summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-11806.patch105
-rw-r--r--gnu/packages/virtualization.scm5
3 files changed, 2 insertions, 109 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index e3ca237d87..606b3ace3c 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1097,7 +1097,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
-  %D%/packages/patches/qemu-CVE-2018-11806.patch 		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtoctave-qt-5.11-fix.patch		\
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch b/gnu/packages/patches/qemu-CVE-2018-11806.patch
deleted file mode 100644
index f021dfa747..0000000000
--- a/gnu/packages/patches/qemu-CVE-2018-11806.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Fix CVE-2018-11806:
-
-https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
-
-From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 5 Jun 2018 23:38:35 +0530
-Subject: [PATCH] slirp: correct size computation while concatenating mbuf
-
-While reassembling incoming fragmented datagrams, 'm_cat' routine
-extends the 'mbuf' buffer, if it has insufficient room. It computes
-a wrong buffer size, which leads to overwriting adjacent heap buffer
-area. Correct this size computation in m_cat.
-
-Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
----
- slirp/mbuf.c | 11 +++++------
- slirp/mbuf.h |  8 +++-----
- 2 files changed, 8 insertions(+), 11 deletions(-)
-
-diff --git a/slirp/mbuf.c b/slirp/mbuf.c
-index 5ff24559fd..18cbf759a7 100644
---- a/slirp/mbuf.c
-+++ b/slirp/mbuf.c
-@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- 	 * If there's no room, realloc
- 	 */
- 	if (M_FREEROOM(m) < n->m_len)
--		m_inc(m,m->m_size+MINCSIZE);
-+		m_inc(m, m->m_len + n->m_len);
- 
- 	memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
- 	m->m_len += n->m_len;
-@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- }
- 
- 
--/* make m size bytes large */
-+/* make m 'size' bytes large from m_data */
- void
- m_inc(struct mbuf *m, int size)
- {
-@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
- 
-         if (m->m_flags & M_EXT) {
- 	  datasize = m->m_data - m->m_ext;
--          m->m_ext = g_realloc(m->m_ext, size);
-+	  m->m_ext = g_realloc(m->m_ext, size + datasize);
- 	  m->m_data = m->m_ext + datasize;
-         } else {
- 	  char *dat;
- 	  datasize = m->m_data - m->m_dat;
--          dat = g_malloc(size);
-+	  dat = g_malloc(size + datasize);
- 	  memcpy(dat, m->m_dat, m->m_size);
- 
- 	  m->m_ext = dat;
-@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
- 	  m->m_flags |= M_EXT;
-         }
- 
--        m->m_size = size;
--
-+        m->m_size = size + datasize;
- }
- 
- 
-diff --git a/slirp/mbuf.h b/slirp/mbuf.h
-index 893601ff9d..33b84485d6 100644
---- a/slirp/mbuf.h
-+++ b/slirp/mbuf.h
-@@ -33,8 +33,6 @@
- #ifndef MBUF_H
- #define MBUF_H
- 
--#define MINCSIZE 4096	/* Amount to increase mbuf if too small */
--
- /*
-  * Macros for type conversion
-  * mtod(m,t) -	convert mbuf pointer to data pointer of correct type
-@@ -72,11 +70,11 @@ struct mbuf {
- 	struct	mbuf *m_prevpkt;	/* Flags aren't used in the output queue */
- 	int	m_flags;		/* Misc flags */
- 
--	int	m_size;			/* Size of data */
-+	int	m_size;			/* Size of mbuf, from m_dat or m_ext */
- 	struct	socket *m_so;
- 
--	caddr_t	m_data;			/* Location of data */
--	int	m_len;			/* Amount of data in this mbuf */
-+	caddr_t	m_data;			/* Current location of data */
-+	int	m_len;			/* Amount of data in this mbuf, from m_data */
- 
- 	Slirp *slirp;
- 	bool	resolution_requested;
--- 
-2.17.1
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 8e7eded5e1..a39f2fa58f 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -94,15 +94,14 @@
 (define-public qemu
   (package
     (name "qemu")
-    (version "2.12.1")
+    (version "3.0.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2018-11806.patch"))
              (sha256
               (base32
-               "0krnp2wvggpchc7fdlmyasqy7j17baz8asr2g05x0v00w003hn1k"))))
+               "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like: