diff options
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2018-16872.patch | 88 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2019-6778.patch | 43 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 19 |
4 files changed, 14 insertions, 138 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 08bc205623..0002f49409 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1253,8 +1253,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ - %D%/packages/patches/qemu-CVE-2018-16872.patch \ - %D%/packages/patches/qemu-CVE-2019-6778.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-old-kernel.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2018-16872.patch b/gnu/packages/patches/qemu-CVE-2018-16872.patch deleted file mode 100644 index 094e823ee4..0000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16872.patch +++ /dev/null @@ -1,88 +0,0 @@ -Fixes CVE-2018-16872: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=bab9df35ce73d1c8e19a37e2737717ea1c984dc1 - -From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Thu, 13 Dec 2018 13:25:11 +0100 -Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC. - -Open files and directories with O_NOFOLLOW to avoid symlinks attacks. -While being at it also add O_CLOEXEC. - -usb-mtp only handles regular files and directories and ignores -everything else, so users should not see a difference. - -Because qemu ignores symlinks, carrying out a successful symlink attack -requires swapping an existing file or directory below rootdir for a -symlink and winning the race against the inotify notification to qemu. - -Fixes: CVE-2018-16872 -Cc: Prasad J Pandit <ppandit@redhat.com> -Cc: Bandan Das <bsd@redhat.com> -Reported-by: Michael Hanselmann <public@hansmi.ch> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Michael Hanselmann <public@hansmi.ch> -Message-id: 20181213122511.13853-1-kraxel@redhat.com ---- - hw/usb/dev-mtp.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 100b7171f4..36c43b8c20 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) - { - struct dirent *entry; - DIR *dir; -+ int fd; - - if (o->have_children) { - return; - } - o->have_children = true; - -- dir = opendir(o->path); -+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); -+ if (fd < 0) { -+ return; -+ } -+ dir = fdopendir(fd); - if (!dir) { - return; - } -@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, - - trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); - -- d->fd = open(o->path, O_RDONLY); -+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); - if (d->fd == -1) { - usb_mtp_data_free(d); - return NULL; -@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, - c->argv[1], c->argv[2]); - - d = usb_mtp_data_alloc(c); -- d->fd = open(o->path, O_RDONLY); -+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); - if (d->fd == -1) { - usb_mtp_data_free(d); - return NULL; -@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) - 0, 0, 0, 0); - goto done; - } -- d->fd = open(path, O_CREAT | O_WRONLY, mask); -+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); - if (d->fd == -1) { - usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, - 0, 0, 0, 0); --- -2.20.1 - diff --git a/gnu/packages/patches/qemu-CVE-2019-6778.patch b/gnu/packages/patches/qemu-CVE-2019-6778.patch deleted file mode 100644 index 315f2922da..0000000000 --- a/gnu/packages/patches/qemu-CVE-2019-6778.patch +++ /dev/null @@ -1,43 +0,0 @@ -Fixes CVE-2019-6778: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6778 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7104eda7dab99d0cdbd3595c211864cba415905 - -From a7104eda7dab99d0cdbd3595c211864cba415905 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Sun, 13 Jan 2019 23:29:48 +0530 -Subject: [PATCH] slirp: check data length while emulating ident function - -While emulating identification protocol, tcp_emu() does not check -available space in the 'sc_rcv->sb_data' buffer. It could lead to -heap buffer overflow issue. Add check to avoid it. - -Reported-by: Kira <864786842@qq.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> ---- - slirp/tcp_subr.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c -index 4a9a5b5edc..23a841f26e 100644 ---- a/slirp/tcp_subr.c -+++ b/slirp/tcp_subr.c -@@ -634,6 +634,11 @@ tcp_emu(struct socket *so, struct mbuf *m) - socklen_t addrlen = sizeof(struct sockaddr_in); - struct sbuf *so_rcv = &so->so_rcv; - -+ if (m->m_len > so_rcv->sb_datalen -+ - (so_rcv->sb_wptr - so_rcv->sb_data)) { -+ return 1; -+ } -+ - memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); - so_rcv->sb_wptr += m->m_len; - so_rcv->sb_rptr += m->m_len; --- -2.20.1 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 5535d7a421..2e5b1ce16e 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -107,16 +107,14 @@ (define-public qemu (package (name "qemu") - (version "3.1.0") + (version "4.1.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2018-16872.patch" - "qemu-CVE-2019-6778.patch")) (sha256 (base32 - "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba")))) + "1ih9v6gxgild3m4g80ld4dr3wp9db3bpy203k73fxgc9hqhn0vk5")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: @@ -180,13 +178,24 @@ exec smbd $@"))) (chmod "samba-wrapper" #o755) (install-file "samba-wrapper" libexec)) #t)) - (add-before 'check 'disable-test-qga + (add-before 'configure 'prevent-network-configuration (lambda _ + ;; Prevent the build from trying to use git to fetch from the net. + (substitute* "Makefile" + (("@./config.status") + "")) #t)) + (add-before 'check 'disable-unusable-tests + (lambda* (#:key inputs outputs #:allow-other-keys) (substitute* "tests/Makefile.include" ;; Comment out the test-qga test, which needs /sys and ;; fails within the build environment. (("check-unit-.* tests/test-qga" all) (string-append "# " all))) + (substitute* "tests/Makefile.include" + ;; Comment out the test-char test, which needs networking and + ;; fails within the build environment. + (("check-unit-.* tests/test-char" all) + (string-append "# " all))) #t))))) (inputs ; TODO: Add optional inputs. `(("alsa-lib" ,alsa-lib) |