diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 2 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15038.patch | 51 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15289.patch | 66 | ||||
-rw-r--r-- | gnu/packages/virtualization.scm | 6 |
4 files changed, 2 insertions, 123 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 35c7fb470a..530b8d5ea8 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1045,8 +1045,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-python3-compat.patch \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ - %D%/packages/patches/qemu-CVE-2017-15038.patch \ - %D%/packages/patches/qemu-CVE-2017-15289.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch deleted file mode 100644 index 4791a186bf..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15038.patch +++ /dev/null @@ -1,51 +0,0 @@ -Fix CVE-2017-15038: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6 - -From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 16 Oct 2017 14:21:59 +0200 -Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr - -9p back-end first queries the size of an extended attribute, -allocates space for it via g_malloc() and then retrieves its -value into allocated buffer. Race between querying attribute -size and retrieving its could lead to memory bytes disclosure. -Use g_malloc0() to avoid it. - -Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 23ac7bb532..f8bbac251d 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) - xattr_fidp->fid_type = P9_FID_XATTR; - xattr_fidp->fs.xattr.xattrwalk_fid = true; - if (size) { -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, - xattr_fidp->fs.xattr.value, - xattr_fidp->fs.xattr.len); -@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) - xattr_fidp->fid_type = P9_FID_XATTR; - xattr_fidp->fs.xattr.xattrwalk_fid = true; - if (size) { -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, - &name, xattr_fidp->fs.xattr.value, - xattr_fidp->fs.xattr.len); --- -2.15.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-15289.patch b/gnu/packages/patches/qemu-CVE-2017-15289.patch deleted file mode 100644 index d4b536a405..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15289.patch +++ /dev/null @@ -1,66 +0,0 @@ -Fix CVE-2017-15289: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=eb38e1bc3740725ca29a535351de94107ec58d51 - -From eb38e1bc3740725ca29a535351de94107ec58d51 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Wed, 11 Oct 2017 10:43:14 +0200 -Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions - -Move dst calculation into the loop, so we apply the mask on each -interation and will not overflow vga memory. - -Cc: Prasad J Pandit <pjp@fedoraproject.org> -Reported-by: Niu Guoxiang <niuguoxiang@huawei.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 20171011084314.21752-1-kraxel@redhat.com ---- - hw/display/cirrus_vga.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index b4d579857a..bc32bf1e39 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s, - unsigned val = mem_value; - uint8_t *dst; - -- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); - for (x = 0; x < 8; x++) { -+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask); - if (val & 0x80) { - *dst = s->cirrus_shadow_gr1; - } else if (mode == 5) { - *dst = s->cirrus_shadow_gr0; - } - val <<= 1; -- dst++; - } - memory_region_set_dirty(&s->vga.vram, offset, 8); - } -@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, - unsigned val = mem_value; - uint8_t *dst; - -- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); - for (x = 0; x < 8; x++) { -+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1); - if (val & 0x80) { - *dst = s->cirrus_shadow_gr1; - *(dst + 1) = s->vga.gr[0x11]; -@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, - *(dst + 1) = s->vga.gr[0x10]; - } - val <<= 1; -- dst += 2; - } - memory_region_set_dirty(&s->vga.vram, offset, 16); - } --- -2.15.0 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index d49cdc208a..f8f9de16fc 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -82,16 +82,14 @@ (define-public qemu (package (name "qemu") - (version "2.10.2") + (version "2.11.1") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2017-15038.patch" - "qemu-CVE-2017-15289.patch")) (sha256 (base32 - "17w21spvaxaidi2am5lpsln8yjpyp2zi3s3gc6nsxj5arlgamzgw")))) + "11l6cs6mib16rgdrnqrhkqs033fjik316gkgfz3asbmxz38lalca")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: |