From: Alex Vong
To: guix-patches@gnu.org
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.
Date: Sun, 13 Aug 2017 21:38:18 +0800
Message-ID: <87pobz1tbp.fsf@gmail.com>

Severity: important
Tags: security

Hello,

This fixes a bunch of CVEs which were left unfixed. Most of the patches
are copied from the upstream git repo. Except one is copied from Xen
Security Advisory.

Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-qemu-Fix-CVE-2017-10664-10806-10911-11434.patch
Content-Transfer-Encoding: quoted-printable

From=20f513dd18602c0321bedce3f4ebf4b0b6a77288ac Mon Sep 17 00:00:00 2001
From: Alex Vong Date: Sun, 13 Aug 2017 19:42:59 +0800 Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}. * gnu/packages/patches/qemu-CVE-2017-10664.patch, gnu/packages/patches/qemu-CVE-2017-10806.patch, gnu/packages/patches/qemu-CVE-2017-10911.patch, gnu/packages/patches/qemu-CVE-2017-11434.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them. =2D-- gnu/local.mk | 4 + gnu/packages/patches/qemu-CVE-2017-10664.patch | 58 ++++++++++++ gnu/packages/patches/qemu-CVE-2017-10806.patch | 61 ++++++++++++ gnu/packages/patches/qemu-CVE-2017-10911.patch | 123 +++++++++++++++++++++= ++++ gnu/packages/patches/qemu-CVE-2017-11434.patch | 46 +++++++++ gnu/packages/virtualization.scm | 7 +- 6 files changed, 298 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2017-10664.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-10806.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-10911.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-11434.patch diff --git a/gnu/local.mk b/gnu/local.mk index c12fd8559..f513a7490 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -988,7 +988,11 @@ dist_patch_DATA =3D \ %D%/packages/patches/qemu-CVE-2017-8379.patch \ %D%/packages/patches/qemu-CVE-2017-8380.patch \ %D%/packages/patches/qemu-CVE-2017-9524.patch \ + %D%/packages/patches/qemu-CVE-2017-10664.patch \ + %D%/packages/patches/qemu-CVE-2017-10806.patch \ + %D%/packages/patches/qemu-CVE-2017-10911.patch \ %D%/packages/patches/qemu-CVE-2017-11334.patch \ + %D%/packages/patches/qemu-CVE-2017-11434.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quagga-reproducible-build.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/= patches/qemu-CVE-2017-10664.patch new file mode 100644 index 000000000..5a7406eaf =2D-- /dev/null 
+++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch 
@@ -0,0 +1,58 @@ +Fix CVE-2017-10664: + +https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html +https://bugzilla.redhat.com/show_bug.cgi?id=3D1466190 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-10664 +https://security-tracker.debian.org/tracker/CVE-2017-10664 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=3Dqemu.git;a=3Dcommitdiff;h=3D041e32b8d9= d076980b4e35317c0339e57ab888f1 + +From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001 +From: Max Reitz +Date: Sun, 11 Jun 2017 14:37:14 +0200 +Subject: [PATCH] qemu-nbd: Ignore SIGPIPE + +qemu proper has done so for 13 years +(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have +done so for four years (526eda14a68d5b3596be715505289b541288ef2a). +Ignoring this signal is especially important in qemu-nbd because +otherwise a client can easily take down the qemu-nbd server by dropping +the connection when the server wants to send something, for example: + +$ qemu-nbd -x foo -f raw -t null-co:// & +[1] 12726 +$ qemu-io -c quit nbd://localhost/bar +can't open device nbd://localhost/bar: No export with name 'bar' available +[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co:// + +In this case, the client sends an NBD_OPT_ABORT and closes the +connection (because it is not required to wait for a reply), but the +server replies with an NBD_REP_ACK (because it is required to reply). 
+ +Signed-off-by: Max Reitz +Message-Id: <20170611123714.31292-1-mreitz@redhat.com> +Signed-off-by: Paolo Bonzini +--- + qemu-nbd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 9464a0461c..4dd3fd4732 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -581,6 +581,10 @@ int main(int argc, char **argv) + sa_sigterm.sa_handler =3D termsig_handler; + sigaction(SIGTERM, &sa_sigterm, NULL); +=20 ++#ifdef CONFIG_POSIX ++ signal(SIGPIPE, SIG_IGN); ++#endif ++ + module_call_init(MODULE_INIT_TRACE); + qcrypto_init(&error_fatal); +=20 +--=20 +2.14.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/= patches/qemu-CVE-2017-10806.patch new file mode 100644 index 000000000..202ced8cf =2D-- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch 
@@ -0,0 +1,61 @@ +Fix CVE-2017-10806: + +https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html +https://bugzilla.redhat.com/show_bug.cgi?id=3D1468496 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-10806 +https://security-tracker.debian.org/tracker/CVE-2017-10806 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=3Dqemu.git;a=3Dcommit;h=3Dbd4a683505b27a= dc1ac809f71e918e58573d851d + +From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 9 May 2017 13:01:28 +0200 +Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data +MIME-Version: 1.0 +Content-Type: text/plain; charset=3DUTF-8 +Content-Transfer-Encoding: 8bit + +Don't reinvent a broken wheel, just use the hexdump function we have. + +Impact: low, broken code doesn't run unless you have debug logging +enabled. + +Reported-by: =E6=9D=8E=E5=BC=BA +Signed-off-by: Gerd Hoffmann +Message-id: 20170509110128.27261-1-kraxel@redhat.com +--- + hw/usb/redirect.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index b001a27f05..ad5ef783a6 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, cons= t char *msg) + static void usbredir_log_data(USBRedirDevice *dev, const char *desc, + const uint8_t *data, int len) + { +- int i, j, n; +- + if (dev->debug < usbredirparser_debug_data) { + return; + } +- +- for (i =3D 0; i < len; i +=3D j) { +- char buf[128]; +- +- n =3D sprintf(buf, "%s", desc); +- for (j =3D 0; j < 8 && i + j < len; j++) { +- n +=3D sprintf(buf + n, " %02X", data[i + j]); +- } +- error_report("%s", buf); +- } ++ qemu_hexdump((char *)data, stderr, desc, len); + } +=20 + /* +--=20 +2.14.1 + 
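Review bot: In usbredir_log_data, the replacement call `qemu_hexdump((char *)data, stderr, desc, len)` casts away the const on `const uint8_t *data` and writes straight to stderr, where the removed loop reported each line through `error_report`. If the dump routine only reads the buffer, a cast to `const char *` keeps the qualifier, and it is worth confirming that bypassing error_report for this debug output is intended. `len` is a signed `int` in this function, so also check that no caller can pass a negative value through to the dump.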
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/= patches/qemu-CVE-2017-10911.patch new file mode 100644 index 000000000..fed3fb8ff =2D-- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch 
@@ -0,0 +1,123 @@ +Fix CVE-2017-10911: + +https://xenbits.xen.org/xsa/advisory-216.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-10911 +https://security-tracker.debian.org/tracker/CVE-2017-10911 + +Patch copied from Xen Security Advisory: + +https://xenbits.xen.org/xsa/xsa216-qemuu.patch + +From: Jan Beulich +Subject: xen/disk: don't leak stack data via response ring + +Rather than constructing a local structure instance on the stack, fill +the fields directly on the shared ring, just like other (Linux) +backends do. Build on the fact that all response structure flavors are +actually identical (the old code did make this assumption too). + +This is XSA-216. + +Reported-by: Anthony Perard +Signed-off-by: Jan Beulich +Reviewed-by: Konrad Rzeszutek Wilk +Acked-by: Anthony PERARD +--- +v2: Add QEMU_PACKED to fix handling 32-bit guests by 64-bit qemu. + +--- a/hw/block/xen_blkif.h ++++ b/hw/block/xen_blkif.h +@@ -14,9 +14,6 @@ + struct blkif_common_request { + char dummy; + }; +-struct blkif_common_response { +- char dummy; +-}; +=20 + /* i386 protocol version */ + #pragma pack(push, 4) +@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard { + blkif_sector_t sector_number; /* start sector idx on disk (r/w onl= y) */ + uint64_t nr_sectors; /* # of contiguous sectors to discar= d */ + }; +-struct blkif_x86_32_response { +- uint64_t id; /* copied from request */ +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? 
*/ +-}; + typedef struct blkif_x86_32_request blkif_x86_32_request_t; +-typedef struct blkif_x86_32_response blkif_x86_32_response_t; + #pragma pack(pop) +=20 + /* x86_64 protocol version */ +@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard { + blkif_sector_t sector_number; /* start sector idx on disk (r/w onl= y) */ + uint64_t nr_sectors; /* # of contiguous sectors to discar= d */ + }; +-struct blkif_x86_64_response { +- uint64_t __attribute__((__aligned__(8))) id; +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? */ +-}; + typedef struct blkif_x86_64_request blkif_x86_64_request_t; +-typedef struct blkif_x86_64_response blkif_x86_64_response_t; +=20 + DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, +- struct blkif_common_response); ++ struct blkif_response); + DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, +- struct blkif_x86_32_response); ++ struct blkif_response QEMU_PACKED); + DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, +- struct blkif_x86_64_response); ++ struct blkif_response); +=20 + union blkif_back_rings { + blkif_back_ring_t native; +--- a/hw/block/xen_disk.c ++++ b/hw/block/xen_disk.c +@@ -769,31 +769,30 @@ static int blk_send_response_one(struct + struct XenBlkDev *blkdev =3D ioreq->blkdev; + int send_notify =3D 0; + int have_requests =3D 0; +- blkif_response_t resp; +- void *dst; +- +- resp.id =3D ioreq->req.id; +- resp.operation =3D ioreq->req.operation; +- resp.status =3D ioreq->status; ++ blkif_response_t *resp; +=20 + /* Place on the response ring for the relevant domain. 
*/ + switch (blkdev->protocol) { + case BLKIF_PROTOCOL_NATIVE: +- dst =3D RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.na= tive.rsp_prod_pvt); ++ resp =3D RING_GET_RESPONSE(&blkdev->rings.native, ++ blkdev->rings.native.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_32: +- dst =3D RING_GET_RESPONSE(&blkdev->rings.x86_32_part, +- blkdev->rings.x86_32_part.rsp_prod_pvt); ++ resp =3D RING_GET_RESPONSE(&blkdev->rings.x86_32_part, ++ blkdev->rings.x86_32_part.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_64: +- dst =3D RING_GET_RESPONSE(&blkdev->rings.x86_64_part, +- blkdev->rings.x86_64_part.rsp_prod_pvt); ++ resp =3D RING_GET_RESPONSE(&blkdev->rings.x86_64_part, ++ blkdev->rings.x86_64_part.rsp_prod_pvt); + break; + default: +- dst =3D NULL; + return 0; + } +- memcpy(dst, &resp, sizeof(resp)); ++ ++ resp->id =3D ioreq->req.id; ++ resp->operation =3D ioreq->req.operation; ++ resp->status =3D ioreq->status; ++ + blkdev->rings.common.rsp_prod_pvt++; +=20 + RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_noti= fy); diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/= patches/qemu-CVE-2017-11434.patch new file mode 100644 index 000000000..8c384b6c8 =2D-- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch 
@@ -0,0 +1,46 @@ +Fix CVE-2017-11434: + +https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html +https://bugzilla.redhat.com/show_bug.cgi?id=3D1472611 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-11434 +https://security-tracker.debian.org/tracker/CVE-2017-11434 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=3Dqemu.git;a=3Dcommit;h=3D413d463f43fbc4= dd3a601e80a5724aa384a265a0 + +From 413d463f43fbc4dd3a601e80a5724aa384a265a0 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 17 Jul 2017 17:33:26 +0530 +Subject: [PATCH] slirp: check len against dhcp options array end + +While parsing dhcp options string in 'dhcp_decode', if an options' +length 'len' appeared towards the end of 'bp_vend' array, ensuing +read could lead to an OOB memory access issue. Add check to avoid it. + +This is CVE-2017-11434. + +Reported-by: Reno Robert +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +--- + slirp/bootp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/slirp/bootp.c b/slirp/bootp.c +index 5a4646c182..5dd1a415b5 100644 +--- a/slirp/bootp.c ++++ b/slirp/bootp.c +@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int = *pmsg_type, + if (p >=3D p_end) + break; + len =3D *p++; ++ if (p + len > p_end) { ++ break; ++ } + DPRINTF("dhcp: tag=3D%d len=3D%d\n", tag, len); +=20 + switch(tag) { +--=20 +2.14.1 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.= scm index 49998120d..ab364cd1f 100644 =2D-- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2015, 2016, 2017 Mark H Weaver ;;; Copyright =C2=A9 2016, 2017 Efraim Flashner ;;; Copyright =C2=A9 2016 Ricardo Wurmus +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -82,7 +83,11 @@ "qemu-CVE-2017-8379.patch" "qemu-CVE-2017-8380.patch" "qemu-CVE-2017-9524.patch" =2D "qemu-CVE-2017-11334.patch")) + "qemu-CVE-2017-10664.patch" + "qemu-CVE-2017-10806.patch" + "qemu-CVE-2017-10911.patch" + "qemu-CVE-2017-11334.patch" + "qemu-CVE-2017-11434.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) =2D-=20 2.14.0

Cheers,
Alex
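
Review bot: In qemu-CVE-2017-10664.patch, the qemu-nbd.c hunk sets the disposition with `signal(SIGPIPE, SIG_IGN)` directly below a `sigaction(SIGTERM, &sa_sigterm, NULL)` call; using sigaction for both would keep main() consistent and avoid mixing the two interfaces. With SIGPIPE ignored, a write to a client that has already dropped the connection returns an error instead of terminating the server, so the reply paths need to handle that error. The hunk does not show them, so this is worth confirming against the upstream tree before relying on the four added lines alone.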
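
Review bot: In qemu-CVE-2017-10911.patch, blk_send_response_one now stores id, operation and status through one `blkif_response_t *resp` for all three protocols, while only the x86_32 ring is declared with `struct blkif_response QEMU_PACKED`. That depends on the three fields sitting at the same offsets in every response flavor, which the commit message states as an assumption; a build-time assertion on those offsets in xen_blkif.h would make it checkable. A short comment at the three assignments saying the response is filled in place on the shared ring on purpose, rather than built on the stack and copied, would also help keep the removed `memcpy(dst, &resp, sizeof(resp))` from being restored later.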
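
Review bot: In qemu-CVE-2017-11434.patch, the bound added to dhcp_decode is written as `if (p + len > p_end)`, which forms a pointer beyond the end of the options array before comparing it; `if (len > p_end - p)` states the same limit without stepping outside the buffer. The `break` sits ahead of the DPRINTF, so an option with an overlong length is dropped without any trace; a debug line in that branch would help when diagnosing a truncated or malformed packet.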

From: Alex Vong
To: control@debbugs.gnu.org
Subject: Add 'patch' tag.
Date: Sun, 13 Aug 2017 22:57:28 +0800
Message-ID: <87lgmn1pnr.fsf@gmail.com>

package guix-patches
tags 27987 patch
tags 28077 patch
thanks

From: Marius Bakke
To: Alex Vong, 28077-done@debbugs.gnu.org
Subject: Re: [bug#28077] [PATCH] gnu: qemu: Fix CVE-2017-{10664, 10806, 10911, 11434}.
In-Reply-To: <87pobz1tbp.fsf@gmail.com>
References: <87pobz1tbp.fsf@gmail.com>
Date: Sun, 13 Aug 2017 19:10:56 +0200
Message-ID: <87wp671jhb.fsf@fastmail.com>

Alex Vong writes:

> Severity: important
> Tags: security
>
> Hello,
>
> This fixes a bunch of CVEs which were left unfixed. Most of the patches
> are copied from the upstream git repo. Except one is copied from Xen
> Security Advisory.

Thanks for these, applied! I took the liberty of removing the commit
messages from the patches, since we have the URLs anyway. It reduced
the commit length by 31%.

[...]

> diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch > new file mode 100644 > index 000000000..fed3fb8ff > --- /dev/null > +++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch
> @@ -0,0 +1,123 @@ > +Fix CVE-2017-10911: > + > +https://xenbits.xen.org/xsa/advisory-216.html > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 > +https://security-tracker.debian.org/tracker/CVE-2017-10911 > + > +Patch copied from Xen Security Advisory: > + > +https://xenbits.xen.org/xsa/xsa216-qemuu.patch

Apparently this patch has been pulled by one of the qemu developers, but
is not on any branches on git.qemu.org:

https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg06662.html

I wonder what's up with that.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Message-Id: bug archived.
Date: Mon, 11 Sep 2017 11:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator