diff options
author | Marius Bakke <mbakke@fastmail.com> | 2018-02-20 17:44:43 +0100 |
---|---|---|
committer | Marius Bakke <mbakke@fastmail.com> | 2018-02-20 17:44:43 +0100 |
commit | 5fa6b52a548a806c36a450448972ae4007bbac17 (patch) | |
tree | a42d8c56a3e6f388dc3db85128bf06ed0ccfc52d /gnu/packages/patches | |
parent | b1989c12501e880afab62d3ff961791906fef350 (diff) | |
download | guix-5fa6b52a548a806c36a450448972ae4007bbac17.tar.gz |
gnu: qemu: Update to 2.11.1.
* gnu/packages/patches/qemu-CVE-2017-15038.patch, gnu/packages/patches/qemu-CVE-2017-15289.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/virtualization.scm (qemu): Update to 2.11.1 [source](patches): Remove.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15038.patch | 51 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15289.patch | 66 |
2 files changed, 0 insertions, 117 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch deleted file mode 100644 index 4791a186bf..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15038.patch +++ /dev/null @@ -1,51 +0,0 @@ -Fix CVE-2017-15038: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6 - -From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 16 Oct 2017 14:21:59 +0200 -Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr - -9p back-end first queries the size of an extended attribute, -allocates space for it via g_malloc() and then retrieves its -value into allocated buffer. Race between querying attribute -size and retrieving its could lead to memory bytes disclosure. -Use g_malloc0() to avoid it. - -Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 23ac7bb532..f8bbac251d 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) - xattr_fidp->fid_type = P9_FID_XATTR; - xattr_fidp->fs.xattr.xattrwalk_fid = true; - if (size) { -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, - xattr_fidp->fs.xattr.value, - xattr_fidp->fs.xattr.len); -@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) - xattr_fidp->fid_type = P9_FID_XATTR; - xattr_fidp->fs.xattr.xattrwalk_fid = true; - if (size) { -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, - &name, xattr_fidp->fs.xattr.value, - xattr_fidp->fs.xattr.len); --- -2.15.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-15289.patch b/gnu/packages/patches/qemu-CVE-2017-15289.patch deleted file mode 100644 index d4b536a405..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15289.patch +++ /dev/null @@ -1,66 +0,0 @@ -Fix CVE-2017-15289: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15289 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=eb38e1bc3740725ca29a535351de94107ec58d51 - -From eb38e1bc3740725ca29a535351de94107ec58d51 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Wed, 11 Oct 2017 10:43:14 +0200 -Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions - -Move dst calculation into the loop, so we apply the mask on each -interation and will not overflow vga memory. - -Cc: Prasad J Pandit <pjp@fedoraproject.org> -Reported-by: Niu Guoxiang <niuguoxiang@huawei.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 20171011084314.21752-1-kraxel@redhat.com ---- - hw/display/cirrus_vga.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index b4d579857a..bc32bf1e39 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s, - unsigned val = mem_value; - uint8_t *dst; - -- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); - for (x = 0; x < 8; x++) { -+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask); - if (val & 0x80) { - *dst = s->cirrus_shadow_gr1; - } else if (mode == 5) { - *dst = s->cirrus_shadow_gr0; - } - val <<= 1; -- dst++; - } - memory_region_set_dirty(&s->vga.vram, offset, 8); - } -@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, - unsigned val = mem_value; - uint8_t *dst; - -- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask); - for (x = 0; x < 8; x++) { -+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1); - if (val & 0x80) { - *dst = s->cirrus_shadow_gr1; - *(dst + 1) = s->vga.gr[0x11]; -@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s, - *(dst + 1) = s->vga.gr[0x10]; - } - val <<= 1; -- dst += 2; - } - memory_region_set_dirty(&s->vga.vram, offset, 16); - } --- -2.15.0 - |