From 96e2d486595c309885e4e58fee3b92c877211889 Mon Sep 17 00:00:00 2001 From: Adit Jha Date: Tue, 26 Mar 2024 18:30:37 -0700 Subject: [PATCH 1/3] Adding upstream patch file for CVE-2024-2496 --- SPECS/libvirt/libvirt.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SPECS/libvirt/libvirt.spec b/SPECS/libvirt/libvirt.spec index 9048c996af3..451fbbfa1ba 100644 --- a/SPECS/libvirt/libvirt.spec +++ b/SPECS/libvirt/libvirt.spec @@ -9,7 +9,7 @@ Summary: Virtualization API library that supports KVM, QEMU, Xen, ESX etc Name: libvirt Version: 7.10.0 -Release: 7%{?dist} +Release: 8%{?dist} License: LGPLv2+ Vendor: Microsoft Corporation Distribution: Mariner @@ -19,6 +19,7 @@ Source0: https://libvirt.org/sources/%{name}-%{version}.tar.xz # CVE-2023-2700 is fixed by https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 Patch1: CVE-2023-2700.patch Patch2: CVE-2024-1441.patch +Patch3: CVE-2024-2496.patch BuildRequires: audit-libs-devel BuildRequires: augeas @@ -1056,6 +1057,9 @@ exit 0 %{_libdir}/libnss_libvirt_guest.so.2 %changelog +* Tue Mar 26 2024 Adit Jha - 7.10.0-8 +- Introduce patch to address CVE-2024-2496 + * Tue Mar 19 2024 Muhammad Falak - 7.10.0-7 - Introduce patch to address CVE-2024-1441 From 5cab39ea53c50440385f4a93f77396d3daec2999 Mon Sep 17 00:00:00 2001 From: Adit Jha Date: Tue, 26 Mar 2024 18:30:58 -0700 Subject: [PATCH 2/3] Adding patch file --- SPECS/libvirt/CVE-2024-2496.patch | 88 +++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 SPECS/libvirt/CVE-2024-2496.patch diff --git a/SPECS/libvirt/CVE-2024-2496.patch b/SPECS/libvirt/CVE-2024-2496.patch new file mode 100644 index 00000000000..d318ca93e74 --- /dev/null +++ b/SPECS/libvirt/CVE-2024-2496.patch 
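Review bot: In the second libvirt.spec hunk (`@@ -19,6 +19,7 @@`), `Patch3: CVE-2024-2496.patch` is added without the provenance comment that the CVE-2023-2700 entry just above it carries, so the spec does not record which upstream commit the fix was taken from. A line such as `# CVE-2024-2496 is fixed by https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8` above `Patch3:` would let an auditor compare the vendored file against upstream. The hash is the one in the patch file's own `From` header, and the URL form copies the existing CVE-2023-2700 comment.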
@@ -0,0 +1,88 @@ +From 2ca94317ac642a70921947150ced8acc674ccdc8 Mon Sep 17 00:00:00 2001 +From: Dmitry Frolov +Date: Tue, 12 Sep 2023 15:56:47 +0300 +Subject: [PATCH] interface: fix udev_device_get_sysattr_value return value + check + +Reviewing the code I found that return value of function +udev_device_get_sysattr_value() is dereferenced without a check. +udev_device_get_sysattr_value() may return NULL by number of reasons. + +v2: VIR_DEBUG added, replaced STREQ(NULLSTR()) with STREQ_NULLABLE() +v3: More checks added, to skip earlier. More verbose VIR_DEBUG. + +Signed-off-by: Dmitry Frolov +Reviewed-by: Martin Kletzander +--- + src/interface/interface_backend_udev.c | 26 +++++++++++++++++++------- + 1 file changed, 19 insertions(+), 7 deletions(-) + +diff --git a/src/interface/interface_backend_udev.c b/src/interface/interface_backend_udev.c +index a0485ddd21..fb6799ed94 100644 +--- a/src/interface/interface_backend_udev.c ++++ b/src/interface/interface_backend_udev.c +@@ -23,6 +23,7 @@ + #include + #include + ++#include "virlog.h" + #include "virerror.h" + #include "virfile.h" + #include "datatypes.h" +@@ -40,6 +41,8 @@ + + #define VIR_FROM_THIS VIR_FROM_INTERFACE + ++VIR_LOG_INIT("interface.interface_backend_udev"); ++ + struct udev_iface_driver { + struct udev *udev; + /* pid file FD, ensures two copies of the driver can't use the same root */ +@@ -354,11 +357,20 @@ udevConnectListAllInterfaces(virConnectPtr conn, + const char *macaddr; + g_autoptr(virInterfaceDef) def = NULL; + +- path = udev_list_entry_get_name(dev_entry); +- dev = udev_device_new_from_syspath(udev, path); +- name = udev_device_get_sysname(dev); ++ if (!(path = udev_list_entry_get_name(dev_entry))) { ++ VIR_DEBUG("Skipping interface, path == NULL"); ++ continue; ++ } ++ if (!(dev = udev_device_new_from_syspath(udev, path))) { ++ VIR_DEBUG("Skipping interface '%s', dev == NULL", path); ++ continue; ++ } ++ if (!(name = udev_device_get_sysname(dev))) { ++ VIR_DEBUG("Skipping interface '%s', 
name == NULL", path); ++ continue; ++ } + macaddr = udev_device_get_sysattr_value(dev, "address"); +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + def = udevGetMinimalDefForDevice(dev); + if (!virConnectListAllInterfacesCheckACL(conn, def)) { +@@ -964,9 +976,9 @@ udevGetIfaceDef(struct udev *udev, const char *name) + + /* MTU */ + mtu_str = udev_device_get_sysattr_value(dev, "mtu"); +- if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { ++ if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, +- _("Could not parse MTU value '%1$s'"), mtu_str); ++ _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str)); + goto error; + } + ifacedef->mtu = mtu; +@@ -1089,7 +1101,7 @@ udevInterfaceIsActive(virInterfacePtr ifinfo) + goto cleanup; + + /* Check if it's active or not */ +- status = STREQ(udev_device_get_sysattr_value(dev, "operstate"), "up"); ++ status = STREQ_NULLABLE(udev_device_get_sysattr_value(dev, "operstate"), "up"); + + udev_device_unref(dev); + +-- +GitLab From c20794a905ec5cbe3813a3a36efb310c140eff0b Mon Sep 17 00:00:00 2001 From: Adit Jha Date: Wed, 27 Mar 2024 17:19:29 -0700 Subject: [PATCH 3/3] fixing patch issue --- SPECS/libvirt/CVE-2024-2496.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SPECS/libvirt/CVE-2024-2496.patch b/SPECS/libvirt/CVE-2024-2496.patch index d318ca93e74..86151b48fb7 100644 --- a/SPECS/libvirt/CVE-2024-2496.patch +++ b/SPECS/libvirt/CVE-2024-2496.patch 
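Review bot: In the udevConnectListAllInterfaces hunk of the vendored patch, the new `name == NULL` branch does `continue` after udev_device_new_from_syspath() has already returned a device, and no unref is visible on that path. Unless `dev` is declared with an automatic cleanup outside the hunk, each interface skipped this way leaks one udev device reference in a long-running daemon; `udev_device_unref(dev);` before that `continue` would close it. The loop body starts and ends outside the hunk, so the declaration of `dev` and the normal-path unref are not visible here. `macaddr` is still assigned from udev_device_get_sysattr_value() without a check, so its later use (outside the hunk) should be confirmed to accept NULL.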
@@ -70,8 +70,8 @@ index a0485ddd21..fb6799ed94 100644
 - if (virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
 + if (!mtu_str || virStrToLong_ui(mtu_str, NULL, 10, &mtu) < 0) {
 virReportError(VIR_ERR_INTERNAL_ERROR,
-- _("Could not parse MTU value '%1$s'"), mtu_str);
-+ _("Could not parse MTU value '%1$s'"), NULLSTR(mtu_str));
+- _("Could not parse MTU value '%s'"), mtu_str);
++ _("Could not parse MTU value '%s'"), NULLSTR(mtu_str));
 goto error;
 }
 ifacedef->mtu = mtu;
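Review bot: After this edit the vendored file still presents itself as upstream commit 2ca94317ac642a70921947150ced8acc674ccdc8, but its MTU hunk no longer matches that commit: both the removed and the added line now use `'%s'` where the file previously had `'%1$s'`. Neither the patch header nor the commit message ("fixing patch issue") records the change, which is presumably there so the hunk applies to the 7.10.0 sources. A short line in the patch file's description, for example `Modified for 7.10.0: format string uses '%s' instead of upstream '%1$s'`, would keep the deviation visible to anyone later diffing the security fix against upstream.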