External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-02 11:05:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
9,890 Commits 67 Branches 629 Tags 867 MiB
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%
9eb2b57325
Go to file
Laine Stump 9eb2b57325 network: prevent dnsmasq from listening on localhost 
This patch resolves the problem reported in:

   https://bugzilla.redhat.com/show_bug.cgi?id=886663

The source of the problem was the fix for CVE 2011-3411:

   https://bugzilla.redhat.com/show_bug.cgi?id=833033

which was originally committed upstream in commit
753ff83a50. That commit improperly
removed the "--except-interface lo" from dnsmasq commandlines when
--bind-dynamic was used (based on comments in the latter bug).

It turns out that the problem reported in the CVE could be eliminated
without removing "--except-interface lo", and removing it actually
caused each instance of dnsmasq to listen on localhost on port 53,
which created a new problem:

If another instance of dnsmasq using "bind-interfaces" (instead of
"bind-dynamic") had already been started (or if another instance
started later used "bind-dynamic"), this wouldn't have any immediately
visible ill effects, but if you tried to start another dnsmasq
instance using "bind-interfaces" *after* starting any libvirt
networks, the new dnsmasq would fail to start, because there was
already another process listening on port 53.

This patch changes the network driver to *always* add
"except-interface=lo" to dnsmasq conf files, regardless of whether we use
bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
are listening on localhost (and the CVE is still fixed).

The actual code change is miniscule, but must be propogated through all
of the test files as well.

(This is *not* a cherry-pick of the upstream commit that fixes the bug
(commit d66eb78667), because subsequent
to the CVE fix, another patch changed the network driver to put
dnsmasq options in a conf file rather than directly on the dnsmasq
commandline preserving the same options), so a cherry-pick is just one
very large conflict.)
2012-12-13 12:43:58 -05:00
.gnulib@dbd914496c build: update to latest gnulib, for secure tarball 2012-07-27 11:52:31 -06:00
daemon daemon: Avoid 'Could not find keytab file' in syslog 2012-10-27 15:28:20 -04:00
docs docs: Fix installation of internals/*.html 2012-10-27 15:33:03 -04:00
examples adding handling EINTR to poll to make it more robust 2012-08-12 21:15:46 -04:00
gnulib build: fix fresh checkout on RHEL5 2012-04-25 16:36:26 -04:00
include snapshot: add atomic create flag 2012-03-23 16:38:20 -06:00
m4 maint: make it easier to copy FORTIFY_SOURCE snippet 2012-06-14 18:38:26 -04:00
po Prep for release 0.9.11.8 2012-12-09 18:20:39 -05:00
python python: fix snapshot listing bugs 2012-06-14 18:38:27 -04:00
src network: prevent dnsmasq from listening on localhost 2012-12-13 12:43:58 -05:00
tests network: prevent dnsmasq from listening on localhost 2012-12-13 12:43:58 -05:00
tools docs: virsh: clarify behavior of send-key 2012-10-27 15:28:32 -04:00
.dir-locals.el maint: let emacs avoid tabs in rng files 2011-08-13 08:56:26 -06:00
.gitignore Add /tools/libvirt-guests.service to .gitignore 2012-08-12 19:22:30 -04:00
.gitmodules make .gnulib a submodule 2009-07-08 16:17:51 +02:00
.mailmap qemu: add rbd to whitelist of migration-safe formats 2012-08-12 19:22:51 -04:00
AUTHORS qemu: Do not ignore address for USB disks 2012-12-09 17:48:11 -05:00
autobuild.sh Enable all warnings permanently & default to -Werror for GIT builds 2012-03-27 17:08:06 +01:00
autogen.sh autogen: Always abide --system 2012-08-12 18:34:54 -04:00
bootstrap build: update to latest gnulib, for secure tarball 2012-07-27 11:52:31 -06:00
bootstrap.conf build: update to latest gnulib, for secure tarball 2012-07-27 11:52:31 -06:00
cfg.mk build: update to latest gnulib, for secure tarball 2012-07-27 11:52:31 -06:00
ChangeLog-old virterror.c: Fix several spelling mistakes 2012-02-03 11:32:51 -07:00
configure.ac Prep for release 0.9.11.8 2012-12-09 18:20:39 -05:00
COPYING.LIB remove all trailing blank lines 2009-07-16 15:06:42 +02:00
HACKING Document STREQ_NULLABLE and STRNEQ_NULLABLE 2011-10-06 16:50:38 +02:00
libvirt.pc.in build: silence warning from autoconf 2012-06-14 18:23:21 -04:00
libvirt.spec.in Prep for release 0.9.11.8 2012-12-09 18:20:39 -05:00
Makefile.am maint: add missing copyright notices 2011-07-28 15:01:17 -06:00
Makefile.nonreentrant Ban use of all inet_* functions 2010-10-22 11:59:23 +01:00
mingw32-libvirt.spec.in Fix typos in API XML file paths 2012-02-15 11:29:38 +00:00
README Correct typos in the documentation (Atsushi SAKAI) 2008-01-24 10:15:13 +00:00
README-hacking maint: relax git minimum version 2010-02-24 14:29:27 -05:00
TODO Update todo list file to point at bugzilla/website 2010-10-13 16:45:26 +01:00

README 

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>