author | 2009-01-09 04:31:31 +0000 | |
---|---|---|
committer | 2009-01-09 04:31:31 +0000 | |
commit | ac119d7b4186109f18343af631c5ef856f27693e (patch) | |
tree | ca8e1fbe6927a3ce579e7a5438bdbda2f1cb9465 /app-emulation | |
parent | Add lxc and uml use flags for libvirt (diff) | |
Bump libvirt to 0.5.1 and fix CVE-2008-5086
(Portage version: 2.1.6.4/cvs/Linux 2.6.28-00001-g607f448 x86_64)
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/libvirt/ChangeLog | 15 | ||||
-rw-r--r-- | app-emulation/libvirt/files/libvirt-0.4.6-add-missing-permission-checks.patch | 127 | ||||
-rw-r--r-- | app-emulation/libvirt/files/libvirt-0.5.1-add-missing-permission-checks.patch | 161 | ||||
-rw-r--r-- | app-emulation/libvirt/files/libvirt-0.5.1-libgnu-reposition.patch | 21 | ||||
-rw-r--r-- | app-emulation/libvirt/libvirt-0.4.6-r1.ebuild (renamed from app-emulation/libvirt/libvirt-0.4.6.ebuild) | 5 | ||||
-rw-r--r-- | app-emulation/libvirt/libvirt-0.5.1.ebuild (renamed from app-emulation/libvirt/libvirt-0.4.4-r2.ebuild) | 43 | ||||
-rw-r--r-- | app-emulation/libvirt/metadata.xml | 3 |
7 files changed, 357 insertions, 18 deletions
diff --git a/app-emulation/libvirt/ChangeLog b/app-emulation/libvirt/ChangeLog
index cdb63ec20d88..73ed7e1ea1ce 100644
--- a/app-emulation/libvirt/ChangeLog
+++ b/app-emulation/libvirt/ChangeLog
@@ -1,6 +1,17 @@
 # ChangeLog for app-emulation/libvirt
-# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.18 2008/11/23 22:54:37 marineam Exp $
+# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/ChangeLog,v 1.19 2009/01/09 04:31:31 marineam Exp $
+
+*libvirt-0.5.1 (09 Jan 2009)
+*libvirt-0.4.6-r1 (09 Jan 2009)
+
+ 09 Jan 2009; Michael Marineau <marineam@gentoo.org>
+ +files/libvirt-0.4.6-add-missing-permission-checks.patch,
+ +files/libvirt-0.5.1-add-missing-permission-checks.patch,
+ +files/libvirt-0.5.1-libgnu-reposition.patch, -libvirt-0.4.4-r2.ebuild,
+ -libvirt-0.4.6.ebuild, +libvirt-0.4.6-r1.ebuild, +libvirt-0.5.1.ebuild:
+ Fix security bypass (CVE-2008-5086), resolves bug #252205
+ Bump to 0.5.1, resolves bug #249102
 
 23 Nov 2008; Michael Marineau <marineam@gentoo.org> libvirt-0.4.4-r2.ebuild,
 libvirt-0.4.6.ebuild:
diff --git a/app-emulation/libvirt/files/libvirt-0.4.6-add-missing-permission-checks.patch b/app-emulation/libvirt/files/libvirt-0.4.6-add-missing-permission-checks.patch
new file mode 100644
index 000000000000..02b359f0903d
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-0.4.6-add-missing-permission-checks.patch
@@ -0,0 +1,127 @@
+--- libvirt-0.4.6/src/libvirt.c.orig 2008-09-22 09:12:12.000000000 -0400
++++ libvirt-0.4.6/src/libvirt.c 2009-01-08 23:11:35.000000000 -0500
+@@ -2180,6 +2180,16 @@
+ return NULL;
+ }
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++ if (dconn->flags & VIR_CONNECT_RO) {
++ /* NB, delibrately report error against source object, not dest here */
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ /* Check that migration is supported by both drivers. */
+ if (!VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn,
+ VIR_DRV_FEATURE_MIGRATION_V1) ||
+@@ -2257,6 +2267,11 @@
+ return -1;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+ if (dconn->driver->domainMigratePrepare)
+ return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+ uri_in, uri_out,
+@@ -2287,6 +2302,11 @@
+ }
+ conn = domain->conn;
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+ if (conn->driver->domainMigratePerform)
+ return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+ uri,
+@@ -2314,6 +2334,11 @@
+ return NULL;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ if (dconn->driver->domainMigrateFinish)
+ return dconn->driver->domainMigrateFinish (dconn, dname,
+ cookie, cookielen,
+@@ -2671,6 +2696,11 @@
+ }
+ conn = dom->conn;
+
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ if (!path) {
+ virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+ _("path is NULL"));
+@@ -2746,6 +2776,11 @@
+ }
+ conn = dom->conn;
+
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+ *
+ * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3013,6 +3048,11 @@
+
+ conn = domain->conn;
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ if (conn->driver->domainSetAutostart)
+ return conn->driver->domainSetAutostart (domain, autostart);
+
+@@ -3963,6 +4003,11 @@
+ return (-1);
+ }
+
++ if (network->conn->flags & VIR_CONNECT_RO) {
++ virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ conn = network->conn;
+
+ if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4161,6 +4206,11 @@
+ return NULL;
+ }
+
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ if (conn->storageDriver && conn->storageDriver->findPoolSources)
+ return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+
+@@ -4834,6 +4884,11 @@
+ return (-1);
+ }
+
++ if (pool->conn->flags & VIR_CONNECT_RO) {
++ virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ conn = pool->conn;
+
+ if (conn->storageDriver && conn->storageDriver->poolSetAutostart)
diff --git a/app-emulation/libvirt/files/libvirt-0.5.1-add-missing-permission-checks.patch b/app-emulation/libvirt/files/libvirt-0.5.1-add-missing-permission-checks.patch
new file mode 100644
index 000000000000..8f45718e000d
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-0.5.1-add-missing-permission-checks.patch
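Review bot: The 0.4.6 backport carries no provenance header, so unlike the 0.5.1 patch (which names upstream commit e87a5440dff8020d7247656368023e1b2d57415c) an auditor cannot tell which upstream fix it tracks or check it for completeness; add a line at the top of the file such as `Backport of upstream libvirt commit e87a5440dff8 "Add missing checks for read-only connection flag (CVE-2008-5086)" to 0.4.6`. Compared with that upstream commit this backport omits the checks in virDomainMigratePrepare2 and virDomainMigrateFinish2; that is presumably because 0.4.6's virDomainMigrate only tests VIR_DRV_FEATURE_MIGRATION_V1 and the V2 entry points do not exist there, but it should be confirmed against 0.4.6's src/libvirt.c, since any write path left unguarded keeps the read-only bypass open. Every hunk here is an excerpt whose enclosing function starts and ends outside the patch.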
@@ -0,0 +1,161 @@
+From: Daniel P. Berrange <berrange@redhat.com>
+Date: Wed, 17 Dec 2008 16:45:22 +0000 (+0000)
+Subject: Add missing checks for read-only connection flag (CVE-2008-5086)
+X-Git-Url: http://git.et.redhat.com/?p=libvirt.git;a=commitdiff_plain;h=e87a5440dff8020d7247656368023e1b2d57415c
+
+Add missing checks for read-only connection flag (CVE-2008-5086)
+---
+
+diff --git a/src/libvirt.c b/src/libvirt.c
+index a4a0df5..7efe1d0 100644
+--- a/src/libvirt.c
++++ b/src/libvirt.c
+@@ -2299,6 +2299,16 @@ virDomainMigrate (virDomainPtr domain,
+ return NULL;
+ }
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++ if (dconn->flags & VIR_CONNECT_RO) {
++ /* NB, delibrately report error against source object, not dest here */
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ /* Check that migration is supported by both drivers. */
+ if (VIR_DRV_SUPPORTS_FEATURE (conn->driver, conn,
+ VIR_DRV_FEATURE_MIGRATION_V1) &&
+@@ -2426,6 +2436,11 @@ virDomainMigratePrepare (virConnectPtr dconn,
+ return -1;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+ if (dconn->driver->domainMigratePrepare)
+ return dconn->driver->domainMigratePrepare (dconn, cookie, cookielen,
+ uri_in, uri_out,
+@@ -2457,6 +2472,11 @@ virDomainMigratePerform (virDomainPtr domain,
+ }
+ conn = domain->conn;
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+ if (conn->driver->domainMigratePerform)
+ return conn->driver->domainMigratePerform (domain, cookie, cookielen,
+ uri,
+@@ -2485,6 +2505,11 @@ virDomainMigrateFinish (virConnectPtr dconn,
+ return NULL;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ if (dconn->driver->domainMigrateFinish)
+ return dconn->driver->domainMigrateFinish (dconn, dname,
+ cookie, cookielen,
+@@ -2517,6 +2542,11 @@ virDomainMigratePrepare2 (virConnectPtr dconn,
+ return -1;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return -1;
++ }
++
+ if (dconn->driver->domainMigratePrepare2)
+ return dconn->driver->domainMigratePrepare2 (dconn, cookie, cookielen,
+ uri_in, uri_out,
+@@ -2547,6 +2577,11 @@ virDomainMigrateFinish2 (virConnectPtr dconn,
+ return NULL;
+ }
+
++ if (dconn->flags & VIR_CONNECT_RO) {
++ virLibConnError(dconn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ if (dconn->driver->domainMigrateFinish2)
+ return dconn->driver->domainMigrateFinish2 (dconn, dname,
+ cookie, cookielen,
+@@ -2905,6 +2940,11 @@ virDomainBlockPeek (virDomainPtr dom,
+ }
+ conn = dom->conn;
+
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ if (!path) {
+ virLibDomainError (dom, VIR_ERR_INVALID_ARG,
+ _("path is NULL"));
+@@ -2980,6 +3020,11 @@ virDomainMemoryPeek (virDomainPtr dom,
+ }
+ conn = dom->conn;
+
++ if (dom->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(dom, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ /* Flags must be VIR_MEMORY_VIRTUAL at the moment.
+ *
+ * Note on access to physical memory: A VIR_MEMORY_PHYSICAL flag is
+@@ -3247,6 +3292,11 @@ virDomainSetAutostart(virDomainPtr domain,
+
+ conn = domain->conn;
+
++ if (domain->conn->flags & VIR_CONNECT_RO) {
++ virLibDomainError(domain, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ if (conn->driver->domainSetAutostart)
+ return conn->driver->domainSetAutostart (domain, autostart);
+
+@@ -4197,6 +4247,11 @@ virNetworkSetAutostart(virNetworkPtr network,
+ return (-1);
+ }
+
++ if (network->conn->flags & VIR_CONNECT_RO) {
++ virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ conn = network->conn;
+
+ if (conn->networkDriver && conn->networkDriver->networkSetAutostart)
+@@ -4395,6 +4450,11 @@ virConnectFindStoragePoolSources(virConnectPtr conn,
+ return NULL;
+ }
+
++ if (conn->flags & VIR_CONNECT_RO) {
++ virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return NULL;
++ }
++
+ if (conn->storageDriver && conn->storageDriver->findPoolSources)
+ return conn->storageDriver->findPoolSources(conn, type, srcSpec, flags);
+
+@@ -5068,6 +5128,11 @@ virStoragePoolSetAutostart(virStoragePoolPtr pool,
+ return (-1);
+ }
+
++ if (pool->conn->flags & VIR_CONNECT_RO) {
++ virLibStoragePoolError(pool, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++ return (-1);
++ }
++
+ conn = pool->conn;
+
+ if (conn->storageDriver && conn->storageDriver->poolSetAutostart)
diff --git a/app-emulation/libvirt/files/libvirt-0.5.1-libgnu-reposition.patch b/app-emulation/libvirt/files/libvirt-0.5.1-libgnu-reposition.patch
new file mode 100644
index 000000000000..aad576cc1ae7
--- /dev/null
+++ b/app-emulation/libvirt/files/libvirt-0.5.1-libgnu-reposition.patch
@@ -0,0 +1,21 @@
+--- libvirt-0.5.1/qemud/Makefile.am.orig 2009-01-08 22:47:27.000000000 -0500
++++ libvirt-0.5.1/qemud/Makefile.am 2009-01-08 22:55:17.000000000 -0500
+@@ -87,8 +87,7 @@
+ $(COVERAGE_LDFLAGS) \
+ $(POLKIT_LIBS)
+
+-libvirtd_LDADD = \
+- ../gnulib/lib/libgnu.la
++libvirtd_LDADD =
+
+ if ! WITH_DRIVER_MODULES
+ if WITH_QEMU
+@@ -223,6 +222,8 @@
+
+ endif # DBUS_INIT_SCRIPTS_RED_HAT
+
++libvirtd_LDADD += ../gnulib/lib/libgnu.la
++
+ endif # WITH_LIBVIRTD
+
+ CLEANFILES = libvirtd.init
diff --git a/app-emulation/libvirt/libvirt-0.4.6.ebuild b/app-emulation/libvirt/libvirt-0.4.6-r1.ebuild
index 1d6fad6038c7..26fb70a79253 100644
--- a/app-emulation/libvirt/libvirt-0.4.6.ebuild
+++ b/app-emulation/libvirt/libvirt-0.4.6-r1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2008 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-0.4.6.ebuild,v 1.2 2008/11/23 22:54:37 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-0.4.6-r1.ebuild,v 1.1 2009/01/09 04:31:31 marineam Exp $
 inherit eutils autotools
@@ -41,6 +41,7 @@ src_unpack() {
 epatch "${FILESDIR}"/"${P}"-qemu-img-name.patch
 epatch "${FILESDIR}"/"${P}"-parallel-build-fix.patch
+ epatch "${FILESDIR}"/"${P}"-add-missing-permission-checks.patch
 eautoreconf
 }
diff --git a/app-emulation/libvirt/libvirt-0.4.4-r2.ebuild b/app-emulation/libvirt/libvirt-0.5.1.ebuild
index 962eb35b6232..1d3647f68613 100644
--- a/app-emulation/libvirt/libvirt-0.4.4-r2.ebuild
+++ b/app-emulation/libvirt/libvirt-0.5.1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2008 Gentoo Foundation
+# Copyright 1999-2009 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-0.4.4-r2.ebuild,v 1.2 2008/11/23 22:54:37 marineam Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/libvirt/libvirt-0.5.1.ebuild,v 1.1 2009/01/09 04:31:31 marineam Exp $
 inherit eutils autotools
@@ -11,7 +11,9 @@ SRC_URI="http://libvirt.org/sources/${P}.tar.gz"
 LICENSE="LGPL-2.1"
 SLOT="0"
 KEYWORDS="~amd64 ~x86"
-IUSE="avahi iscsi lvm kvm openvz parted qemu sasl selinux xen" #policykit is in package.mask
+IUSE="avahi iscsi lvm lxc hal kvm openvz parted qemu sasl selinux uml xen"
+# policykit is in package.mask
+# devicekit isn't in portage
 DEPEND="sys-libs/readline
 sys-libs/ncurses
@@ -38,22 +40,25 @@ DEPEND="sys-libs/readline
 src_unpack() {
 unpack ${A}
 cd "${S}"
- epatch "${FILESDIR}"/"${P}"-kvm-cdrom-fix.patch
-
- # app-emulation/kvm renames its binaries with kvm-* prefixes, deal with it
- # in a sane manner for libvirt but use qemu-img if the useflag is set
- if use kvm && ! use qemu ; then
- epatch "${FILESDIR}"/"${P}"-binary-paths.patch
- epatch "${FILESDIR}"/"${P}"-capabilities-kvm-path.patch
- fi
+ epatch "${FILESDIR}"/"${PN}"-0.4.6-qemu-img-name.patch
 epatch "${FILESDIR}"/"${PN}"-0.4.6-parallel-build-fix.patch
+ epatch "${FILESDIR}"/"${P}"-libgnu-reposition.patch
+ epatch "${FILESDIR}"/"${P}"-add-missing-permission-checks.patch
 eautoreconf
 }
 pkg_setup() {
- if ! use qemu && ! use xen && ! use openvz && ! use kvm ; then
- local msg="You must enable one of these USE flags: qemu xen openvz kvm"
+ local hasbackend=0
+ local backends="lxc kvm openvz qemu uml xen"
+ local backend
+
+ for backend in $backends ; do
+ use $backend && hasbackend=1
+ done
+
+ if [ "$hasbackend" == 0 ]; then
+ local msg="You must enable one of these USE flags: $backends"
 eerror "$msg"
 die "$msg"
 fi
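Review bot: In pkg_setup the new test `if [ "$hasbackend" == 0 ]; then` uses the bash-only `==` inside POSIX `[ ]`; ebuilds are bash, so write it with the bash conditional, `if [[ ${hasbackend} == 0 ]]; then`, which also avoids the quoting and word-splitting hazards of `[`. The loop deliberately relies on the unquoted `$backends` being word-split; a one-line comment above it, `# intentional: $backends is a space-separated list, do not quote`, would stop a later reader from quoting it and breaking the check. pkg_setup continues past the end of the hunk.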
@@ -62,6 +67,7 @@ pkg_setup() {
 src_compile() {
 local my_conf=""
 if use qemu || use kvm ; then
+ # fix path for kvm-img but use qemu-img if the useflag is set
 my_conf="--with-qemu \
 $(use_with !qemu qemu-img-name kvm-img)"
 else
@@ -71,14 +77,18 @@ src_compile() {
 econf \
 $(use_with avahi) \
 $(use_with iscsi storage-iscsi) \
- $(use_with kvm qemu-kvm-path /usr/bin/kvm) \
 $(use_with lvm storage-lvm) \
+ $(use_with lxc) \
+ $(use_with hal) \
 $(use_with openvz) \
 $(use_with parted storage-disk) \
 $(use_with sasl) \
 $(use_with selinux) \
+ $(use_with uml) \
 $(use_with xen) \
 ${my_conf} \
+ --without-devkit \
+ --without-polkit \
 --with-remote \
 --disable-iptables-lokkit \
 --localstatedir=/var \
@@ -94,3 +104,8 @@ src_install() {
 newinitd "${FILESDIR}"/libvirtd.init libvirtd
 newconfd "${FILESDIR}"/libvirtd.confd libvirtd
 }
+
+pkg_postinst() {
+ elog "To allow normal users to connect to libvirtd you must change the"
+ elog " unix sock group and/or perms in /etc/libvirt/libvirtd.conf"
+}
diff --git a/app-emulation/libvirt/metadata.xml b/app-emulation/libvirt/metadata.xml
index 1689562d30ee..218e515a2fb8 100644
--- a/app-emulation/libvirt/metadata.xml
+++ b/app-emulation/libvirt/metadata.xml
@@ -21,10 +21,13 @@ virtual machines</flag>
 <flag name='lvm'>Add support for the Logical Volume Manager
 <pkg>sys-apps/lvm2</pkg></flag>
+ <flag name='lxc'>Add support for the Linux Containers</flag>
 <flag name='openvz'>Add support for <pkg>sys-kernel/openvz-sources</pkg>
 OpenVZ-based virtual machines</flag>
 <flag name='parted'>Add support for the <pkg>sys-apps/parted</pkg>
 partition editor</flag>
+ <flag name='uml'>Add support for User Mode Linux based virtual
+ machines</flag>
 <flag name='qemu'>Add support for <pkg>app-emulation/qemu</pkg> based
 virtual machines</flag>
 <flag name='xen'>Add support for <pkg>app-emulation/xen</pkg> based |
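Review bot: With `--without-polkit` on the econf line, access to the libvirtd socket is controlled only by the socket's group and mode, so the pkg_postinst hint "unix sock group and/or perms" is too vague for a setting that hands out root-equivalent control of every domain. Name the keys and the consequence: `elog "To allow normal users to connect to libvirtd, set unix_sock_group and"` / `elog "unix_sock_rw_perms in /etc/libvirt/libvirtd.conf. Members of that group get"` / `elog "full control of all domains, so keep it small; use the read-only socket otherwise."` (the key names are those used by libvirtd.conf of this era; confirm against the installed file). This matters doubly here because the same commit backports CVE-2008-5086, whose whole point is that the read-only socket must not be able to act as the read-write one.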