diff options
author | Mark H Weaver <mhw@netris.org> | 2017-08-15 03:10:14 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2017-08-15 03:10:14 -0400 |
commit | 09ec5a0f0c40afde63975af9e9203884dad86ea7 (patch) | |
tree | c85530d4a7ed433779d787a0c452ed0d4b7f0f0a /gnu/packages/patches | |
parent | 3785e42e5219a86d9d8a5208ff18e97e0cbcbe78 (diff) | |
parent | 2d430f29231d0d817459d86e0fe15089372e9547 (diff) | |
download | guix-09ec5a0f0c40afde63975af9e9203884dad86ea7.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/catdoc-CVE-2017-11110.patch | 45 | ||||
-rw-r--r-- | gnu/packages/patches/curl-bounds-check.patch | 19 | ||||
-rw-r--r-- | gnu/packages/patches/cvs-2017-12836.patch | 45 | ||||
-rw-r--r-- | gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch | 46 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10664.patch | 27 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10806.patch | 38 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-10911.patch | 106 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-11434.patch | 25 |
8 files changed, 351 insertions, 0 deletions
diff --git a/gnu/packages/patches/catdoc-CVE-2017-11110.patch b/gnu/packages/patches/catdoc-CVE-2017-11110.patch new file mode 100644 index 0000000000..71c44f60fb --- /dev/null +++ b/gnu/packages/patches/catdoc-CVE-2017-11110.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-11110: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110 +https://bugzilla.redhat.com/show_bug.cgi?id=1468471 +https://security-tracker.debian.org/tracker/CVE-2017-11110 + +Patch copied from openSUSE: + +https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1 + +From: Andreas Stieger <astieger@suse.com> +Date: Mon, 10 Jul 2017 15:37:58 +0000 +References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877 + +All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4. + +--- + src/ole.c | 5 +++++ + 1 file changed, 5 insertions(+) + +Index: catdoc-0.95/src/ole.c +=================================================================== +--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200 ++++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200 +@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si + return NULL; + } + sectorSize = 1<<getshort(oleBuf,0x1e); ++ /* CVE-2017-11110) */ ++ if (sectorSize < 4) { ++ fprintf(stderr,"sectorSize < 4 not supported\n"); ++ return NULL; ++ } + shortSectorSize=1<<getshort(oleBuf,0x20); + + /* Read BBD into memory */ +@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si + } + + fseek(newfile, 512+mblock*sectorSize, SEEK_SET); +- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, ++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */ + 1, sectorSize, newfile) != sectorSize) { + fprintf(stderr, "Error read MSAT!\n"); + ole_finish(); diff --git a/gnu/packages/patches/curl-bounds-check.patch b/gnu/packages/patches/curl-bounds-check.patch new file mode 100644 index 0000000000..4b8ff65304 --- /dev/null +++ b/gnu/packages/patches/curl-bounds-check.patch @@ -0,0 +1,19 @@ +Fix test failure on some 32-bit platforms. + +Patch copied from upstream source repository: + +https://github.com/curl/curl/commit/45a560390c4356bcb81d933bbbb229c8ea2acb63 + +diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c +index b9dedc989e..85c5e79a7e 100644 +--- a/src/tool_paramhlp.c ++++ b/src/tool_paramhlp.c +@@ -218,7 +218,7 @@ static ParameterError str2double(double *val, const char *str, long max) + num = strtod(str, &endptr); + if(errno == ERANGE) + return PARAM_NUMBER_TOO_LARGE; +- if((long)num > max) { ++ if(num > max) { + /* too large */ + return PARAM_NUMBER_TOO_LARGE; + } diff --git a/gnu/packages/patches/cvs-2017-12836.patch b/gnu/packages/patches/cvs-2017-12836.patch new file mode 100644 index 0000000000..507ab0f7d0 --- /dev/null +++ b/gnu/packages/patches/cvs-2017-12836.patch @@ -0,0 +1,45 @@ +Fix CVE-2017-12836: + +http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12836 +https://security-tracker.debian.org/tracker/CVE-2017-12836 + +Patch adpated from Debian (comments and changelog annotations removed): + +https://anonscm.debian.org/cgit/collab-maint/cvs.git/commit/?h=stretch&id=41e077396e35efb6c879951f44c62dd8a1d0f094 + +From 41e077396e35efb6c879951f44c62dd8a1d0f094 Mon Sep 17 00:00:00 2001 +From: mirabilos <m@mirbsd.org> +Date: Sat, 12 Aug 2017 03:17:18 +0200 +Subject: Fix CVE-2017-12836 (Closes: #871810) for stretch + +--- + debian/changelog | 6 ++++++ + src/rsh-client.c | 10 ++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/rsh-client.c b/src/rsh-client.c +index fe0cfc4..1fc860d 100644 +--- a/src/rsh-client.c ++++ b/src/rsh-client.c +@@ -105,6 +106,9 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + rsh_argv[i++] = argvport; + } + ++ /* Only non-option arguments from here. (CVE-2017-12836) */ ++ rsh_argv[i++] = "--"; ++ + rsh_argv[i++] = root->hostname; + rsh_argv[i++] = cvs_server; + if (readonlyfs) +@@ -189,6 +193,8 @@ start_rsh_server (cvsroot_t *root, struct buffer **to_server_p, + *p++ = argvport; + } + ++ *p++ = "--"; ++ + *p++ = root->hostname; + *p++ = command; + *p++ = NULL; +-- +cgit v0.12 + diff --git a/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch b/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch new file mode 100644 index 0000000000..e7a96a2ac0 --- /dev/null +++ b/gnu/packages/patches/e2fsprogs-32bit-quota-warnings.patch @@ -0,0 +1,46 @@ +Fix a test failure on 32-bit platforms. + +Patch copied from upstream source repository: + +https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=9e31a5696c4b699bf000a07b86601c1fb91c0493 + +diff --git a/lib/support/mkquota.c b/lib/support/mkquota.c +index 00f3a40..931a839 100644 +--- a/lib/support/mkquota.c ++++ b/lib/support/mkquota.c +@@ -50,11 +50,13 @@ static void print_dquot(const char *desc, struct dquot *dq) + { + if (desc) + fprintf(stderr, "%s: ", desc); +- fprintf(stderr, "%u %ld:%ld:%ld %ld:%ld:%ld\n", +- dq->dq_id, dq->dq_dqb.dqb_curspace, +- dq->dq_dqb.dqb_bsoftlimit, dq->dq_dqb.dqb_bhardlimit, +- dq->dq_dqb.dqb_curinodes, +- dq->dq_dqb.dqb_isoftlimit, dq->dq_dqb.dqb_ihardlimit); ++ fprintf(stderr, "%u %lld:%lld:%lld %lld:%lld:%lld\n", ++ dq->dq_id, (long long) dq->dq_dqb.dqb_curspace, ++ (long long) dq->dq_dqb.dqb_bsoftlimit, ++ (long long) dq->dq_dqb.dqb_bhardlimit, ++ (long long) dq->dq_dqb.dqb_curinodes, ++ (long long) dq->dq_dqb.dqb_isoftlimit, ++ (long long) dq->dq_dqb.dqb_ihardlimit); + } + #else + static void print_dquot(const char *desc EXT2FS_ATTR((unused)), +@@ -524,11 +526,11 @@ static int scan_dquots_callback(struct dquot *dquot, void *cb_data) + dq->dq_dqb.dqb_curinodes != dquot->dq_dqb.dqb_curinodes) { + scan_data->usage_is_inconsistent = 1; + fprintf(stderr, "[QUOTA WARNING] Usage inconsistent for ID %u:" +- "actual (%ld, %ld) != expected (%ld, %ld)\n", +- dq->dq_id, dq->dq_dqb.dqb_curspace, +- dq->dq_dqb.dqb_curinodes, +- dquot->dq_dqb.dqb_curspace, +- dquot->dq_dqb.dqb_curinodes); ++ "actual (%lld, %lld) != expected (%lld, %lld)\n", ++ dq->dq_id, (long long) dq->dq_dqb.dqb_curspace, ++ (long long) dq->dq_dqb.dqb_curinodes, ++ (long long) dquot->dq_dqb.dqb_curspace, ++ (long long) dquot->dq_dqb.dqb_curinodes); + } + + if (scan_data->update_limits) { diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch new file mode 100644 index 0000000000..2b60de3dca --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch @@ -0,0 +1,27 @@ +Fix CVE-2017-10664: + +https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html +https://bugzilla.redhat.com/show_bug.cgi?id=1466190 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664 +https://security-tracker.debian.org/tracker/CVE-2017-10664 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1 + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 9464a0461c..4dd3fd4732 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -581,6 +581,10 @@ int main(int argc, char **argv) + sa_sigterm.sa_handler = termsig_handler; + sigaction(SIGTERM, &sa_sigterm, NULL); + ++#ifdef CONFIG_POSIX ++ signal(SIGPIPE, SIG_IGN); ++#endif ++ + module_call_init(MODULE_INIT_TRACE); + qcrypto_init(&error_fatal); + + diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch new file mode 100644 index 0000000000..ebf782fe7b --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch @@ -0,0 +1,38 @@ +Fix CVE-2017-10806: + +https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html +https://bugzilla.redhat.com/show_bug.cgi?id=1468496 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806 +https://security-tracker.debian.org/tracker/CVE-2017-10806 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index b001a27f05..ad5ef783a6 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) + static void usbredir_log_data(USBRedirDevice *dev, const char *desc, + const uint8_t *data, int len) + { +- int i, j, n; +- + if (dev->debug < usbredirparser_debug_data) { + return; + } +- +- for (i = 0; i < len; i += j) { +- char buf[128]; +- +- n = sprintf(buf, "%s", desc); +- for (j = 0; j < 8 && i + j < len; j++) { +- n += sprintf(buf + n, " %02X", data[i + j]); +- } +- error_report("%s", buf); +- } ++ qemu_hexdump((char *)data, stderr, desc, len); + } + + /* diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch new file mode 100644 index 0000000000..1dcb860a2d --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch @@ -0,0 +1,106 @@ +Fix CVE-2017-10911: + +https://xenbits.xen.org/xsa/advisory-216.html +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911 +https://security-tracker.debian.org/tracker/CVE-2017-10911 + +Patch copied from Xen Security Advisory: + +https://xenbits.xen.org/xsa/xsa216-qemuu.patch + +--- a/hw/block/xen_blkif.h ++++ b/hw/block/xen_blkif.h +@@ -14,9 +14,6 @@ + struct blkif_common_request { + char dummy; + }; +-struct blkif_common_response { +- char dummy; +-}; + + /* i386 protocol version */ + #pragma pack(push, 4) +@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard { + blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ + uint64_t nr_sectors; /* # of contiguous sectors to discard */ + }; +-struct blkif_x86_32_response { +- uint64_t id; /* copied from request */ +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? */ +-}; + typedef struct blkif_x86_32_request blkif_x86_32_request_t; +-typedef struct blkif_x86_32_response blkif_x86_32_response_t; + #pragma pack(pop) + + /* x86_64 protocol version */ +@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard { + blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */ + uint64_t nr_sectors; /* # of contiguous sectors to discard */ + }; +-struct blkif_x86_64_response { +- uint64_t __attribute__((__aligned__(8))) id; +- uint8_t operation; /* copied from request */ +- int16_t status; /* BLKIF_RSP_??? */ +-}; + typedef struct blkif_x86_64_request blkif_x86_64_request_t; +-typedef struct blkif_x86_64_response blkif_x86_64_response_t; + + DEFINE_RING_TYPES(blkif_common, struct blkif_common_request, +- struct blkif_common_response); ++ struct blkif_response); + DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request, +- struct blkif_x86_32_response); ++ struct blkif_response QEMU_PACKED); + DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request, +- struct blkif_x86_64_response); ++ struct blkif_response); + + union blkif_back_rings { + blkif_back_ring_t native; +--- a/hw/block/xen_disk.c ++++ b/hw/block/xen_disk.c +@@ -769,31 +769,30 @@ static int blk_send_response_one(struct + struct XenBlkDev *blkdev = ioreq->blkdev; + int send_notify = 0; + int have_requests = 0; +- blkif_response_t resp; +- void *dst; +- +- resp.id = ioreq->req.id; +- resp.operation = ioreq->req.operation; +- resp.status = ioreq->status; ++ blkif_response_t *resp; + + /* Place on the response ring for the relevant domain. */ + switch (blkdev->protocol) { + case BLKIF_PROTOCOL_NATIVE: +- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt); ++ resp = RING_GET_RESPONSE(&blkdev->rings.native, ++ blkdev->rings.native.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_32: +- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, +- blkdev->rings.x86_32_part.rsp_prod_pvt); ++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part, ++ blkdev->rings.x86_32_part.rsp_prod_pvt); + break; + case BLKIF_PROTOCOL_X86_64: +- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, +- blkdev->rings.x86_64_part.rsp_prod_pvt); ++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part, ++ blkdev->rings.x86_64_part.rsp_prod_pvt); + break; + default: +- dst = NULL; + return 0; + } +- memcpy(dst, &resp, sizeof(resp)); ++ ++ resp->id = ioreq->req.id; ++ resp->operation = ioreq->req.operation; ++ resp->status = ioreq->status; ++ + blkdev->rings.common.rsp_prod_pvt++; + + RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify); diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch new file mode 100644 index 0000000000..4da701a73d --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch @@ -0,0 +1,25 @@ +Fix CVE-2017-11434: + +https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html +https://bugzilla.redhat.com/show_bug.cgi?id=1472611 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434 +https://security-tracker.debian.org/tracker/CVE-2017-11434 + +Patch copied from upstream source repository: + +https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0 + +diff --git a/slirp/bootp.c b/slirp/bootp.c +index 5a4646c182..5dd1a415b5 100644 +--- a/slirp/bootp.c ++++ b/slirp/bootp.c +@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + if (p >= p_end) + break; + len = *p++; ++ if (p + len > p_end) { ++ break; ++ } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); + + switch(tag) { |