File b1674ad5-CVE-2014-7823.patch of Package libvirt.11695

commit 2cfd147c49d696a3641145ac8edb9e49a85a515d
Author: Eric Blake <>
Date:   Thu Nov 6 09:42:24 2014 +0100

    CVE-2014-7823: dumpxml: security hole with migratable flag
    Commit 28f8dfd (v1.0.0) introduced a security hole: in at least
    the qemu implementation of virDomainGetXMLDesc, the use of the
    flag VIR_DOMAIN_XML_MIGRATABLE (which is usable from a read-only
    connection) triggers the implicit use of VIR_DOMAIN_XML_SECURE
    prior to calling qemuDomainFormatXML.  However, the use of
    VIR_DOMAIN_XML_SECURE is supposed to be restricted to read-write
    clients only.  This patch treats the migratable flag as requiring
    the same permissions, rather than analyzing what might break if
    migratable xml no longer includes secret information.
    Fortunately, the information leak is low-risk: all that is gated
    by the VIR_DOMAIN_XML_SECURE flag is the VNC connection password;
    but VNC passwords are already weak (FIPS forbids their use, and
    on a non-FIPS machine, anyone stupid enough to trust a max-8-byte
    password sent in plaintext over the network deserves what they
    get).  SPICE offers better security than VNC, and all other
    secrets are properly protected by use of virSecret associations
    rather than direct output in domain XML.
    * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_GET_XML_DESC):
    Tighten rules on use of migratable flag.
    * src/libvirt-domain.c (virDomainGetXMLDesc): Likewise.
    Signed-off-by: Eric Blake <>
    (cherry picked from commit b1674ad5a97441b7e1bd5f5ebaff498ef2fbb11b)
    	src/libvirt-domain.c - file split from older src/libvirt.c
    Signed-off-by: Eric Blake <>

Index: libvirt-1.2.5/src/libvirt.c
--- libvirt-1.2.5.orig/src/libvirt.c
+++ libvirt-1.2.5/src/libvirt.c
@@ -4348,7 +4348,8 @@ virDomainGetXMLDesc(virDomainPtr domain,
     virCheckDomainReturn(domain, NULL);
     conn = domain->conn;
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
+    if ((conn->flags & VIR_CONNECT_RO) &&
         virReportError(VIR_ERR_OPERATION_DENIED, "%s",
                        _("virDomainGetXMLDesc with secure flag"));
         goto error;
Index: libvirt-1.2.5/src/remote/remote_protocol.x
--- libvirt-1.2.5.orig/src/remote/remote_protocol.x
+++ libvirt-1.2.5/src/remote/remote_protocol.x
@@ -3144,6 +3144,7 @@ enum remote_procedure {
      * @generate: both
      * @acl: domain:read
      * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:read_secure:VIR_DOMAIN_XML_MIGRATABLE