diff --git a/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch b/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch new file mode 100644 index 0000000..21c1da3 --- /dev/null +++ b/0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch @@ -0,0 +1,53 @@ +From 811738592be072be6329d320219a288194b5bb3e Mon Sep 17 00:00:00 2001 +From: Jim Fehlig +Date: Mon, 17 Mar 2014 14:22:44 -0600 +Subject: [PATCH] libxl: fix framebuffer port setting for HVM domains + +libxl uses the libxl_vnc_info and libxl_sdl_info fields from the +hvm union in libxl_domain_build_info struct when generating QEMU +args for VNC or SDL. These fields were left unset by the libxl +driver, causing libxl to ignore any user settings. E.g. with + + + +port would be ignored and QEMU would instead be invoked with + + -vnc 127.0.0.1:0,to=99 + +Unlike the libxl_domain_config struct, the libxl_domain_build_info +contains only a single libxl_vnc_info and libxl_sdl_info, so +populate these fields from the first vfb in +libxl_domain_config->vfbs. + +Signed-off-by: Jim Fehlig +Signed-off-by: David Kiarie +(cherry picked from commit b55cc5f4e31b488c4f9c3c8470c992c1f8f5d09c) +--- + src/libxl/libxl_conf.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c +index d4226b8..f796804 100644 +--- a/src/libxl/libxl_conf.c ++++ b/src/libxl/libxl_conf.c +@@ -1003,6 +1003,20 @@ libxlMakeVfbList(libxlDriverPrivatePtr driver, + d_config->vkbs = x_vkbs; + d_config->num_vfbs = d_config->num_vkbs = nvfbs; + ++ /* ++ * VNC or SDL info must also be set in libxl_domain_build_info ++ * for HVM domains. Use the first vfb device. ++ */ ++ if (STREQ(def->os.type, "hvm")) { ++ libxl_domain_build_info *b_info = &d_config->b_info; ++ libxl_device_vfb vfb = d_config->vfbs[0]; ++ ++ if (libxl_defbool_val(vfb.vnc.enable)) ++ memcpy(&b_info->u.hvm.vnc, &vfb.vnc, sizeof(libxl_vnc_info)); ++ else if (libxl_defbool_val(vfb.sdl.enable)) ++ memcpy(&b_info->u.hvm.sdl, &vfb.sdl, sizeof(libxl_sdl_info)); ++ } ++ + return 0; + + error: diff --git a/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch b/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch new file mode 100644 index 0000000..c030d3e --- /dev/null +++ b/0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch @@ -0,0 +1,37 @@ +From 46de45d079ae2622660fe147cf237ee617cc461c Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" +Date: Tue, 15 Apr 2014 11:20:29 +0100 +Subject: [PATCH] LSN-2014-0003: Don't expand entities when parsing XML + +If the XML_PARSE_NOENT flag is passed to libxml2, then any +entities in the input document will be fully expanded. This +allows the user to read arbitrary files on the host machine +by creating an entity pointing to a local file. Removing +the XML_PARSE_NOENT flag means that any entities are left +unchanged by the parser, or expanded to "" by the XPath +APIs. + +Signed-off-by: Daniel P. Berrange +(cherry picked from commit d6b27d3e4c40946efa79e91d134616b41b1666c4) +--- + src/util/virxml.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/util/virxml.c b/src/util/virxml.c +index 5852374..de1e1e0 100644 +--- a/src/util/virxml.c ++++ b/src/util/virxml.c +@@ -746,11 +746,11 @@ virXMLParseHelper(int domcode, + + if (filename) { + xml = xmlCtxtReadFile(pctxt, filename, NULL, +- XML_PARSE_NOENT | XML_PARSE_NONET | ++ XML_PARSE_NONET | + XML_PARSE_NOWARNING); + } else { + xml = xmlCtxtReadDoc(pctxt, BAD_CAST xmlStr, url, NULL, +- XML_PARSE_NOENT | XML_PARSE_NONET | ++ XML_PARSE_NONET | + XML_PARSE_NOWARNING); + } + if (!xml) diff --git a/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch b/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch new file mode 100644 index 0000000..2f55192 --- /dev/null +++ b/0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch @@ -0,0 +1,49 @@ +From 5fd44adb6baeeb686a9c3ac89a5188ace1fb5e40 Mon Sep 17 00:00:00 2001 +From: Stefan Bader +Date: Wed, 12 Mar 2014 13:03:26 +0100 +Subject: [PATCH] libxl: Check for control_d string to decide about dom0 + +As soon as any guest mounts xenfs to /proc/xen, there is a capabilities +file in that directory. However it returns nothing when reading from it. +Change the test to actually check the contents of the file. + +BugLink: http://bugs.launchpad.net/bugs/1248025 + +Signed-off-by: Stefan Bader +(cherry picked from commit 8c869ad9f9c5d57ba0ef516835a08afdba7ad828) +--- + src/libxl/libxl_driver.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/src/libxl/libxl_driver.c b/src/libxl/libxl_driver.c +index 764a686..fb2a7cc 100644 +--- a/src/libxl/libxl_driver.c ++++ b/src/libxl/libxl_driver.c +@@ -783,6 +783,7 @@ libxlDriverShouldLoad(bool privileged) + bool ret = false; + virCommandPtr cmd; + int status; ++ char *output = NULL; + + /* Don't load if non-root */ + if (!privileged) { +@@ -790,8 +791,17 @@ libxlDriverShouldLoad(bool privileged) + return ret; + } + +- /* Don't load if not running on a Xen control domain (dom0) */ +- if (!virFileExists("/proc/xen/capabilities")) { ++ /* ++ * Don't load if not running on a Xen control domain (dom0). It is not ++ * sufficient to check for the file to exist as any guest can mount ++ * xenfs to /proc/xen. ++ */ ++ status = virFileReadAll("/proc/xen/capabilities", 10, &output); ++ if (status >= 0) { ++ status = strncmp(output, "control_d", 9); ++ } ++ VIR_FREE(output); ++ if (status) { + VIR_INFO("No Xen capabilities detected, probably not running " + "in a Xen Dom0. Disabling libxenlight driver"); + diff --git a/libvirt.spec b/libvirt.spec index 2847f47..04255c9 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -367,7 +367,7 @@ Summary: Library providing a simple virtualization API Name: libvirt Version: 1.1.3.5 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPLv2+ Group: Development/Libraries BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -378,6 +378,14 @@ URL: http://libvirt.org/ %endif Source: http://libvirt.org/sources/%{?mainturl}libvirt-%{version}.tar.gz +# Fix xen hvm VNC port (bz #1094262) +Patch0001: 0001-libxl-fix-framebuffer-port-setting-for-HVM-domains.patch +# CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290) +Patch0002: 0002-LSN-2014-0003-Don-t-expand-entities-when-parsing-XML.patch +# Fix failure to start xen instances (rackspace in particular) (bz +# #1098376) +Patch0003: 0003-libxl-Check-for-control_d-string-to-decide-about-dom.patch + %if %{with_libvirtd} Requires: libvirt-daemon = %{version}-%{release} %if %{with_network} @@ -1161,6 +1169,14 @@ of recent versions of Linux (and other OSes). %prep %setup -q +# Fix xen hvm VNC port (bz #1094262) +%patch0001 -p1 +# CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290) +%patch0002 -p1 +# Fix failure to start xen instances (rackspace in particular) (bz +# #1098376) +%patch0003 -p1 + %build %if ! %{with_xen} %define _without_xen --without-xen @@ -2118,6 +2134,11 @@ fi %endif %changelog +* Mon May 19 2014 Cole Robinson - 1.1.3.5-2 +- Fix xen hvm VNC port (bz #1094262) +- CVE-2014-0179: Unsafe XML parsing (bz #1094792, bz #1088290) +- Fix failure to start xen instances (rackspace in particular) (bz #1098376) + * Sat May 03 2014 Cole Robinson - 1.1.3.5-1 - Rebased to version 1.1.3.5 - Fix QXL PCI address conflict (bz #1016775)