Fix CVE-2010-2237, CVE-2010-2238, CVE-2010-2239, CVE-2010-2242

- Snapshotting support (QEmu/VBox/ESX)
- Network filtering API
- XenAPI driver
- new APIs for domain events
- Libvirt managed save API
- timer subselection for domain clock
- synchronous hooks
- API to update guest CPU to host CPU
- virDomainUpdateDeviceFlags new API
- migrate max downtime API
- volume wiping API
- and many bug fixes
Daniel

branch

@@ -1 +0,0 @@
-F-13

libvirt-0.8.2-avoid-resetting-errors.patch

@@ -1,51 +0,0 @@
-From 66aaaf1af42d6f1e9f9b75bd1514c0c097e244e6 Mon Sep 17 00:00:00 2001
-From: Jiri Denemark <jdenemar@redhat.com>
-Date: Fri, 25 Mar 2011 16:45:45 +0100
-Subject: [PATCH 2/2] daemon: Avoid resetting errors before they are reported
-
-https://bugzilla.redhat.com/show_bug.cgi?id=690733
-
-Commit f44bfb7 was supposed to make sure no additional libvirt API (esp.
-*Free) is called before remoteDispatchConnError() is called on error.
-However, the patch missed two instances.
-(cherry picked from commit 55cc591fc18e87b29febf78dc5b424b7c12f7349)
----
- daemon/remote.c |    6 ++++--
- 1 files changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/daemon/remote.c b/daemon/remote.c
-index abf9cf3..8a25f05 100644
---- a/daemon/remote.c
-+++ b/daemon/remote.c
-@@ -4531,12 +4531,13 @@ remoteDispatchStoragePoolListVolumes (struct qemud_server *server ATTRIBUTE_UNUS
-     ret->names.names_len =
-         virStoragePoolListVolumes (pool,
-                                    ret->names.names_val, args->maxnames);
--    virStoragePoolFree(pool);
-     if (ret->names.names_len == -1) {
-         VIR_FREE(ret->names.names_val);
-         remoteDispatchConnError(rerr, conn);
-+        virStoragePoolFree(pool);
-         return -1;
-     }
-+    virStoragePoolFree(pool);
- 
-     return 0;
- }
-@@ -4560,11 +4561,12 @@ remoteDispatchStoragePoolNumOfVolumes (struct qemud_server *server ATTRIBUTE_UNU
-     }
- 
-     ret->num = virStoragePoolNumOfVolumes (pool);
--    virStoragePoolFree(pool);
-     if (ret->num == -1) {
-         remoteDispatchConnError(rerr, conn);
-+        virStoragePoolFree(pool);
-         return -1;
-     }
-+    virStoragePoolFree(pool);
- 
-     return 0;
- }
--- 
-1.7.3.4
-

libvirt-0.8.2-fix-var-lib-libvirt-permissions.patch

@@ -1,44 +0,0 @@
-From f970d802ab805f1a37af384f148f34e108714034 Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Wed, 3 Nov 2010 15:20:24 -0600
-Subject: [PATCH] rpm: fix /var/lib/libvirt permissions
-
-https://bugzilla.redhat.com/show_bug.cgi?id=649511
-
-Regression of forcing 0700 permissions (which breaks guest startup
-because the qemu user can't see /var/lib/libvirt/*.monitor) was
-introduced in commit 66823690e, as part of libvirt 0.8.2.
-
-* libvirt.spec.in (%files): Drop %{_localstatedir}/lib/libvirt,
-since libvirt depends on libvirt-client.
-(%files client): Guarantee 755 permissions on
-%(_localstatedir}/lib/libvirt, since the qemu user must be able to
-do pathname resolution to a subdirectory.
----
- libvirt.spec.in |    3 +--
- 1 files changed, 1 insertions(+), 2 deletions(-)
-
-diff --git a/libvirt.spec.in b/libvirt.spec.in
-index 813e0c0..f77626e 100644
---- a/libvirt.spec.in
-+++ b/libvirt.spec.in
-@@ -770,7 +770,6 @@ fi
- 
- %dir %{_localstatedir}/run/libvirt/
- 
--%dir %{_localstatedir}/lib/libvirt/
- %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
- %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
- %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
-@@ -862,7 +861,7 @@ fi
- 
- %{_sysconfdir}/rc.d/init.d/libvirt-guests
- %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
--%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt
-+%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
- 
- %if %{with_sasl}
- %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
--- 
-1.7.3.4
-

libvirt-0.8.2-read-only-checks.patch

@@ -1,95 +0,0 @@
-From: Guido Günther <agx@sigxcpu.org>
-Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
-Subject: Add missing checks for read only connections
-X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
-
-Add missing checks for read only connections
-
-As pointed on CVE-2011-1146, some API forgot to check the read-only
-status of the connection for entry point which modify the state
-of the system or may lead to a remote execution using user data.
-The entry points concerned are:
-  - virConnectDomainXMLToNative
-  - virNodeDeviceDettach
-  - virNodeDeviceReAttach
-  - virNodeDeviceReset
-  - virDomainRevertToSnapshot
-  - virDomainSnapshotDelete
-
-* src/libvirt.c: fix the above set of entry points to error on read-only
-                 connections
-
-Rebased to 0.8.2, mostly changed the call of the error routines
----
-
---- src/libvirt.c.orig	2011-03-14 17:03:45.000000000 +0800
-+++ src/libvirt.c	2011-03-14 17:10:41.000000000 +0800
-@@ -3190,6 +3190,10 @@ char *virConnectDomainXMLToNative(virCon
-         virDispatchError(NULL);
-         return (NULL);
-     }
-+    if (conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(NULL, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
- 
-     if (nativeFormat == NULL || domainXml == NULL) {
-         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
-@@ -9432,6 +9436,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
-         return (-1);
-     }
- 
-+    if (dev->conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
-+
-     if (dev->conn->driver->nodeDeviceDettach) {
-         int ret;
-         ret = dev->conn->driver->nodeDeviceDettach (dev);
-@@ -9475,6 +9484,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
-         return (-1);
-     }
- 
-+    if (dev->conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
-+
-     if (dev->conn->driver->nodeDeviceReAttach) {
-         int ret;
-         ret = dev->conn->driver->nodeDeviceReAttach (dev);
-@@ -9520,6 +9534,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
-         return (-1);
-     }
- 
-+    if (dev->conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
-+
-     if (dev->conn->driver->nodeDeviceReset) {
-         int ret;
-         ret = dev->conn->driver->nodeDeviceReset (dev);
-@@ -12775,6 +12794,10 @@ virDomainRevertToSnapshot(virDomainSnaps
-     }
- 
-     conn = snapshot->domain->conn;
-+    if (conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
- 
-     if (conn->driver->domainRevertToSnapshot) {
-         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
-@@ -12821,6 +12844,10 @@ virDomainSnapshotDelete(virDomainSnapsho
-     }
- 
-     conn = snapshot->domain->conn;
-+    if (conn->flags & VIR_CONNECT_RO) {
-+        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
-+        goto error;
-+    }
- 
-     if (conn->driver->domainSnapshotDelete) {
-         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);

libvirt.spec

@@ -185,7 +185,7 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.8.2
-Release: 6%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
@@ -203,13 +203,6 @@ Patch10: libvirt-0.8.2-10-qemu-img-format-handling.patch
 Patch11: libvirt-0.8.2-11-storage-vol-backing.patch
 # CVE-2010-2242
 Patch12: libvirt-0.8.2-apply-iptables-sport-mapping.patch
-# CVE-2011-1146
-Patch13: libvirt-0.8.2-read-only-checks.patch
-Patch14: libvirt-0.8.2-fix-var-lib-libvirt-permissions.patch
-# Patches 15, 16  CVE-2011-1486
-Patch15: libvirt-0.8.2-threadsafe-libvirtd-error-reporting.patch
-Patch16: libvirt-0.8.2-avoid-resetting-errors.patch
-
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
 BuildRequires: python-devel
@@ -457,10 +450,6 @@ of recent versions of Linux (and other OSes).
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
-%patch13 -p0
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
 
 %build
 %if ! %{with_xen}
@@ -815,6 +804,7 @@ fi
 
 %dir %{_localstatedir}/run/libvirt/
 
+%dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
 %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
@@ -906,7 +896,7 @@ fi
 
 %{_sysconfdir}/rc.d/init.d/libvirt-guests
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
-%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt
+%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt
 
 %if %{with_sasl}
 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
@@ -947,43 +937,48 @@ fi
 %endif
 
 %changelog
-* Tue Apr  5 2011 Laine Stump <laine@redhat.com> 0.8.2-6
-- Add changes to fedora-specific libvirt.spec forgotten in 0.8.2-4
+* Mon Jul 12 2010 Daniel P. Berrange <berrange@redhat.com> - 0.8.2-2
+- CVE-2010-2237 ignoring defined main disk format when looking up disk backing stores
+- CVE-2010-2238 ignoring defined disk backing store format when recursing into disk
+  image backing stores
+- CVE-2010-2239 not setting user defined backing store format when creating new image
+- CVE-2010-2242 libvirt: improperly mapped source privileged ports may allow for
+  obtaining privileged resources on the host
 
-* Tue Apr  5 2011 Laine Stump <laine@redhat.com> 0.8.2-5
-- Fix for CVE-2011-1486, error reporting in libvirtd is not thread safe,
-  bug 693457
+* Mon Jul  5 2010 Daniel Veillard <veillard@redhat.com> - 0.8.2-1
+- Upstream release 0.8.2
+- phyp: adding support for IVM
+- libvirt: introduce domainCreateWithFlags API
+- add 802.1Qbh and 802.1Qbg switches handling
+- Support for VirtualBox version 3.2
+- Init script for handling guests on shutdown/boot
+- qemu: live migration with non-shared storage for kvm
 
-* Mon Apr  4 2011 Laine Stump <laine@redhat.com> 0.8.2-4
-- fix permissions on /var/lib/libvirt
+* Fri Apr 30 2010 Daniel Veillard <veillard@redhat.com> - 0.8.1-1
+- Upstream release 0.8.1
+- Starts dnsmasq from libvirtd with --dhcp-hostsfile
+- Add virDomainGetBlockInfo API to query disk sizing
+- a lot of bug fixes and cleanups
 
-* Wed Mar 16 2011 Daniel Veillard <veillard@redhat.com> - 0.8.2-3
-- fix one crash in the the error handling for previous patch
+* Mon Apr 12 2010 Daniel Veillard <veillard@redhat.com> - 0.8.0-1
+- Upstream release 0.8.0
+- Snapshotting support (QEmu/VBox/ESX)
+- Network filtering API
+- XenAPI driver
+- new APIs for domain events
+- Libvirt managed save API
+- timer subselection for domain clock
+- synchronous hooks
+- API to update guest CPU to host CPU
+- virDomainUpdateDeviceFlags new API
+- migrate max downtime API
+- volume wiping API
+- and many bug fixes
 
-* Tue Mar 15 2011 Daniel Veillard <veillard@redhat.com> - 0.8.2-2
-- Fix for CVE-2011-1146, missing checks on read-only connections bug 683655
+* Tue Mar 30 2010 Richard W.M. Jones <rjones@redhat.com> - 0.7.7-3.fc14
+- No change, just rebuild against new libparted with bumped soname.
 
-* Thu Jun 17 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-5.fc13
-- Add qemu.conf options for audio workaround
-- Fix parsing certain USB sysfs files (bz 598272)
-- Sanitize pool target paths (bz 494005)
-- Add qemu.conf for clear emulator capabilities
-- Prevent libvirtd inside a VM from breaking network access (bz 235961)
-- Mention --all in 'virsh list' docs (bz 575512)
-- Initscript fixes (bz 565238)
-- List wireless interfaces via nodedev-list (bz 596928)
-
-* Tue May 18 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-4.fc13
-- Fix nodedev XML conversion errors (bz 591262)
-- Fix PCI xml decimal parsing (bz 582752)
-- Fix CDROM media connect/eject (bz 582005)
-- Always report qemu startup output on error (bz 581381)
-- Fix crash from 'virsh dominfo' if secdriver disabled (bz 581166)
-
-* Tue Apr 20 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-3.fc13
-- Fix slow storage volume allocation (bz 582356)
-
-* Mon Mar 22 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-2.fc13
+* Mon Mar 22 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-2.fc14
 - Fix USB devices by product with security enabled (bz 574136)
 - Set kernel/initrd in security driver, fixes some URL installs (bz 566425)