summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk5
-rw-r--r--gnu/packages/patches/qemu-CVE-2020-1711.patch69
-rw-r--r--gnu/packages/patches/qemu-CVE-2020-7039.patch173
-rw-r--r--gnu/packages/patches/qemu-CVE-2020-7211.patch49
-rw-r--r--gnu/packages/patches/qemu-CVE-2020-8608.patch269
-rw-r--r--gnu/packages/patches/qemu-fix-documentation-build-failure.patch43
-rw-r--r--gnu/packages/virtualization.scm38
7 files changed, 22 insertions, 624 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 722ccba746..a7ccec5e0b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1434,11 +1434,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
-  %D%/packages/patches/qemu-CVE-2020-1711.patch			\
-  %D%/packages/patches/qemu-CVE-2020-7039.patch			\
-  %D%/packages/patches/qemu-CVE-2020-7211.patch			\
-  %D%/packages/patches/qemu-CVE-2020-8608.patch			\
-  %D%/packages/patches/qemu-fix-documentation-build-failure.patch	\
   %D%/packages/patches/qrcodegen-cpp-make-install.patch		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtbase-moc-ignore-gcc-macro.patch	\
diff --git a/gnu/packages/patches/qemu-CVE-2020-1711.patch b/gnu/packages/patches/qemu-CVE-2020-1711.patch
deleted file mode 100644
index 32d04f61dd..0000000000
--- a/gnu/packages/patches/qemu-CVE-2020-1711.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Fix CVE-2020-1711:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc
-
-From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
-From: Felipe Franciosi <felipe@nutanix.com>
-Date: Thu, 23 Jan 2020 12:44:59 +0000
-Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
-
-When querying an iSCSI server for the provisioning status of blocks (via
-GET LBA STATUS), Qemu only validates that the response descriptor zero's
-LBA matches the one requested. Given the SCSI spec allows servers to
-respond with the status of blocks beyond the end of the LUN, Qemu may
-have its heap corrupted by clearing/setting too many bits at the end of
-its allocmap for the LUN.
-
-A malicious guest in control of the iSCSI server could carefully program
-Qemu's heap (by selectively setting the bitmap) and then smash it.
-
-This limits the number of bits that iscsi_co_block_status() will try to
-update in the allocmap so it can't overflow the bitmap.
-
-Fixes: CVE-2020-1711
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
-Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
-Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- block/iscsi.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 2aea7e3f13..cbd57294ab 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
-     struct scsi_get_lba_status *lbas = NULL;
-     struct scsi_lba_status_descriptor *lbasd = NULL;
-     struct IscsiTask iTask;
--    uint64_t lba;
-+    uint64_t lba, max_bytes;
-     int ret;
- 
-     iscsi_co_init_iscsitask(iscsilun, &iTask);
-@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
-     }
- 
-     lba = offset / iscsilun->block_size;
-+    max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
- 
-     qemu_mutex_lock(&iscsilun->mutex);
- retry:
-@@ -764,7 +765,7 @@ retry:
-         goto out_unlock;
-     }
- 
--    *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
-+    *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
- 
-     if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
-         lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
--- 
-2.25.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2020-7039.patch b/gnu/packages/patches/qemu-CVE-2020-7039.patch
deleted file mode 100644
index ffebda68ab..0000000000
--- a/gnu/packages/patches/qemu-CVE-2020-7039.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-Fix CVE-2020-7039:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039
-
-Patches copied from upstream dependency repository:
-
-https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
-https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
-https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
-
-From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
-From: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Date: Wed, 8 Jan 2020 00:58:48 +0100
-Subject: [PATCH] tcp_emu: Fix oob access
-
-The main loop only checks for one available byte, while we sometimes
-need two bytes.
----
- CHANGELOG.md   | 1 +
- src/tcp_subr.c | 7 +++++++
- 2 files changed, 8 insertions(+)
-
-#diff --git a/CHANGELOG.md b/CHANGELOG.md
-#index 00d0ce2..5cf94a8 100644
-#--- a/CHANGELOG.md
-#+++ b/CHANGELOG.md
-#@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
-# ### Fixed
-# 
-#  - ncsi: fix checksum OOB memory access
-#+ - `tcp_emu()`: fix OOB accesses
-# 
-# ## [4.1.0] - 2019-12-02
-# 
-diff --git a/src/tcp_subr.c b/src/tcp_subr.c
-index 382aa38..9c1bdec 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 break;
- 
-             case 5:
-+                if (bptr == m->m_data + m->m_len - 1)
-+                        return 1; /* We need two bytes */
-+
-                 /*
-                  * The difference between versions 1.0 and
-                  * 2.0 is here. For future versions of
-@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 /* This is the field containing the port
-                  * number that RA-player is listening to.
-                  */
-+
-+                if (bptr == m->m_data + m->m_len - 1)
-+                        return 1; /* We need two bytes */
-+
-                 lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
-                 if (lport < 6970)
-                     lport += 256; /* don't know why */
--- 
-2.24.1
-
-From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 9 Jan 2020 15:12:27 +0530
-Subject: [PATCH] slirp: use correct size while emulating IRC commands
-
-While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
-'m->m_size' to write DCC commands via snprintf(3). This may
-lead to OOB write access, because 'bptr' points somewhere in
-the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
-size to avoid OOB access.
-
-Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
----
- src/tcp_subr.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/src/tcp_subr.c b/src/tcp_subr.c
-index 9c1bdec..ee7a938 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
-+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-+                                 "DCC CHAT chat %lu %u%c\n",
-                                  (unsigned long)ntohl(so->so_faddr.s_addr),
-                                  ntohs(so->so_fport), 1);
-         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
-@@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len +=
--                snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
-+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-+                         "DCC SEND %s %lu %u %u%c\n", buff,
-                          (unsigned long)ntohl(so->so_faddr.s_addr),
-                          ntohs(so->so_fport), n1, 1);
-         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
-@@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len +=
--                snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
-+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-+                         "DCC MOVE %s %lu %u %u%c\n", buff,
-                          (unsigned long)ntohl(so->so_faddr.s_addr),
-                          ntohs(so->so_fport), n1, 1);
-         }
--- 
-2.24.1
-
-From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 9 Jan 2020 15:12:28 +0530
-Subject: [PATCH] slirp: use correct size while emulating commands
-
-While emulating services in tcp_emu(), it uses 'mbuf' size
-'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
-size to avoid possible OOB access.
-
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
----
- src/tcp_subr.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/src/tcp_subr.c b/src/tcp_subr.c
-index ee7a938..177dfd2 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-             n4 = (laddr & 0xff);
- 
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, m->m_size - m->m_len,
-+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
-                                  n5, n6, x == 7 ? buff : "");
-             return 1;
-@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-             n4 = (laddr & 0xff);
- 
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len +=
--                snprintf(bptr, m->m_size - m->m_len,
-+            m->m_len += snprintf(bptr, M_FREEROOM(m),
-                          "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
-                          n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
- 
-@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
-             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
-                              htons(lport), SS_FACCEPTONCE)) != NULL)
--            m->m_len =
--                snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
-+            m->m_len = snprintf(m->m_data, M_ROOM(m),
-+                                "%d", ntohs(so->so_fport)) + 1;
-         return 1;
- 
-     case EMU_IRC:
--- 
-2.24.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2020-7211.patch b/gnu/packages/patches/qemu-CVE-2020-7211.patch
deleted file mode 100644
index 2885dda411..0000000000
--- a/gnu/packages/patches/qemu-CVE-2020-7211.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Fix CVE-2020-7211:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211
-
-Patch copied from upstream dependency repository:
-
-https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
-
-From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 13 Jan 2020 17:44:31 +0530
-Subject: [PATCH] slirp: tftp: restrict relative path access
-
-tftp restricts relative or directory path access on Linux systems.
-Apply same restrictions on Windows systems too. It helps to avoid
-directory traversal issue.
-
-Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
----
- src/tftp.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/tftp.c b/src/tftp.c
-index 093c2e0..e52e71b 100644
---- a/slirp/src/tftp.c
-+++ b/slirp/src/tftp.c
-@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
-     k += 6; /* skipping octet */
- 
-     /* do sanity checks on the filename */
--    if (!strncmp(req_fname, "../", 3) ||
--        req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
-+    if (
-+#ifdef G_OS_WIN32
-+        strstr(req_fname, "..\\") ||
-+        req_fname[strlen(req_fname) - 1] == '\\' ||
-+#endif
-+        strstr(req_fname, "../") ||
-+        req_fname[strlen(req_fname) - 1] == '/') {
-         tftp_send_error(spt, 2, "Access violation", tp);
-         return;
-     }
--- 
-2.24.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2020-8608.patch b/gnu/packages/patches/qemu-CVE-2020-8608.patch
deleted file mode 100644
index 4cb017c795..0000000000
--- a/gnu/packages/patches/qemu-CVE-2020-8608.patch
+++ /dev/null
@@ -1,269 +0,0 @@
-Fix CVE-2020-8608:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608
-https://www.openwall.com/lists/oss-security/2020/02/06/2
-
-Patches copied from upstream dependency repository:
-
-https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
-https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775
-
-From 68ccb8021a838066f0951d4b2817eb6b6f10a843 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 27 Jan 2020 10:24:14 +0100
-Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Various calls to snprintf() assume that snprintf() returns "only" the
-number of bytes written (excluding terminating NUL).
-
-https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
-
-"Upon successful completion, the snprintf() function shall return the
-number of bytes that would be written to s had n been sufficiently
-large excluding the terminating null byte."
-
-Before patch ce131029, if there isn't enough room in "m_data" for the
-"DCC ..." message, we overflow "m_data".
-
-After the patch, if there isn't enough room for the same, we don't
-overflow "m_data", but we set "m_len" out-of-bounds. The next time an
-access is bounded by "m_len", we'll have a buffer overflow then.
-
-Use slirp_fmt*() to fix potential OOB memory access.
-
-Reported-by: Laszlo Ersek <lersek@redhat.com>
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
----
- src/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
- 1 file changed, 21 insertions(+), 23 deletions(-)
-
-diff --git a/src/tcp_subr.c b/src/tcp_subr.c
-index a699117..a72c86b 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -643,8 +643,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 NTOHS(n1);
-                 NTOHS(n2);
-                 m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
--                m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
--                assert(m->m_len < M_ROOM(m));
-+                m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
-             } else {
-                 *eol = '\r';
-             }
-@@ -684,9 +683,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-             n4 = (laddr & 0xff);
- 
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, M_FREEROOM(m),
--                                 "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
--                                 n5, n6, x == 7 ? buff : "");
-+            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
-+                                  "ORT %d,%d,%d,%d,%d,%d\r\n%s",
-+                                  n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-             return 1;
-         } else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
-             /*
-@@ -719,10 +718,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-             n4 = (laddr & 0xff);
- 
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, M_FREEROOM(m),
--                         "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
--                         n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
--
-+            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
-+                                  "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
-+                                  n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-             return 1;
-         }
- 
-@@ -745,8 +743,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-         if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
-             (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
-                              htons(lport), SS_FACCEPTONCE)) != NULL)
--            m->m_len = snprintf(m->m_data, M_ROOM(m),
--                                "%d", ntohs(so->so_fport)) + 1;
-+            m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
-+                                  "%d", ntohs(so->so_fport));
-         return 1;
- 
-     case EMU_IRC:
-@@ -765,10 +763,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, M_FREEROOM(m),
--                                 "DCC CHAT chat %lu %u%c\n",
--                                 (unsigned long)ntohl(so->so_faddr.s_addr),
--                                 ntohs(so->so_fport), 1);
-+            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
-+                                  "DCC CHAT chat %lu %u%c\n",
-+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
-+                                  ntohs(so->so_fport), 1);
-         } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
-                           &n1) == 4) {
-             if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
-@@ -776,10 +774,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, M_FREEROOM(m),
--                         "DCC SEND %s %lu %u %u%c\n", buff,
--                         (unsigned long)ntohl(so->so_faddr.s_addr),
--                         ntohs(so->so_fport), n1, 1);
-+            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
-+                                  "DCC SEND %s %lu %u %u%c\n", buff,
-+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
-+                                  ntohs(so->so_fport), n1, 1);
-         } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
-                           &n1) == 4) {
-             if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
-@@ -787,10 +785,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
-                 return 1;
-             }
-             m->m_len = bptr - m->m_data; /* Adjust length */
--            m->m_len += snprintf(bptr, M_FREEROOM(m),
--                         "DCC MOVE %s %lu %u %u%c\n", buff,
--                         (unsigned long)ntohl(so->so_faddr.s_addr),
--                         ntohs(so->so_fport), n1, 1);
-+            m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
-+                                  "DCC MOVE %s %lu %u %u%c\n", buff,
-+                                  (unsigned long)ntohl(so->so_faddr.s_addr),
-+                                  ntohs(so->so_fport), n1, 1);
-         }
-         return 1;
- 
--- 
-2.25.1
-
-From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
-Date: Mon, 27 Jan 2020 10:24:09 +0100
-Subject: [PATCH] util: add slirp_fmt() helpers
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Various calls to snprintf() in libslirp assume that snprintf() returns
-"only" the number of bytes written (excluding terminating NUL).
-
-https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
-
-"Upon successful completion, the snprintf() function shall return the
-number of bytes that would be written to s had n been sufficiently
-large excluding the terminating null byte."
-
-Introduce slirp_fmt() that handles several pathological cases the
-way libslirp usually expect:
-
-- treat error as fatal (instead of silently returning -1)
-
-- fmt0() will always \0 end
-
-- return the number of bytes actually written (instead of what would
-have been written, which would usually result in OOB later), including
-the ending \0 for fmt0()
-
-- warn if truncation happened (instead of ignoring)
-
-Other less common cases can still be handled with strcpy/snprintf() etc.
-
-Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
----
- src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- src/util.h |  3 +++
- 2 files changed, 65 insertions(+)
-
-diff --git a/src/util.c b/src/util.c
-index e596087..e3b6257 100644
---- a/slirp/src/util.c
-+++ b/slirp/src/util.c
-@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
-     }
-     *q = '\0';
- }
-+
-+static int slirp_vsnprintf(char *str, size_t size,
-+                           const char *format, va_list args)
-+{
-+    int rv = vsnprintf(str, size, format, args);
-+
-+    if (rv < 0) {
-+        g_error("vsnprintf() failed: %s", g_strerror(errno));
-+    }
-+
-+    return rv;
-+}
-+
-+/*
-+ * A snprintf()-like function that:
-+ * - returns the number of bytes written (excluding optional \0-ending)
-+ * - dies on error
-+ * - warn on truncation
-+ */
-+int slirp_fmt(char *str, size_t size, const char *format, ...)
-+{
-+    va_list args;
-+    int rv;
-+
-+    va_start(args, format);
-+    rv = slirp_vsnprintf(str, size, format, args);
-+    va_end(args);
-+
-+    if (rv > size) {
-+        g_critical("vsnprintf() truncation");
-+    }
-+
-+    return MIN(rv, size);
-+}
-+
-+/*
-+ * A snprintf()-like function that:
-+ * - always \0-end (unless size == 0)
-+ * - returns the number of bytes actually written, including \0 ending
-+ * - dies on error
-+ * - warn on truncation
-+ */
-+int slirp_fmt0(char *str, size_t size, const char *format, ...)
-+{
-+    va_list args;
-+    int rv;
-+
-+    va_start(args, format);
-+    rv = slirp_vsnprintf(str, size, format, args);
-+    va_end(args);
-+
-+    if (rv >= size) {
-+        g_critical("vsnprintf() truncation");
-+        if (size > 0)
-+            str[size - 1] = '\0';
-+        rv = size;
-+    } else {
-+        rv += 1; /* include \0 */
-+    }
-+
-+    return rv;
-+}
-diff --git a/src/util.h b/src/util.h
-index e9c3073..5530c46 100644
---- a/slirp/src/util.h
-+++ b/slirp/src/util.h
-@@ -181,4 +181,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
- 
- void slirp_pstrcpy(char *buf, int buf_size, const char *str);
- 
-+int slirp_fmt(char *str, size_t size, const char *format, ...);
-+int slirp_fmt0(char *str, size_t size, const char *format, ...);
-+
- #endif
--- 
-2.25.1
-
diff --git a/gnu/packages/patches/qemu-fix-documentation-build-failure.patch b/gnu/packages/patches/qemu-fix-documentation-build-failure.patch
deleted file mode 100644
index c913c553b2..0000000000
--- a/gnu/packages/patches/qemu-fix-documentation-build-failure.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Fix a build failure caused by a texinfo bug:
-
-qemu-doc.texi:41: @menu reference to nonexistent node `QEMU Guest Agent'
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=80bc935eaaf93e5b9a4efe97abd7c51d645f2612
-
-From 80bc935eaaf93e5b9a4efe97abd7c51d645f2612 Mon Sep 17 00:00:00 2001
-From: Thomas Huth <thuth@redhat.com>
-Date: Mon, 16 Dec 2019 14:29:41 +0100
-Subject: [PATCH] qemu-doc: Remove the unused "Guest Agent" node
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The node has been removed from the texi file some months ago, so we
-should remove it from the menu section, too.
-
-Fixes: 27a296fce982 ("qemu-ga: Convert invocation documentation to rST")
-Signed-off-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20191216132941.25729-1-thuth@redhat.com>
-Signed-off-by: Laurent Vivier <laurent@vivier.eu>
----
- qemu-doc.texi | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/qemu-doc.texi b/qemu-doc.texi
-index eea91a2d1e..39f950471f 100644
---- a/qemu-doc.texi
-+++ b/qemu-doc.texi
-@@ -38,7 +38,6 @@
- * Introduction::
- * QEMU PC System emulator::
- * QEMU System emulator for non PC targets::
--* QEMU Guest Agent::
- * QEMU User space emulator::
- * System requirements::
- * Security::
--- 
-2.24.1
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index b098ef36e0..18b0992dec 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -14,6 +14,7 @@
 ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
 ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2020 Mathieu Othacehe <m.othacehe@gmail.com>
+;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -115,19 +116,14 @@
 (define-public qemu
   (package
     (name "qemu")
-    (version "4.2.0")
+    (version "5.0.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2020-1711.patch"
-                                      "qemu-CVE-2020-7039.patch"
-                                      "qemu-CVE-2020-7211.patch"
-                                      "qemu-CVE-2020-8608.patch"
-                                      "qemu-fix-documentation-build-failure.patch"))
              (sha256
               (base32
-               "1w38hzlw7xp05gcq1nhga7hxvndxy6dfcnzi7q2il8ff110isj6k"))))
+               "1dlcwyshdp94fwd30pddxf9bn2q8dfw5jsvry2gvdj551wmaj4rg"))))
     (build-system gnu-build-system)
     (arguments
      `(;; Running tests in parallel can occasionally lead to failures, like:
@@ -169,6 +165,14 @@
                                               '("include")
                                               input-directories)
                #t)))
+         (add-after 'patch-source-shebangs 'patch-/bin/sh-references
+           (lambda _
+             ;; Ensure the executables created by these source files reference
+             ;; /bin/sh from the store so they work inside the build container.
+             (substitute* '("block/cloop.c" "migration/exec.c"
+                            "net/tap.c" "tests/qtest/libqtest.c")
+               (("/bin/sh") (which "sh")))
+             #t))
          (replace 'configure
            (lambda* (#:key inputs outputs (configure-flags '())
                            #:allow-other-keys)
@@ -178,8 +182,16 @@
                (setenv "SHELL" (which "bash"))
 
                ;; While we're at it, patch for tests.
-               (substitute* "tests/libqtest.c"
-                 (("/bin/sh") (which "sh")))
+               (substitute* "tests/qemu-iotests/check"
+                 (("#!/usr/bin/env python3")
+                  (string-append "#!" (which "python3"))))
+
+               ;; Ensure config.status gets the correct shebang off the bat.
+               ;; The build system gets confused if we change it later and
+               ;; attempts to re-run the whole configury, and fails.
+               (substitute* "configure"
+                 (("#!/bin/sh")
+                  (string-append "#!" (which "sh"))))
 
                ;; The binaries need to be linked against -lrt.
                (setenv "LDFLAGS" "-lrt")
@@ -218,12 +230,6 @@ exec smbd $@")))
                (chmod "samba-wrapper" #o755)
                (install-file "samba-wrapper" libexec))
              #t))
-         (add-before 'configure 'prevent-network-configuration
-           (lambda _
-             ;; Prevent the build from trying to use git to fetch from the net.
-             (substitute* "Makefile"
-               (("@./config.status")
-                "")) #t))
          (add-before 'check 'disable-unusable-tests
            (lambda* (#:key inputs outputs #:allow-other-keys)
              (substitute* "tests/Makefile.include"
@@ -245,7 +251,7 @@ exec smbd $@")))
        ("libaio" ,libaio)
        ("libattr" ,attr)
        ("libcacard" ,libcacard)     ; smartcard support
-       ("libcap" ,libcap)           ; virtfs support requires libcap & libattr
+       ("libcap-ng" ,libcap-ng)     ; virtfs support requires libcap-ng & libattr
        ("libdrm" ,libdrm)
        ("libepoxy" ,libepoxy)
        ("libjpeg" ,libjpeg-turbo)