[PATCH for 6.6.0] news: Document recent CVE fix

Michal Privoznik posted 1 patch 2 weeks ago
Test syntax-check failed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/libvirt tags/patchew/b499e388349d73b4b6bb982ff5cc6546168192df.1595836475.git.mprivozn@redhat.com
NEWS.rst | 7 +++++++
1 file changed, 7 insertions(+)

[PATCH for 6.6.0] news: Document recent CVE fix

Posted by Michal Privoznik 2 weeks ago
Document the fix of leaking /dev/mapper/control to QEMU (fixed in
v6.6.0-rc1-3-g2249455654).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 NEWS.rst | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/NEWS.rst b/NEWS.rst
index ff977968c7..8b53d21b8a 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -33,6 +33,13 @@ v6.6.0 (unreleased)
 
 * **Bug fixes**
 
+  * virdevmapper: Don't use libdevmapper to obtain dependencies
+
+    When building domain's private ``/dev`` in a namespace, libdevmapper was
+    consulted for getting full dependency tree of domain's disks. However, this
+    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
+    and was leaked to QEMU. CVE-2020-14339
+
 
 v6.5.0 (2020-07-03)
 ===================
-- 
2.26.2

Re: [PATCH for 6.6.0] news: Document recent CVE fix

Posted by Andrea Bolognani 2 weeks ago
On Mon, 2020-07-27 at 09:54 +0200, Michal Privoznik wrote:
> Document the fix of leaking /dev/mapper/control to QEMU (fixed in
> v6.6.0-rc1-3-g2249455654).
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  NEWS.rst | 7 +++++++
>  1 file changed, 7 insertions(+)

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

-- 
Andrea Bolognani / Red Hat / Virtualization

Re: [PATCH for 6.6.0] news: Document recent CVE fix

Posted by Peter Krempa 2 weeks ago
On Mon, Jul 27, 2020 at 09:54:50 +0200, Michal Privoznik wrote:
> Document the fix of leaking /dev/mapper/control to QEMU (fixed in
> v6.6.0-rc1-3-g2249455654).
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  NEWS.rst | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/NEWS.rst b/NEWS.rst
> index ff977968c7..8b53d21b8a 100644
> --- a/NEWS.rst
> +++ b/NEWS.rst
> @@ -33,6 +33,13 @@ v6.6.0 (unreleased)
>  
>  * **Bug fixes**
>  
> +  * virdevmapper: Don't use libdevmapper to obtain dependencies
> +
> +    When building domain's private ``/dev`` in a namespace, libdevmapper was
> +    consulted for getting full dependency tree of domain's disks. However, this
> +    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
> +    and was leaked to QEMU. CVE-2020-14339

I see that these were pushed now, but I can't find them in the list. I
presume you went through libvirt-security for review. Please post them
to libvir-list anyways for future reference.

Re: [PATCH for 6.6.0] news: Document recent CVE fix

Posted by Michal Privoznik 2 weeks ago
On 7/27/20 10:04 AM, Peter Krempa wrote:
> On Mon, Jul 27, 2020 at 09:54:50 +0200, Michal Privoznik wrote:
>> Document the fix of leaking /dev/mapper/control to QEMU (fixed in
>> v6.6.0-rc1-3-g2249455654).
>>
>> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>> ---
>>   NEWS.rst | 7 +++++++
>>   1 file changed, 7 insertions(+)
>>
>> diff --git a/NEWS.rst b/NEWS.rst
>> index ff977968c7..8b53d21b8a 100644
>> --- a/NEWS.rst
>> +++ b/NEWS.rst
>> @@ -33,6 +33,13 @@ v6.6.0 (unreleased)
>>   
>>   * **Bug fixes**
>>   
>> +  * virdevmapper: Don't use libdevmapper to obtain dependencies
>> +
>> +    When building domain's private ``/dev`` in a namespace, libdevmapper was
>> +    consulted for getting full dependency tree of domain's disks. However, this
>> +    meant that libdevmapper opened ``/dev/mapper/control`` which wasn't closed
>> +    and was leaked to QEMU. CVE-2020-14339
> 
> I see that these were pushed now, but I can't find them in the list. I
> presume you went through libvirt-security for review. Please post them
> to libvir-list anyways for future reference.
> 

Indeed. The bug was made private (mistakenly) for a brief moment thus I 
figured to send the patches on the -security list. Then the mistake was 
fixed and now I look like I don't know what I'm doing (which is not 
necessarily untrue :-D).

Michal