Add changes to fedora-specific libvirt.spec forgotten in 0.8.2-4

libvirt-0.8.2-avoid-resetting-errors.patch

@@ -0,0 +1,51 @@
+From 66aaaf1af42d6f1e9f9b75bd1514c0c097e244e6 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Fri, 25 Mar 2011 16:45:45 +0100
+Subject: [PATCH 2/2] daemon: Avoid resetting errors before they are reported
+
+https://bugzilla.redhat.com/show_bug.cgi?id=690733
+
+Commit f44bfb7 was supposed to make sure no additional libvirt API (esp.
+*Free) is called before remoteDispatchConnError() is called on error.
+However, the patch missed two instances.
+(cherry picked from commit 55cc591fc18e87b29febf78dc5b424b7c12f7349)
+---
+ daemon/remote.c |    6 ++++--
+ 1 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index abf9cf3..8a25f05 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -4531,12 +4531,13 @@ remoteDispatchStoragePoolListVolumes (struct qemud_server *server ATTRIBUTE_UNUS
+     ret->names.names_len =
+         virStoragePoolListVolumes (pool,
+                                    ret->names.names_val, args->maxnames);
+-    virStoragePoolFree(pool);
+     if (ret->names.names_len == -1) {
+         VIR_FREE(ret->names.names_val);
+         remoteDispatchConnError(rerr, conn);
++        virStoragePoolFree(pool);
+         return -1;
+     }
++    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+@@ -4560,11 +4561,12 @@ remoteDispatchStoragePoolNumOfVolumes (struct qemud_server *server ATTRIBUTE_UNU
+     }
+ 
+     ret->num = virStoragePoolNumOfVolumes (pool);
+-    virStoragePoolFree(pool);
+     if (ret->num == -1) {
+         remoteDispatchConnError(rerr, conn);
++        virStoragePoolFree(pool);
+         return -1;
+     }
++    virStoragePoolFree(pool);
+ 
+     return 0;
+ }
+-- 
+1.7.3.4
+

libvirt-0.8.2-fix-var-lib-libvirt-permissions.patch

@@ -0,0 +1,44 @@
+From f970d802ab805f1a37af384f148f34e108714034 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Wed, 3 Nov 2010 15:20:24 -0600
+Subject: [PATCH] rpm: fix /var/lib/libvirt permissions
+
+https://bugzilla.redhat.com/show_bug.cgi?id=649511
+
+Regression of forcing 0700 permissions (which breaks guest startup
+because the qemu user can't see /var/lib/libvirt/*.monitor) was
+introduced in commit 66823690e, as part of libvirt 0.8.2.
+
+* libvirt.spec.in (%files): Drop %{_localstatedir}/lib/libvirt,
+since libvirt depends on libvirt-client.
+(%files client): Guarantee 755 permissions on
+%(_localstatedir}/lib/libvirt, since the qemu user must be able to
+do pathname resolution to a subdirectory.
+---
+ libvirt.spec.in |    3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index 813e0c0..f77626e 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -770,7 +770,6 @@ fi
+ 
+ %dir %{_localstatedir}/run/libvirt/
+ 
+-%dir %{_localstatedir}/lib/libvirt/
+ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
+ %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
+ %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
+@@ -862,7 +861,7 @@ fi
+ 
+ %{_sysconfdir}/rc.d/init.d/libvirt-guests
+ %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
+-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt
++%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt/
+ 
+ %if %{with_sasl}
+ %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
+-- 
+1.7.3.4
+

libvirt-0.8.2-read-only-checks.patch

@@ -0,0 +1,95 @@
+From: Guido Günther <agx@sigxcpu.org>
+Date: Mon, 14 Mar 2011 02:56:28 +0000 (+0800)
+Subject: Add missing checks for read only connections
+X-Git-Url: http://libvirt.org/git/?p=libvirt.git;a=commitdiff_plain;h=71753cb7f7a16ff800381c0b5ee4e99eea92fed3;hp=13c00dde3171b3a38d23cceb3f9151cb6cac3dad
+
+Add missing checks for read only connections
+
+As pointed on CVE-2011-1146, some API forgot to check the read-only
+status of the connection for entry point which modify the state
+of the system or may lead to a remote execution using user data.
+The entry points concerned are:
+  - virConnectDomainXMLToNative
+  - virNodeDeviceDettach
+  - virNodeDeviceReAttach
+  - virNodeDeviceReset
+  - virDomainRevertToSnapshot
+  - virDomainSnapshotDelete
+
+* src/libvirt.c: fix the above set of entry points to error on read-only
+                 connections
+
+Rebased to 0.8.2, mostly changed the call of the error routines
+---
+
+--- src/libvirt.c.orig	2011-03-14 17:03:45.000000000 +0800
++++ src/libvirt.c	2011-03-14 17:10:41.000000000 +0800
+@@ -3190,6 +3190,10 @@ char *virConnectDomainXMLToNative(virCon
+         virDispatchError(NULL);
+         return (NULL);
+     }
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(NULL, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (nativeFormat == NULL || domainXml == NULL) {
+         virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__);
+@@ -9432,6 +9436,11 @@ virNodeDeviceDettach(virNodeDevicePtr de
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceDettach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceDettach (dev);
+@@ -9475,6 +9484,11 @@ virNodeDeviceReAttach(virNodeDevicePtr d
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReAttach) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReAttach (dev);
+@@ -9520,6 +9534,11 @@ virNodeDeviceReset(virNodeDevicePtr dev)
+         return (-1);
+     }
+ 
++    if (dev->conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(dev->conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
++
+     if (dev->conn->driver->nodeDeviceReset) {
+         int ret;
+         ret = dev->conn->driver->nodeDeviceReset (dev);
+@@ -12775,6 +12794,10 @@ virDomainRevertToSnapshot(virDomainSnaps
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainRevertToSnapshot) {
+         int ret = conn->driver->domainRevertToSnapshot(snapshot, flags);
+@@ -12821,6 +12844,10 @@ virDomainSnapshotDelete(virDomainSnapsho
+     }
+ 
+     conn = snapshot->domain->conn;
++    if (conn->flags & VIR_CONNECT_RO) {
++        virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__);
++        goto error;
++    }
+ 
+     if (conn->driver->domainSnapshotDelete) {
+         int ret = conn->driver->domainSnapshotDelete(snapshot, flags);

libvirt.spec

@@ -185,7 +185,7 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.8.2
-Release: 1%{?dist}%{?extra_release}
+Release: 6%{?dist}%{?extra_release}
 License: LGPLv2+
 Group: Development/Libraries
 Source: http://libvirt.org/sources/libvirt-%{version}.tar.gz
@@ -203,6 +203,13 @@ Patch10: libvirt-0.8.2-10-qemu-img-format-handling.patch
 Patch11: libvirt-0.8.2-11-storage-vol-backing.patch
 # CVE-2010-2242
 Patch12: libvirt-0.8.2-apply-iptables-sport-mapping.patch
+# CVE-2011-1146
+Patch13: libvirt-0.8.2-read-only-checks.patch
+Patch14: libvirt-0.8.2-fix-var-lib-libvirt-permissions.patch
+# Patches 15, 16  CVE-2011-1486
+Patch15: libvirt-0.8.2-threadsafe-libvirtd-error-reporting.patch
+Patch16: libvirt-0.8.2-avoid-resetting-errors.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 URL: http://libvirt.org/
 BuildRequires: python-devel
@@ -450,6 +457,10 @@ of recent versions of Linux (and other OSes).
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p0
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
 
 %build
 %if ! %{with_xen}
@@ -804,7 +815,6 @@ fi
 
 %dir %{_localstatedir}/run/libvirt/
 
-%dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
 %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
@@ -896,7 +906,7 @@ fi
 
 %{_sysconfdir}/rc.d/init.d/libvirt-guests
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirt-guests
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt
+%dir %attr(0755, root, root) %{_localstatedir}/lib/libvirt
 
 %if %{with_sasl}
 %config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf
@@ -937,6 +947,22 @@ fi
 %endif
 
 %changelog
+* Tue Apr  5 2011 Laine Stump <laine@redhat.com> 0.8.2-6
+- Add changes to fedora-specific libvirt.spec forgotten in 0.8.2-4
+
+* Tue Apr  5 2011 Laine Stump <laine@redhat.com> 0.8.2-5
+- Fix for CVE-2011-1486, error reporting in libvirtd is not thread safe,
+  bug 693457
+
+* Mon Apr  4 2011 Laine Stump <laine@redhat.com> 0.8.2-4
+- fix permissions on /var/lib/libvirt
+
+* Wed Mar 16 2011 Daniel Veillard <veillard@redhat.com> - 0.8.2-3
+- fix one crash in the the error handling for previous patch
+
+* Tue Mar 15 2011 Daniel Veillard <veillard@redhat.com> - 0.8.2-2
+- Fix for CVE-2011-1146, missing checks on read-only connections bug 683655
+
 * Thu Jun 17 2010 Cole Robinson <crobinso@redhat.com> - 0.7.7-5.fc13
 - Add qemu.conf options for audio workaround
 - Fix parsing certain USB sysfs files (bz 598272)