summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTobias Geerinckx-Rice <me@tobias.gr>2018-08-16 02:38:32 +0200
committerTobias Geerinckx-Rice <me@tobias.gr>2018-08-16 02:41:42 +0200
commit5dc8437fc0ff3dedf75de2183e3bf9d493e4aa81 (patch)
tree0588c7b0a1e302394fa00f45513ee574f7cab71a
parent6512b96570f79c6d230363dfe2adbd159c7861f5 (diff)
downloadpatches-5dc8437fc0ff3dedf75de2183e3bf9d493e4aa81.tar
patches-5dc8437fc0ff3dedf75de2183e3bf9d493e4aa81.tar.gz
gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639].
* gnu/packages/virtualization.scm (qemu): Update to 3.0.0. [source]: Remove patch. * gnu/packages/patches/qemu-CVE-2018-11806.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-11806.patch105
-rw-r--r--gnu/packages/virtualization.scm5
3 files changed, 2 insertions, 109 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e3ca237d87..606b3ace3c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1097,7 +1097,6 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \
- %D%/packages/patches/qemu-CVE-2018-11806.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-use-TZDIR.patch \
%D%/packages/patches/qtoctave-qt-5.11-fix.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch
deleted file mode 100644
index f021dfa747..0000000000
--- a/gnu/packages/patches/qemu-CVE-2018-11806.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Fix CVE-2018-11806:
-
-https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
-
-From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 5 Jun 2018 23:38:35 +0530
-Subject: [PATCH] slirp: correct size computation while concatenating mbuf
-
-While reassembling incoming fragmented datagrams, 'm_cat' routine
-extends the 'mbuf' buffer, if it has insufficient room. It computes
-a wrong buffer size, which leads to overwriting adjacent heap buffer
-area. Correct this size computation in m_cat.
-
-Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
----
- slirp/mbuf.c | 11 +++++------
- slirp/mbuf.h | 8 +++-----
- 2 files changed, 8 insertions(+), 11 deletions(-)
-
-diff --git a/slirp/mbuf.c b/slirp/mbuf.c
-index 5ff24559fd..18cbf759a7 100644
---- a/slirp/mbuf.c
-+++ b/slirp/mbuf.c
-@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- * If there's no room, realloc
- */
- if (M_FREEROOM(m) < n->m_len)
-- m_inc(m,m->m_size+MINCSIZE);
-+ m_inc(m, m->m_len + n->m_len);
-
- memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
- m->m_len += n->m_len;
-@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- }
-
-
--/* make m size bytes large */
-+/* make m 'size' bytes large from m_data */
- void
- m_inc(struct mbuf *m, int size)
- {
-@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
-
- if (m->m_flags & M_EXT) {
- datasize = m->m_data - m->m_ext;
-- m->m_ext = g_realloc(m->m_ext, size);
-+ m->m_ext = g_realloc(m->m_ext, size + datasize);
- m->m_data = m->m_ext + datasize;
- } else {
- char *dat;
- datasize = m->m_data - m->m_dat;
-- dat = g_malloc(size);
-+ dat = g_malloc(size + datasize);
- memcpy(dat, m->m_dat, m->m_size);
-
- m->m_ext = dat;
-@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
- m->m_flags |= M_EXT;
- }
-
-- m->m_size = size;
--
-+ m->m_size = size + datasize;
- }
-
-
-diff --git a/slirp/mbuf.h b/slirp/mbuf.h
-index 893601ff9d..33b84485d6 100644
---- a/slirp/mbuf.h
-+++ b/slirp/mbuf.h
-@@ -33,8 +33,6 @@
- #ifndef MBUF_H
- #define MBUF_H
-
--#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
--
- /*
- * Macros for type conversion
- * mtod(m,t) - convert mbuf pointer to data pointer of correct type
-@@ -72,11 +70,11 @@ struct mbuf {
- struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
- int m_flags; /* Misc flags */
-
-- int m_size; /* Size of data */
-+ int m_size; /* Size of mbuf, from m_dat or m_ext */
- struct socket *m_so;
-
-- caddr_t m_data; /* Location of data */
-- int m_len; /* Amount of data in this mbuf */
-+ caddr_t m_data; /* Current location of data */
-+ int m_len; /* Amount of data in this mbuf, from m_data */
-
- Slirp *slirp;
- bool resolution_requested;
---
-2.17.1
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 8e7eded5e1..a39f2fa58f 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -94,15 +94,14 @@
(define-public qemu
(package
(name "qemu")
- (version "2.12.1")
+ (version "3.0.0")
(source (origin
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
- (patches (search-patches "qemu-CVE-2018-11806.patch"))
(sha256
(base32
- "0krnp2wvggpchc7fdlmyasqy7j17baz8asr2g05x0v00w003hn1k"))))
+ "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like: