GNU bug report logs - #27221
[PATCH] gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 3 Jun 2017 22:36:02 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#27221; Package guix-patches. (Sat, 03 Jun 2017 22:36:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 03 Jun 2017 22:36:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.
Date: Sat,  3 Jun 2017 18:35:04 -0400
* gnu/packages/patches/qemu-CVE-2017-8112.patch,
gnu/packages/patches/qemu-CVE-2017-8309.patch,
gnu/packages/patches/qemu-CVE-2017-8379.patch,
gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/qemu.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                  |  4 ++
 gnu/packages/patches/qemu-CVE-2017-8112.patch | 41 +++++++++++
 gnu/packages/patches/qemu-CVE-2017-8309.patch | 46 +++++++++++++
 gnu/packages/patches/qemu-CVE-2017-8379.patch | 98 +++++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-8380.patch | 53 +++++++++++++++
 gnu/packages/qemu.scm                         |  6 +-
 6 files changed, 247 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8112.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8309.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8379.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8380.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e7d5ee2f4..85bcbd632 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -953,6 +953,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
   %D%/packages/patches/qemu-CVE-2017-7493.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8112.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8309.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8379.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8380.patch			\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch
new file mode 100644
index 000000000..88b33aa2f
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8112.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-8112:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
+
+From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
+From: P J P <ppandit <at> redhat.com>
+Date: Tue, 25 Apr 2017 18:36:23 +0530
+Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
+
+A guest could set the message ring page count to zero, resulting in
+infinite loop. Add check to avoid it.
+
+Reported-by: YY Z <bigbird475958471 <at> gmail.com>
+Signed-off-by: P J P <ppandit <at> redhat.com>
+Message-Id: <20170425130623.3649-1-ppandit <at> redhat.com>
+Reviewed-by: Dmitry Fleytman <dmitry <at> daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini <at> redhat.com>
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 75575461e2..4a106da856 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+-    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+         return -1;
+     }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+-- 
+2.13.0
+
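Review bot: the combined check `!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES` rejects the zero page count that caused the infinite loop and keeps the existing upper bound in the same place, so the `ring_size` multiplication right below it now always sees a page count between 1 and the maximum. The header cites the upstream commit id in both the URL and the `From` line (f68826989cd4d...), which gives reviewers the provenance they need; the other three patch files follow the same convention.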
diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch
new file mode 100644
index 000000000..dc4b4006b
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8309.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-8309:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
+
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel <at> redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit <at> redhat.com>
+Cc: Huawei PSIRT <PSIRT <at> huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1 <at> huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel <at> redhat.com>
+Reviewed-by: Prasad J Pandit <pjp <at> fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel <at> redhat.com
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch
new file mode 100644
index 000000000..200b133d3
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8379.patch
@@ -0,0 +1,98 @@
+Fix CVE-2017-8379:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
+
+From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel <at> redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit <at> redhat.com>
+Cc: Huawei PSIRT <PSIRT <at> huawei.com>
+Reported-by: jiangxin1 <at> huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel <at> redhat.com>
+Message-id: 20170428084237.23960-1-kraxel <at> redhat.com
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+     QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+ 
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+                                                    QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+             break;
+         }
+         QTAILQ_REMOVE(queue, item, node);
++        queue_count--;
+         g_free(item);
+     }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+     item->delay_ms = delay_ms;
+     item->timer = timer;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ 
+     if (start_timer) {
+         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+     item->src = src;
+     item->evt = evt;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+ 
+     item->type = QEMU_INPUT_QUEUE_SYNC;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+         qemu_input_event_send(src, evt);
+         qemu_input_event_sync();
+         qapi_free_InputEvent(evt);
+-    } else {
++    } else if (queue_count < queue_limit) {
+         qemu_input_queue_event(&kbd_queue, src, evt);
+         qemu_input_queue_sync(&kbd_queue);
+     }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+                                  &kbd_queue);
+     }
+-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
+-                           delay_ms ? delay_ms : kbd_default_delay_ms);
++    if (queue_count < queue_limit) {
++        qemu_input_queue_delay(&kbd_queue, kbd_timer,
++                               delay_ms ? delay_ms : kbd_default_delay_ms);
++    }
+ }
+ 
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+-- 
+2.13.0
+
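Review bot: in the `qemu_input_event_send_key` region, the new `} else if (queue_count < queue_limit) {` branch silently drops `evt` when the queue is full but never frees it, whereas the other branch calls `qapi_free_InputEvent(evt)` once the event has been delivered; an `else { qapi_free_InputEvent(evt); }` would stop a full queue from leaking one InputEvent per rejected key. A smaller point: `qemu_input_queue_event` and `qemu_input_queue_sync` each do `queue_count++`, so one key press adds two items and the queue can reach `queue_limit + 1` entries; that does not defeat the bound, but a comment noting that the limit is approximate would help the next reader.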
diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch
new file mode 100644
index 000000000..65e49fc88
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8380.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8380:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
+
+From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp <at> fedoraproject.org>
+Date: Mon, 24 Apr 2017 17:36:34 +0530
+Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
+
+While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
+an off-by-one error could occur as 's->adp_reset' index is not
+reset after reading the last sequence.
+
+Reported-by: YY Z <bigbird475958471 <at> gmail.com>
+Signed-off-by: Prasad J Pandit <pjp <at> fedoraproject.org>
+Message-Id: <20170424120634.12268-1-ppandit <at> redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini <at> redhat.com>
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf901..804122ab05 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+     case MFI_SEQ:
+         trace_megasas_mmio_writel("MFI_SEQ", val);
+         /* Magic sequence to start ADP reset */
+-        if (adp_reset_seq[s->adp_reset] == val) {
+-            s->adp_reset++;
++        if (adp_reset_seq[s->adp_reset++] == val) {
++            if (s->adp_reset == 6) {
++                s->adp_reset = 0;
++                s->diag = MFI_DIAG_WRITE_ENABLE;
++            }
+         } else {
+             s->adp_reset = 0;
+             s->diag = 0;
+         }
+-        if (s->adp_reset == 6) {
+-            s->diag = MFI_DIAG_WRITE_ENABLE;
+-        }
+         break;
+     case MFI_DIAG:
+         trace_megasas_mmio_writel("MFI_DIAG", val);
+-- 
+2.13.0
+
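Review bot: the literal `6` in `if (s->adp_reset == 6)` hard-codes the length of `adp_reset_seq`, which is defined outside this hunk; `ARRAY_SIZE(adp_reset_seq)` would keep the index bound and the table in step if the magic sequence ever changes. The restructuring itself is sound: with `adp_reset_seq[s->adp_reset++]`, the index reaches 6 only inside the match branch, where it is reset to 0 before the next write, and the mismatch branch also resets it, so every later array access uses an index in 0..5.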
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 0734b6d0f..31354b25d 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -74,7 +74,11 @@
              (method url-fetch)
              (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2017-7493.patch"))
+             (patches (search-patches "qemu-CVE-2017-7493.patch"
+                                      "qemu-CVE-2017-8112.patch"
+                                      "qemu-CVE-2017-8309.patch"
+                                      "qemu-CVE-2017-8379.patch"
+                                      "qemu-CVE-2017-8380.patch"))
              (sha256
               (base32
                "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
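Review bot: the `sha256` below the extended `patches` list is left unchanged, which is correct: in a Guix `origin` the hash covers the fetched tarball and the `search-patches` entries are applied after the fetch, so no hash update is needed. The four new names match the entries added to `dist_patch_DATA` in gnu/local.mk exactly, so `search-patches` will resolve them.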
-- 
2.13.0
Information forwarded to guix-patches <at> gnu.org:
bug#27221; Package guix-patches. (Sat, 03 Jun 2017 23:52:01 GMT)

Message #8 received at 27221 <at> debbugs.gnu.org:

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 27221 <at> debbugs.gnu.org
Subject: Re: bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112, 8309, 8379, 8380}.
Date: Sun, 04 Jun 2017 01:51:00 +0200
Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/qemu-CVE-2017-8112.patch,
> gnu/packages/patches/qemu-CVE-2017-8309.patch,
> gnu/packages/patches/qemu-CVE-2017-8379.patch,
> gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/qemu.scm (qemu)[source]: Use them.

LGTM. Thanks for keeping up with this.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Sun, 04 Jun 2017 01:13:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Sun, 04 Jun 2017 01:13:02 GMT)

Message #13 received at 27221-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Marius Bakke <mbakke <at> fastmail.com>
Cc: 27221-done <at> debbugs.gnu.org
Subject: Re: bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112, 8309, 8379, 8380}.
Date: Sat, 3 Jun 2017 21:12:38 -0400
On Sun, Jun 04, 2017 at 01:51:00AM +0200, Marius Bakke wrote:
> Leo Famulari <leo <at> famulari.name> writes:
> 
> > * gnu/packages/patches/qemu-CVE-2017-8112.patch,
> > gnu/packages/patches/qemu-CVE-2017-8309.patch,
> > gnu/packages/patches/qemu-CVE-2017-8379.patch,
> > gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/qemu.scm (qemu)[source]: Use them.
> 
> LGTM. Thanks for keeping up with this.

Thanks! Pushed as 8b5cb8d0542115b840b0086be1dbc00c116c7877.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 02 Jul 2017 11:24:05 GMT)
