announce -V --only libvirt.yaml
OK: <http://10.200.17.11/4.2-3/#932684729351261464>
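The ordering problem from comments 7 and 8, as an added example that is not part of the original bug report: a small re-implementation of the Debian version ordering rules (no epoch handling), applied to the six versions listed in comment 8. The function names `compare`, `ascending` and `blocks_upgrade` belong to this example only; the labels and version strings are copied from comment 8.

```python
import re
from functools import cmp_to_key

def _order(c):  # weight of a character in a non-digit run; "" = end of string
    if c == "~":
        return -1  # '~' sorts before everything, even the end of the string
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before '+', '.', '-'

def _cmp_part(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs are compared character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return -1 if ac < bc else 1
            i, j = i + 1, j + 1
        # The digit runs that follow are compared as numbers (empty run = 0).
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        i, j = i + len(da), j + len(db)
    return 0

def compare(a, b):
    """-1, 0 or 1 for two epoch-less versions (no version on this page has an epoch)."""
    (ua, sa, ra), (ub, sb, rb) = a.rpartition("-"), b.rpartition("-")
    up = _cmp_part(ua if sa else a, ub if sb else b)  # upstream part first
    return up or _cmp_part(ra if sa else "", rb if sb else "")  # then the revision

# Versions and labels as listed in comment 8 of this bug.
VERSIONS = {
    "ucs-4.2-3": "3.0.0-2A~4.2.0.201702200932",
    "errata-4.2-3": "3.0.0-4~bpo8+1A~4.2.0.201801261804",
    "NEW-4.2-3": "3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348",
    "ucs-4.3-0": "3.0.0-4+deb9u1A~4.3.0.201711231149",
    "BROKEN-4.2-3": "3.0.0-4+deb9u2~bpo8+1A~4.2.0.201805081928",
    "errata-4.3-0": "3.0.0-4+deb9u3A~4.3.0.201803150704",
}

def ascending():  # labels sorted from lowest to highest version
    return sorted(VERSIONS, key=cmp_to_key(lambda x, y: compare(VERSIONS[x], VERSIONS[y])))

def blocks_upgrade(old, new):  # True if build `new` would not replace build `old`
    return compare(VERSIONS[old], VERSIONS[new]) >= 0
```

`blocks_upgrade("BROKEN-4.2-3", "ucs-4.3-0")` is true because `+deb9u2` outranks `+deb9u1` before the `~bpo8` suffix is ever looked at, while the re-versioned build starts its revision with `4~`, which sorts below every `4+...` revision.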
Comment 9 Quality Assurance univentionstaff 2018-05-09 14:10:44 CEST
--- mirror/ftp/4.2/unmaintained/4.2-0/source/libvirt_3.0.0-2A~4.2.0.201702200932.dsc
+++ apt/ucs_4.2-0-errata4.2-3/source/libvirt_3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348.dsc
@@ -1,14 +1,52 @@
-3.0.0-2A~4.2.0.201702200932 [Mon, 20 Feb 2017 09:32:09 +0100] Univention builddaemon <buildd@univention.de>:
+3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348 [Wed, 09 May 2018 13:48:43 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-Bug-35768-Bug-39685-Remove-UCS-dependencies
-    0002-Revert-Add-Breaks-for-older-systemd
     0021-Bug-19329-Allow-MD5-signatures
     0022-Bug-21860-Default-to-kvm32
     0023-Allow-to-migrate-and-undefine-domains-with-snapshots
     0024-Bug-22072-Re-scan-for-snapshots-after-migration-and-
     0025-Bug-40318-libvirt-Handle-qemu-kvm-1.1.2-migration-in
     0026-Bug-21501-add-slash-screen-support
+    0030-CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q
+    0031-CVE-2018-6764-virlog-determine-the-hostname-on-startup
+
+3.0.0-4+deb9u2~bpo8+1 [Mon, 19 Mar 2018 09:08:45 +0100] Gaudenz Steinlin <gaudenz@debian.org>:
+
+  * Rebuild for jessie-backports.
+
+3.0.0-4+deb9u2 [Sat, 20 Jan 2018 17:51:39 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * CVE-2018-5748: qemu: avoid denial of service reading from QEMU monitor
+    (Closes: #887700)
+  * qemu: shared disks with cache=directsync should be safe for migration.
+    Thanks to Carsten Burkhardt (Closes: #883208)
+
+3.0.0-4+deb9u1 [Mon, 16 Oct 2017 22:48:55 +0200] Guido Günther <agx@sigxcpu.org>:
+
+  * CVE-2017-1000256: qemu: ensure TLS clients always verify the server
+    certificate (Closes: #878799)
+
+3.0.0-4~bpo8+1 [Tue, 18 Apr 2017 23:09:46 +0200] Gaudenz Steinlin <gaudenz@debian.org>:
+
+  * Rebuild for jessie-backports.
+  * [43f5a1] Revert "Enable numad support"
+  * [db9711] Change libxml2-dev build dependency to fixed version from jessie
+  * [bceb2c] Revert "Add Breaks for older systemd"
+
+3.0.0-4 [Fri, 17 Mar 2017 11:20:13 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [2a23b23] qemu: skip QMP probing of CPU definitions when missing.
+    Don't probe CPU definitions if we lack the monitor command. This
+    unbreaks e.g. mips based VMs. (Closes: #85412)
+  * [21bc332] apprarmor: unbreak lbvirt invoking qemu-bridge-helpers
+    This makes VM creation in gnome-boxes work with apparmor enabled.
+
+3.0.0-3 [Mon, 27 Feb 2017 20:07:41 +0100] Guido Günther <agx@sigxcpu.org>:
+
+  * [62ad289] Debianize virtlogd
+  * [cb216b5] CVE-2017-2635: qemu: Don't update physical storage size of empty drives
+    (Closes: #856313)
 
 3.0.0-2 [Wed, 25 Jan 2017 07:04:08 +0100] Guido Günther <agx@sigxcpu.org>:
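Review bot: The build version on the first added line, 3.0.0-4~bpo8+deb9u2A~4.2.0.201805091348, sorts below the 3.0.0-4+deb9u2~bpo8+1 entry directly beneath it, and below plain 3.0.0-4, because a tilde orders before everything else, so the changelog is no longer in ascending version order. The top entry should carry a line stating that the revision was rewritten on purpose to stay below the version in the next release; without it the non-monotonic history reads like a packaging mistake.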
Comment 10 Arvid Requate univentionstaff 2018-05-09 14:21:54 CEST
Ok works now.
Comment 11 Arvid Requate univentionstaff 2018-05-09 14:46:43 CEST
<http://errata.software-univention.de/ucs/4.2/415.html>