diff options
author | Leo Famulari <leo@famulari.name> | 2017-04-07 00:16:18 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-04-07 00:53:02 -0400 |
commit | fbd6fb1a9d75bd7b5d1df24cb805b7df335b0223 (patch) | |
tree | f3c44e6fad5ccde80fc4a093de28f17e8faa6642 /gnu/packages/patches/qemu-CVE-2017-2620.patch | |
parent | 0715c0e69c2ec6f91551988d46de07e2e4cfaac2 (diff) | |
download | guix-fbd6fb1a9d75bd7b5d1df24cb805b7df335b0223.tar.gz |
gnu: qemu: Update to 2.8.1 [security fixes].
Fixes CVE-2016-{9602,9603} and CVE-2017-{2615,2620,2630,5667,5931}. * gnu/packages/qemu.scm (qemu): Update to 2.8.1. * gnu/packages/patches/qemu-CVE-2017-2615.patch, gnu/packages/patches/qemu-CVE-2017-2620.patch, gnu/packages/patches/qemu-CVE-2017-2630.patch, gnu/packages/patches/qemu-CVE-2017-5667.patch, gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-2620.patch')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 |
1 files changed, 0 insertions, 134 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch deleted file mode 100644 index d3111827b7..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-2620.patch +++ /dev/null @@ -1,134 +0,0 @@ -Fix CVE-2017-2620: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 -https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html - -Both patches copied from upstream source repository: - -Fixes CVE-2017-2620: -http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 - -The CVE-2017-2620 bug-fix depends on this earlier patch: -http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061 - -From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Wed, 8 Feb 2017 11:18:36 +0100 -Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo - (CVE-2017-2620) - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/cirrus_vga.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 1deb52070a..b9e7cb1df1 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s, true)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); --- -2.12.0 - -From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001 -From: Bruce Rogers <brogers@suse.com> -Date: Mon, 9 Jan 2017 13:35:20 -0700 -Subject: [PATCH] display: cirrus: ignore source pitch value as needed in - blit_is_unsafe - -Commit 4299b90 added a check which is too broad, given that the source -pitch value is not required to be initialized for solid fill operations. -This patch refines the blit_is_unsafe() check to ignore source pitch in -that case. After applying the above commit as a security patch, we -noticed the SLES 11 SP4 guest gui failed to initialize properly. - -Signed-off-by: Bruce Rogers <brogers@suse.com> -Message-id: 20170109203520.5619-1-brogers@suse.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/cirrus_vga.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index bdb092ee9d..379910db2d 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - { - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); -@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { - return true; - } -+ if (dst_only) { -+ return false; -+ } - if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; -@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - - dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); - -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - (*s->cirrus_rop) (s, dst, src, -@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if (blit_is_unsafe(s)) { -+ if (blit_is_unsafe(s, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.12.0 - |