authorMark H Weaver <mhw@netris.org>2017-03-19 18:52:01 -0400
committerMark H Weaver <mhw@netris.org>2017-03-19 18:52:12 -0400
commitf67337e23ec16b1e05fcdcc7953f68f13ed6770a (patch)
tree766e98a6c4695228f0a066accf91f639791dad68 /gnu/packages/patches
parentb99eec83b861f6bee7afb7bd6ffcbdddd8f62b65 (diff)
parente05fc441cd5528ba6c83b6371c27c1e87dd393e9 (diff)
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch38
-rw-r--r--gnu/packages/patches/libwebp-CVE-2016-9085.patch144
-rw-r--r--gnu/packages/patches/ninja-tests.patch48
-rw-r--r--gnu/packages/patches/password-store-gnupg-compat.patch53
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-2620.patch134
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-2630.patch47
-rw-r--r--gnu/packages/patches/virglrenderer-CVE-2017-6386.patch54
7 files changed, 326 insertions, 192 deletions
diff --git a/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch
new file mode 100644
index 0000000000..0253700bf6
--- /dev/null
+++ b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch
@@ -0,0 +1,38 @@
+From a8769ef12d7e223e33fc47bed03fba2bfa2f3536 Mon Sep 17 00:00:00 2001
+From: Marcus Sundberg <marcus@marcussundberg.com>
+Date: Sat, 26 Mar 2016 20:11:43 +0100
+Subject: [PATCH] evbuffer_add: Use last_with_datap if set, not last.
+
+evbuffer_add() would always put data in the last chain, even if there
+was available space in a previous chain, and in doing so it also
+failed to update last_with_datap, causing subsequent calls to other
+functions that do look at last_with_datap to add data in the middle
+of the evbuffer instead of at the end.
+
+Fixes the evbuffer_add() part of issue #335, and the evbuffer/add2 and
+evbuffer/add3 tests, and also prevents wasting space available in the
+chain pointed to by last_with_datap.
+---
+ buffer.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/buffer.c b/buffer.c
+index 7cca0e8a..f378b731 100644
+--- a/buffer.c
++++ b/buffer.c
+@@ -1732,7 +1732,11 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen)
+ 		goto done;
+ 	}
+ 
+-	chain = buf->last;
++	if (*buf->last_with_datap == NULL) {
++		chain = buf->last;
++	} else {
++		chain = *buf->last_with_datap;
++	}
+ 
+ 	/* If there are no chains allocated for this buffer, allocate one
+ 	 * big enough to hold all the data. */
+-- 
+2.12.0
+
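Review bot: This new patch file carries no Guix-style provenance preamble, unlike password-store-gnupg-compat.patch and the qemu/virglrenderer patches added in the same commit, so the only pointer to the upstream change is the hash in the `From a8769ef12d7e…` line at the top of the hunk. A short header before that line would let a packager verify the source and know when the patch can be dropped, e.g. `Fix evbuffer_add() ignoring free space in the chain pointed to by last_with_datap (upstream issue #335).` followed by `Patch copied from upstream source repository:` and the upstream commit URL for a8769ef12d7e223e33fc47bed03fba2bfa2f3536 (URL to be filled in by the packager). The issue number and commit id quoted here come from the patch's own header.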
diff --git a/gnu/packages/patches/libwebp-CVE-2016-9085.patch b/gnu/packages/patches/libwebp-CVE-2016-9085.patch
deleted file mode 100644
index e40b353303..0000000000
--- a/gnu/packages/patches/libwebp-CVE-2016-9085.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-Fix CVE-2016-9085 (several integer overflows):
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9085
-http://seclists.org/oss-sec/2016/q4/253
-
-Patch copied from upstream source repository:
-
-https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83
-
-From e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 Mon Sep 17 00:00:00 2001
-From: Pascal Massimino <pascal.massimino@gmail.com>
-Date: Mon, 10 Oct 2016 11:48:39 +0200
-Subject: [PATCH] fix potential overflow when width * height * 4 >= (1<<32)
-
-Mostly: avoid doing calculation like: ptr + j * stride
-when stride is 'int'. Rather use size_t, or pointer increments (ptr += stride)
-when possible.
-
-BUG=webp:314
-
-Change-Id: I81c684b515dd1ec4f601f32d50a6e821c4e46e20
----
- examples/gifdec.c | 56 +++++++++++++++++++++++++++++++------------------------
- 1 file changed, 32 insertions(+), 24 deletions(-)
-
-diff --git a/examples/gifdec.c b/examples/gifdec.c
-index 83c3d82..7df176f 100644
---- a/examples/gifdec.c
-+++ b/examples/gifdec.c
-@@ -20,6 +20,7 @@
- 
- #include "webp/encode.h"
- #include "webp/mux_types.h"
-+#include "webp/format_constants.h"
- 
- #define GIF_TRANSPARENT_COLOR 0x00000000
- #define GIF_WHITE_COLOR       0xffffffff
-@@ -103,12 +104,19 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
-   const GifImageDesc* const image_desc = &gif->Image;
-   uint32_t* dst = NULL;
-   uint8_t* tmp = NULL;
--  int ok = 0;
--  GIFFrameRect rect = {
-+  const GIFFrameRect rect = {
-       image_desc->Left, image_desc->Top, image_desc->Width, image_desc->Height
-   };
-+  const uint64_t memory_needed = 4 * rect.width * (uint64_t)rect.height;
-+  int ok = 0;
-   *gif_rect = rect;
- 
-+  if (memory_needed != (size_t)memory_needed ||
-+      memory_needed > 4 * MAX_IMAGE_AREA) {
-+    fprintf(stderr, "Image is too large (%d x %d).", rect.width, rect.height);
-+    return 0;
-+  }
-+
-   // Use a view for the sub-picture:
-   if (!WebPPictureView(picture, rect.x_offset, rect.y_offset,
-                        rect.width, rect.height, &sub_image)) {
-@@ -132,15 +140,15 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index,
-            y += interlace_jumps[pass]) {
-         if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
-         Remap(gif, tmp, rect.width, transparent_index,
--              dst + y * sub_image.argb_stride);
-+              dst + y * (size_t)sub_image.argb_stride);
-       }
-     }
-   } else {  // Non-interlaced image.
-     int y;
--    for (y = 0; y < rect.height; ++y) {
-+    uint32_t* ptr = dst;
-+    for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) {
-       if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End;
--      Remap(gif, tmp, rect.width, transparent_index,
--            dst + y * sub_image.argb_stride);
-+      Remap(gif, tmp, rect.width, transparent_index, ptr);
-     }
-   }
-   ok = 1;
-@@ -216,13 +224,11 @@ int GIFReadMetadata(GifFileType* const gif, GifByteType** const buf,
- 
- static void ClearRectangle(WebPPicture* const picture,
-                            int left, int top, int width, int height) {
--  int j;
--  for (j = top; j < top + height; ++j) {
--    uint32_t* const dst = picture->argb + j * picture->argb_stride;
--    int i;
--    for (i = left; i < left + width; ++i) {
--      dst[i] = GIF_TRANSPARENT_COLOR;
--    }
-+  int i, j;
-+  const size_t stride = picture->argb_stride;
-+  uint32_t* dst = picture->argb + top * stride + left;
-+  for (j = 0; j < height; ++j, dst += stride) {
-+    for (i = 0; i < width; ++i) dst[i] = GIF_TRANSPARENT_COLOR;
-   }
- }
- 
-@@ -246,29 +252,31 @@ void GIFDisposeFrame(GIFDisposeMethod dispose, const GIFFrameRect* const rect,
-   if (dispose == GIF_DISPOSE_BACKGROUND) {
-     GIFClearPic(curr_canvas, rect);
-   } else if (dispose == GIF_DISPOSE_RESTORE_PREVIOUS) {
--    const int src_stride = prev_canvas->argb_stride;
--    const uint32_t* const src =
--        prev_canvas->argb + rect->x_offset + rect->y_offset * src_stride;
--    const int dst_stride = curr_canvas->argb_stride;
--    uint32_t* const dst =
--        curr_canvas->argb + rect->x_offset + rect->y_offset * dst_stride;
-+    const size_t src_stride = prev_canvas->argb_stride;
-+    const uint32_t* const src = prev_canvas->argb + rect->x_offset
-+                              + rect->y_offset * src_stride;
-+    const size_t dst_stride = curr_canvas->argb_stride;
-+    uint32_t* const dst = curr_canvas->argb + rect->x_offset
-+                        + rect->y_offset * dst_stride;
-     assert(prev_canvas != NULL);
--    WebPCopyPlane((uint8_t*)src, 4 * src_stride, (uint8_t*)dst, 4 * dst_stride,
-+    WebPCopyPlane((uint8_t*)src, (int)(4 * src_stride),
-+                  (uint8_t*)dst, (int)(4 * dst_stride),
-                   4 * rect->width, rect->height);
-   }
- }
- 
- void GIFBlendFrames(const WebPPicture* const src,
-                     const GIFFrameRect* const rect, WebPPicture* const dst) {
--  int j;
-+  int i, j;
-+  const size_t src_stride = src->argb_stride;
-+  const size_t dst_stride = dst->argb_stride;
-   assert(src->width == dst->width && src->height == dst->height);
-   for (j = rect->y_offset; j < rect->y_offset + rect->height; ++j) {
--    int i;
-     for (i = rect->x_offset; i < rect->x_offset + rect->width; ++i) {
--      const uint32_t src_pixel = src->argb[j * src->argb_stride + i];
-+      const uint32_t src_pixel = src->argb[j * src_stride + i];
-       const int src_alpha = src_pixel >> 24;
-       if (src_alpha != 0) {
--        dst->argb[j * dst->argb_stride + i] = src_pixel;
-+        dst->argb[j * dst_stride + i] = src_pixel;
-       }
-     }
-   }
--- 
-2.10.1
-
diff --git a/gnu/packages/patches/ninja-tests.patch b/gnu/packages/patches/ninja-tests.patch
deleted file mode 100644
index f9b0d9f910..0000000000
--- a/gnu/packages/patches/ninja-tests.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 67d6b9262efad99f8aad63ab81efc8e689748766 Mon Sep 17 00:00:00 2001
-From: Efraim Flashner <efraim@flashner.co.il>
-Date: Sun, 3 Jul 2016 11:55:43 +0300
-Subject: [PATCH] patch
-
----
- src/subprocess_test.cc | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/subprocess_test.cc b/src/subprocess_test.cc
-index ee16190..a537c11 100644
---- a/src/subprocess_test.cc
-+++ b/src/subprocess_test.cc
-@@ -72,6 +72,7 @@ TEST_F(SubprocessTest, NoSuchCommand) {
- 
- #ifndef _WIN32
- 
-+#if 0
- TEST_F(SubprocessTest, InterruptChild) {
-   Subprocess* subproc = subprocs_.Add("kill -INT $$");
-   ASSERT_NE((Subprocess *) 0, subproc);
-@@ -82,6 +83,7 @@ TEST_F(SubprocessTest, InterruptChild) {
- 
-   EXPECT_EQ(ExitInterrupted, subproc->Finish());
- }
-+#endif
- 
- TEST_F(SubprocessTest, InterruptParent) {
-   Subprocess* subproc = subprocs_.Add("kill -INT $PPID ; sleep 1");
-@@ -217,6 +219,7 @@ TEST_F(SubprocessTest, SetWithMulti) {
- // OS X's process limit is less than 1025 by default
- // (|sysctl kern.maxprocperuid| is 709 on 10.7 and 10.8 and less prior to that).
- #if !defined(__APPLE__) && !defined(_WIN32)
-+#if 0
- TEST_F(SubprocessTest, SetWithLots) {
-   // Arbitrary big number; needs to be over 1024 to confirm we're no longer
-   // hostage to pselect.
-@@ -245,6 +248,7 @@ TEST_F(SubprocessTest, SetWithLots) {
-   }
-   ASSERT_EQ(kNumProcs, subprocs_.finished_.size());
- }
-+#endif
- #endif  // !__APPLE__ && !_WIN32
- 
- // TODO: this test could work on Windows, just not sure how to simply
--- 
-2.9.0
-
diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch
new file mode 100644
index 0000000000..c314ba6647
--- /dev/null
+++ b/gnu/packages/patches/password-store-gnupg-compat.patch
@@ -0,0 +1,53 @@
+Copied from upstream mailing list:
+https://lists.zx2c4.com/pipermail/password-store/2017-March/002844.html.
+
+The patch actually restores compatibility with GnuPG 2.1.19, the '2.2.19' in
+the commit message is a typo.
+
+From 8723d8e8192683891904aff321446b0fac37d1ad Mon Sep 17 00:00:00 2001
+From: Andreas Stieger <astieger@suse.com>
+Date: Fri, 10 Mar 2017 15:43:26 +0100
+Subject: [PATCH] Fix compatibility with GnuPG 2.2.19
+
+GnuPG 2.2.19 added a warning when no command was given.
+
+* src/password-store.sh (reencrypt_path): Add --decrypt to --list-only
+* tests/t0300-reencryption.sh (gpg_keys_from_encrypted_file): same
+
+https://bugs.gnupg.org/gnupg/msg9873
+http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=810adfd47801fc01e45fb71af9f05c91f7890cdb
+https://bugzilla.suse.com/show_bug.cgi?id=1028867
+---
+ src/password-store.sh       | 2 +-
+ tests/t0300-reencryption.sh | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/password-store.sh b/src/password-store.sh
+index 1ab6fb5..bad8d4f 100755
+--- a/src/password-store.sh
++++ b/src/password-store.sh
+@@ -125,7 +125,7 @@ reencrypt_path() {
+ 			done
+ 			gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)"
+ 		fi
+-		current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)"
++		current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)"
+ 
+ 		if [[ $gpg_keys != "$current_keys" ]]; then
+ 			echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }"
+diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh
+index 9d46580..6d5811d 100755
+--- a/tests/t0300-reencryption.sh
++++ b/tests/t0300-reencryption.sh
+@@ -10,7 +10,7 @@ canonicalize_gpg_keys() {
+ 	$GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u
+ }
+ gpg_keys_from_encrypted_file() {
+-	$GPG -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
++	$GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u
+ }
+ gpg_keys_from_group() {
+ 	local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)"
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch
new file mode 100644
index 0000000000..d3111827b7
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-2620.patch
@@ -0,0 +1,134 @@
+Fix CVE-2017-2620:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620
+https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
+
+Both patches copied from upstream source repository:
+
+Fixes CVE-2017-2620:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298
+
+The CVE-2017-2620 bug-fix depends on this earlier patch:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061
+
+From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Wed, 8 Feb 2017 11:18:36 +0100
+Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
+ (CVE-2017-2620)
+
+CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
+and blit width, at all.  Oops.  Fix it.
+
+Security impact: high.
+
+The missing blit destination check allows to write to host memory.
+Basically same as CVE-2014-8106 for the other blit variants.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index 1deb52070a..b9e7cb1df1 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ {
+     int w;
+ 
++    if (blit_is_unsafe(s, true)) {
++        return 0;
++    }
++
+     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
+     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
+     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
+@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
+ 	}
+         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
+     }
++
++    /* the blit_is_unsafe call above should catch this */
++    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
++
+     s->cirrus_srcptr = s->cirrus_bltbuf;
+     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
+     cirrus_update_memory_access(s);
+-- 
+2.12.0
+
+From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers <brogers@suse.com>
+Date: Mon, 9 Jan 2017 13:35:20 -0700
+Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
+ blit_is_unsafe
+
+Commit 4299b90 added a check which is too broad, given that the source
+pitch value is not required to be initialized for solid fill operations.
+This patch refines the blit_is_unsafe() check to ignore source pitch in
+that case. After applying the above commit as a security patch, we
+noticed the SLES 11 SP4 guest gui failed to initialize properly.
+
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+Message-id: 20170109203520.5619-1-brogers@suse.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/cirrus_vga.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index bdb092ee9d..379910db2d 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     return false;
+ }
+ 
+-static bool blit_is_unsafe(struct CirrusVGAState *s)
++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
+ {
+     /* should be the case, see cirrus_bitblt_start */
+     assert(s->cirrus_blt_width > 0);
+@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
+                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
+         return true;
+     }
++    if (dst_only) {
++        return false;
++    }
+     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
+                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
+         return true;
+@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
+ 
+     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+ 
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     (*s->cirrus_rop) (s, dst, src,
+@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
+ {
+     cirrus_fill_t rop_func;
+ 
+-    if (blit_is_unsafe(s)) {
++    if (blit_is_unsafe(s, true)) {
+         return 0;
+     }
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+ 
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+-    if (blit_is_unsafe(s))
++    if (blit_is_unsafe(s, false))
+         return 0;
+ 
+     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
+-- 
+2.12.0
+
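Review bot: The preamble states that the CVE-2017-2620 fix depends on the earlier commit 913a878, yet the file lists the dependent patch 92f2b88 (the new `blit_is_unsafe(s, true)` call in cirrus_bitblt_cputovideo) first and the prerequisite that adds the `dst_only` parameter second. This presumably applies cleanly because the two patches touch disjoint hunks and both land before the build, but a reader following the file top to bottom meets a two-argument call before the signature change that introduces it. Either reorder the two patches to match the stated dependency or add one sentence to the preamble, e.g. `The prerequisite is listed second; both apply in this order because they touch different hunks.`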
diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch
new file mode 100644
index 0000000000..b154d171f1
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-2630.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-2630:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630
+https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
+
+Patch copied from upstream source repository:
+
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85
+
+From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001
+From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Date: Tue, 7 Mar 2017 09:16:27 -0600
+Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630]
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Comparison symbol is misused. It may lead to memory corruption.
+Introduced in commit 7d3123e.
+
+Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
+Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
+[eblake: add CVE details, update conditional]
+Signed-off-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20170307151627.27212-1-eblake@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ nbd/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nbd/client.c b/nbd/client.c
+index 5c9dee37fa..3dc2564cd0 100644
+--- a/nbd/client.c
++++ b/nbd/client.c
+@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
+     char small[1024];
+     char *buffer;
+ 
+-    buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
++    buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size));
+     while (size > 0) {
+         ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
+ 
+-- 
+2.12.0
+
diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
new file mode 100644
index 0000000000..bd3bf106bf
--- /dev/null
+++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
@@ -0,0 +1,54 @@
+Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920
+
+From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 28 Feb 2017 14:52:09 +1000
+Subject: renderer: fix memory leak in vertex elements state create
+
+Reported-by: Li Qiang
+Free the vertex array in error path.
+This was introduced by this commit:
+renderer: fix heap overflow in vertex elements state create.
+
+I rewrote the code to not require the allocation in the first
+place if we have an error, seems nicer.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 1bca7ad..e5d9f5c 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
+                                        unsigned num_elements,
+                                        const struct pipe_vertex_element *elements)
+ {
+-   struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);
++   struct vrend_vertex_element_array *v;
+    const struct util_format_description *desc;
+    GLenum type;
+    int i;
+    uint32_t ret_handle;
+ 
+-   if (!v)
+-      return ENOMEM;
+-
+    if (num_elements > PIPE_MAX_ATTRIBS)
+       return EINVAL;
+ 
++   v = CALLOC_STRUCT(vrend_vertex_element_array);
++   if (!v)
++      return ENOMEM;
++
+    v->count = num_elements;
+    for (i = 0; i < num_elements; i++) {
+       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
+-- 
+cgit v0.10.2
+
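Review bot: The preamble's only CVE link points at CVE-2017-5994, the earlier heap-overflow fix, while the bug this patch closes is CVE-2017-6386 as named on its first line, so a reader checking the advisory lands on the wrong entry. Add the matching link directly under the existing one, `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6386`, and keep the 5994 link since the first line explains the leak was introduced by that fix. The reordered allocation in the hunk itself matches the description (CALLOC_STRUCT now runs only after the PIPE_MAX_ATTRIBS check), so no code point is raised; vrend_create_vertex_elements_state continues past the hunk.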