GNU bug report logs - #29232
[PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.


Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 9 Nov 2017 18:17:01 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#29232; Package guix-patches. (Thu, 09 Nov 2017 18:17:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 09 Nov 2017 18:17:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Thu,  9 Nov 2017 13:15:53 -0500
What do you think of fetching the patches like this, instead of copying
them into the Guix source tree?

* gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
(qemu)[source]: Use qemu-patch.
---
 gnu/packages/virtualization.scm | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 14b1dfbe0..2a2f41626 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -69,7 +69,7 @@
   (origin
     (method url-fetch)
     (uri (string-append
-          "http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h="
+          "https://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h="
           commit))
     (sha256 sha256)
     (file-name file-name)))
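Review bot: The scheme change on the `uri` line only protects the download in transit; the `(sha256 sha256)` field two lines below is what actually pins the patch content, so a Gitweb outage or a change in how `commitdiff_plain` renders a commit shows up as a hash mismatch rather than as a silently different patch. A one-line comment above the `(origin` form saying that the hash, not the URL, is the trust anchor would make that explicit, since the URL is the only place the upstream commit id appears.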
@@ -78,13 +78,28 @@
   (package
     (name "qemu")
     (version "2.10.1")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "https://download.qemu.org/qemu-"
-                                 version ".tar.xz"))
-             (sha256
-              (base32
-               "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://download.qemu.org/qemu-"
+                            version ".tar.xz"))
+        (patches
+          (list
+            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
+                        "qemu-CVE-2017-15038.patch"
+                        (base32
+                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
+            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
+                        "qemu-CVE-2017-15268.patch"
+                        (base32
+                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
+            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
+                        "qemu-CVE-2017-15289.patch"
+                        (base32
+                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
+        (sha256
+         (base32
+          "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:
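Review bot: Each `qemu-patch` call ties an upstream commit id to a CVE only through the `file-name` string (`"qemu-CVE-2017-15038.patch"` and the two that follow); nothing in the hunk records why commit 7bd92756303f2158a68d5166264dc30139b813b6 is the fix for that CVE, so a reviewer has to re-derive the mapping from upstream. Suggest a `;;` comment per entry citing the upstream commit subject or the advisory, or keeping annotated patch files in the tree, so the correspondence can be checked without leaving the repository. Also, the `patches` field now sits between `uri` and `sha256` in the `origin`, whereas the removed lines kept `sha256` directly after `uri`; harmless, but worth keeping the hash next to the URL it verifies.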
-- 
2.15.0





Information forwarded to guix-patches <at> gnu.org:
bug#29232; Package guix-patches. (Thu, 09 Nov 2017 22:52:03 GMT)

Message #8 received at 29232 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29232 <at> debbugs.gnu.org
Subject: Re: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Thu, 09 Nov 2017 23:51:48 +0100
Hello,

Leo Famulari <leo <at> famulari.name> skribis:

> What do you think of fetching the patches like this, instead of copying
> them into the Guix source tree?

I think it’s OK.  If the Gitweb instance disappears, or if it changes
somehow, hopefully the patch itself will still have the same hash, so we
can always change to a different URL or a local file.

> * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> (qemu)[source]: Use qemu-patch.

[…]

> +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> +                        "qemu-CVE-2017-15038.patch"
> +                        (base32
> +                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> +                        "qemu-CVE-2017-15268.patch"
> +                        (base32
> +                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> +                        "qemu-CVE-2017-15289.patch"
> +                        (base32
> +                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))

I trust these commits correspond to these CVEs.

Thanks,
Ludo’.
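The point made above (the origin's hash, not its URL, is what pins the patch) can be shown concretely. The following is an added example, not code from the patch or from Guix: it implements the Nix-style base32 encoding that Guix's `(base32 "...")` literals use, and accepts a fetched file only if its SHA-256 decodes to the pinned string. The sample patch bytes are constructed; the three hash strings from the patch are only round-tripped through the codec.

```python
import hashlib

# Nix/Guix base32 alphabet: digits plus lowercase letters without e, o, t, u.
NIX_BASE32_CHARS = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(digest: bytes) -> str:
    """Encode raw hash bytes the way Guix's (base32 "...") literals expect."""
    length = (len(digest) * 8 - 1) // 5 + 1  # 52 characters for SHA-256
    out = []
    for n in range(length - 1, -1, -1):  # most significant 5-bit group first
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_BASE32_CHARS[c & 0x1F])
    return "".join(out)


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Inverse of nix_base32_encode; raises ValueError on malformed input."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte hash" % size)
    out = bytearray(size)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_BASE32_CHARS.find(ch)
        if digit < 0:
            raise ValueError("invalid base32 character %r" % ch)
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i + 1 < size:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):  # bits beyond the hash width must be zero
            raise ValueError("trailing bits set")
    return bytes(out)


def patch_matches(patch_bytes: bytes, expected_base32: str) -> bool:
    """True iff sha256(patch) equals the hash pinned in the package origin."""
    return hashlib.sha256(patch_bytes).digest() == nix_base32_decode(expected_base32)


# Constructed sample standing in for a fetched commitdiff_plain file (not a real QEMU patch).
SAMPLE_PATCH = b"--- a/hw/example.c\n+++ b/hw/example.c\n@@ -1 +1 @@\n-int x;\n+int x = 0;\n"
SAMPLE_PINNED = nix_base32_encode(hashlib.sha256(SAMPLE_PATCH).digest())

if __name__ == "__main__":
    print("unmodified patch accepted:", patch_matches(SAMPLE_PATCH, SAMPLE_PINNED))
    print("altered patch accepted:", patch_matches(SAMPLE_PATCH + b"\n", SAMPLE_PINNED))
```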




Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Fri, 10 Nov 2017 17:18:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Fri, 10 Nov 2017 17:18:02 GMT)

Message #13 received at 29232-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 29232-done <at> debbugs.gnu.org
Subject: Re: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Fri, 10 Nov 2017 12:17:38 -0500
On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
> 
> Leo Famulari <leo <at> famulari.name> skribis:
> 
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
> 
> I think it’s OK.  If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to a different URL or a local file.
> 
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
> 
> […]
> 
> > +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > +                        "qemu-CVE-2017-15038.patch"
> > +                        (base32
> > +                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > +                        "qemu-CVE-2017-15268.patch"
> > +                        (base32
> > +                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > +                        "qemu-CVE-2017-15289.patch"
> > +                        (base32
> > +                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
> 
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of correlating the patch with the ID'd bug.

In practice, I think this extra work means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.

Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.

Information forwarded to guix-patches <at> gnu.org:
bug#29232; Package guix-patches. (Fri, 10 Nov 2017 21:43:02 GMT)

Message #16 received at 29232-done <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 29232-done <at> debbugs.gnu.org
Subject: Re: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Fri, 10 Nov 2017 22:42:21 +0100
Hello,

Leo Famulari <leo <at> famulari.name> skribis:

> Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
> ol' annotated patch files instead.
>
> Fetching the patches like this is too opaque. There's no *easy* way to
> view the patches or figure out where they came from. The upstream
> commits don't mention the CVE ID, and every interested person has to
> re-do the work of correlating the patch with the ID'd bug.
>
> In practice, I think this extra work means that nobody will ever review
> the patches or check that they correspond to a particular bug. Making
> that easy is worth the extra bytes in our source tree.

True.  I’m more inclined to skim over CVE patches that are inlined than
in this case.

> Also I'm not confident that it will be easy to find bit-reproducible
> patches in the future, whereas I think it will be easy to find the QEMU
> tarballs and the patches from our Git repo.

I’m a little bit more confident given that the Gitweb-generated patches
are merely raw commits, but I get your point.

Thanks!

Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 09 Dec 2017 12:24:04 GMT)
