File e4cb8500-avoid-malicious-ssh-hostname-as-args.patch of Package libvirt.8364

commit e4cb8500810a310a10a6cb359e1b53fac03ed597
Author: Daniel P. Berrange <>
Date:   Fri Aug 11 17:19:53 2017 +0100

    rpc: avoid ssh interpreting malicious hostname as arguments
    Inspired by the recent GIT / Mercurial security flaws
    consider someone/something manages to feed libvirt a bogus
    URI such as:
      virsh -c qemu+ssh://-oProxyCommand=gnome-calculator/system
    In this case, the hosname "-oProxyCommand=gnome-calculator"
    will get interpreted as an argument to ssh, not a hostname.
    Fortunately, due to the set of args we have following the
    hostname, SSH will then interpret our bit of shell script
    that runs 'nc' on the remote host as a cipher name, which is
    clearly invalid. This makes ssh exit during argv parsing and
    so it never tries to run gnome-calculator.
    We are lucky this time, but lets be more paranoid, by using
    '--' to explicitly tell SSH when it has finished seeing
    command line options. This forces it to interpret
    "-oProxyCommand=gnome-calculator" as a hostname, and thus
    see a fail from hostname lookup.
    Signed-off-by: Daniel P. Berrange <>

Index: libvirt-2.0.0/src/rpc/virnetsocket.c
--- libvirt-2.0.0.orig/src/rpc/virnetsocket.c
+++ libvirt-2.0.0/src/rpc/virnetsocket.c
@@ -858,7 +858,7 @@ int virNetSocketNewConnectSSH(const char
     if (!netcat)
         netcat = "nc";
-    virCommandAddArgList(cmd, nodename, "sh", "-c", NULL);
+    virCommandAddArgList(cmd, "--", nodename, "sh", "-c", NULL);
     virBufferEscapeShell(&buf, netcat);
     if (virBufferCheckError(&buf) < 0) {
openSUSE Build Service is sponsored by