cloudstack-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bhais...@apache.org
Subject git commit: updated refs/heads/master to 5d29b63
Date Fri, 14 Aug 2015 05:28:28 GMT
Repository: cloudstack
Updated Branches:
  refs/heads/master ef44c7d30 -> 5d29b63cf


CLOUDSTACK-8613, CLOUDSTACK-6301: Dump KVM domain XML with secure flag

When dumping XML use appropriate flags:

1, VIR_DOMAIN_XML_SECURE (dump security sensitive information too)
8, VIR_DOMAIN_XML_MIGRATABLE (dump XML suitable for migration)

Source:
https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainXMLFlags

This fixes CVE 2015-3252: VNC password lost during VM migration across KVM
hosts. The issue is also seen when a VM is rebooted.

(cherry picked from commit cb2aca751630ea60ad2fffed3d12e3fa2a5e93b5)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/5d29b63c
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/5d29b63c
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/5d29b63c

Branch: refs/heads/master
Commit: 5d29b63cfa98a15d7734798c5b29a43658d7f112
Parents: ef44c7d
Author: Rohit Yadav <rohit.yadav@shapeblue.com>
Authored: Fri Aug 14 10:57:36 2015 +0530
Committer: Rohit Yadav <rohit.yadav@shapeblue.com>
Committed: Fri Aug 14 10:57:36 2015 +0530

----------------------------------------------------------------------
 .../hypervisor/kvm/resource/LibvirtComputingResource.java      | 5 ++++-
 .../kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java     | 6 +++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5d29b63c/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
index 6d22603..6bf5ccd 100644
--- a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
+++ b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/LibvirtComputingResource.java
@@ -2615,7 +2615,10 @@ public class LibvirtComputingResource extends ServerResourceBase implements
Serv
         String msg = null;
         try {
             dm = conn.domainLookupByName(vmName);
-            String vmDef = dm.getXMLDesc(0);
+            // Get XML Dump including the secure information such as VNC password
+            // By passing 1, or VIR_DOMAIN_XML_SECURE flag
+            // https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainXMLFlags
+            String vmDef = dm.getXMLDesc(1);
             final LibvirtDomainXMLParser parser = new LibvirtDomainXMLParser();
             parser.parseDomainXML(vmDef);
             for (final InterfaceDef nic : parser.getInterfaces()) {

http://git-wip-us.apache.org/repos/asf/cloudstack/blob/5d29b63c/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
----------------------------------------------------------------------
diff --git a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
index 1847818..a6bb591 100644
--- a/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtMigrateCommandWrapper.java
@@ -83,8 +83,12 @@ public final class LibvirtMigrateCommandWrapper extends CommandWrapper<MigrateCo
                 description for the instance to be used on the target host.
 
                 This is supported by libvirt-java from version 0.50.0
+
+                CVE-2015-3252: Get XML with sensitive information suitable for migration
by using
+                               VIR_DOMAIN_XML_MIGRATABLE flag (value = 8)
+                               https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainXMLFlags
              */
-            xmlDesc = dm.getXMLDesc(0).replace(libvirtComputingResource.getPrivateIp(), command.getDestinationIp());
+            xmlDesc = dm.getXMLDesc(8).replace(libvirtComputingResource.getPrivateIp(), command.getDestinationIp());
 
             dconn = libvirtUtilitiesHelper.retrieveQemuConnection("qemu+tcp://" + command.getDestinationIp()
+ "/system");
 


Mime
View raw message