[PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

Done. Submitted by Alex Vong.
Details
2 participants
  • Alex Vong
  • Marius Bakke
Owner
unassigned
Severity
important
Alex Vong wrote on 13 Aug 2017 15:38
(address . guix-patches@gnu.org)
87pobz1tbp.fsf@gmail.com
Severity: important
Tags: security
Hello,
This fixes a bunch of CVEs which were left unfixed. Most of the patches are copied from the upstream git repo. Except one is copied from Xen Security Advisory.
From f513dd18602c0321bedce3f4ebf4b0b6a77288ac Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Sun, 13 Aug 2017 19:42:59 +0800
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

* gnu/packages/patches/qemu-CVE-2017-10664.patch,
gnu/packages/patches/qemu-CVE-2017-10806.patch,
gnu/packages/patches/qemu-CVE-2017-10911.patch,
gnu/packages/patches/qemu-CVE-2017-11434.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                   |   4 +
 gnu/packages/patches/qemu-CVE-2017-10664.patch |  58 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10806.patch |  61 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10911.patch | 123 +++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-11434.patch |  46 +++++++++
 gnu/packages/virtualization.scm                |   7 +-
 6 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10664.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10806.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10911.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-11434.patch
Toggle diff (355 lines)diff --git a/gnu/local.mk b/gnu/local.mkindex c12fd8559..f513a7490 100644--- a/gnu/local.mk+++ b/gnu/local.mk@@ -988,7 +988,11 @@ dist_patch_DATA = \ %D%/packages/patches/qemu-CVE-2017-8379.patch \ %D%/packages/patches/qemu-CVE-2017-8380.patch \ %D%/packages/patches/qemu-CVE-2017-9524.patch \+ %D%/packages/patches/qemu-CVE-2017-10664.patch \+ %D%/packages/patches/qemu-CVE-2017-10806.patch \+ %D%/packages/patches/qemu-CVE-2017-10911.patch \ %D%/packages/patches/qemu-CVE-2017-11334.patch \+ %D%/packages/patches/qemu-CVE-2017-11434.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quagga-reproducible-build.patch \diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patchnew file mode 100644index 000000000..5a7406eaf--- /dev/null+++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch@@ -0,0 +1,58 @@+Fix CVE-2017-10664:++https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html+https://bugzilla.redhat.com/show_bug.cgi?id=1466190+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664+https://security-tracker.debian.org/tracker/CVE-2017-10664++Patch copied from upstream source repository:++https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1++From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001+From: Max Reitz <mreitz@redhat.com>+Date: Sun, 11 Jun 2017 14:37:14 +0200+Subject: [PATCH] qemu-nbd: Ignore SIGPIPE++qemu proper has done so for 13 years+(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have+done so for four years (526eda14a68d5b3596be715505289b541288ef2a).+Ignoring this signal is especially important in qemu-nbd because+otherwise a client can easily take down the qemu-nbd server by dropping+the connection when the server wants to send something, for example:++$ qemu-nbd -x foo -f raw -t null-co:// &+[1] 12726+$ qemu-io -c quit 
nbd://localhost/bar+can't open device nbd://localhost/bar: No export with name 'bar' available+[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co://++In this case, the client sends an NBD_OPT_ABORT and closes the+connection (because it is not required to wait for a reply), but the+server replies with an NBD_REP_ACK (because it is required to reply).++Signed-off-by: Max Reitz <mreitz@redhat.com>+Message-Id: <20170611123714.31292-1-mreitz@redhat.com>+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>+---+ qemu-nbd.c | 4 +++++ 1 file changed, 4 insertions(+)++diff --git a/qemu-nbd.c b/qemu-nbd.c+index 9464a0461c..4dd3fd4732 100644+--- a/qemu-nbd.c++++ b/qemu-nbd.c+@@ -581,6 +581,10 @@ int main(int argc, char **argv)+ sa_sigterm.sa_handler = termsig_handler;+ sigaction(SIGTERM, &sa_sigterm, NULL);+ ++#ifdef CONFIG_POSIX++ signal(SIGPIPE, SIG_IGN);++#endif+++ module_call_init(MODULE_INIT_TRACE);+ qcrypto_init(&error_fatal);+ +-- +2.14.0+diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patchnew file mode 100644index 000000000..202ced8cf--- /dev/null+++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch@@ -0,0 +1,61 @@+Fix CVE-2017-10806:++https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html+https://bugzilla.redhat.com/show_bug.cgi?id=1468496+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806+https://security-tracker.debian.org/tracker/CVE-2017-10806++Patch copied from upstream source repository:++https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d++From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001+From: Gerd Hoffmann <kraxel@redhat.com>+Date: Tue, 9 May 2017 13:01:28 +0200+Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data+MIME-Version: 1.0+Content-Type: text/plain; charset=UTF-8+Content-Transfer-Encoding: 8bit++Don't reinvent a broken wheel, just use the hexdump function we have.++Impact: low, broken 
code doesn't run unless you have debug logging+enabled.++Reported-by: 李强 <liqiang6-s@360.cn>+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>+Message-id: 20170509110128.27261-1-kraxel@redhat.com+---+ hw/usb/redirect.c | 13 +------------+ 1 file changed, 1 insertion(+), 12 deletions(-)++diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c+index b001a27f05..ad5ef783a6 100644+--- a/hw/usb/redirect.c++++ b/hw/usb/redirect.c+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,+ const uint8_t *data, int len)+ {+- int i, j, n;+-+ if (dev->debug < usbredirparser_debug_data) {+ return;+ }+-+- for (i = 0; i < len; i += j) {+- char buf[128];+-+- n = sprintf(buf, "%s", desc);+- for (j = 0; j < 8 && i + j < len; j++) {+- n += sprintf(buf + n, " %02X", data[i + j]);+- }+- error_report("%s", buf);+- }++ qemu_hexdump((char *)data, stderr, desc, len);+ }+ + /*+-- +2.14.1+diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patchnew file mode 100644index 000000000..fed3fb8ff--- /dev/null+++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch@@ -0,0 +1,123 @@+Fix CVE-2017-10911:++https://xenbits.xen.org/xsa/advisory-216.html+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911+https://security-tracker.debian.org/tracker/CVE-2017-10911++Patch copied from Xen Security Advisory:++https://xenbits.xen.org/xsa/xsa216-qemuu.patch++From: Jan Beulich <jbeulich@suse.com>+Subject: xen/disk: don't leak stack data via response ring++Rather than constructing a local structure instance on the stack, fill+the fields directly on the shared ring, just like other (Linux)+backends do. 
Build on the fact that all response structure flavors are+actually identical (the old code did make this assumption too).++This is XSA-216.++Reported-by: Anthony Perard <anthony.perard@citrix.com>+Signed-off-by: Jan Beulich <jbeulich@suse.com>+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>+Acked-by: Anthony PERARD <anthony.perard@citrix.com>+---+v2: Add QEMU_PACKED to fix handling 32-bit guests by 64-bit qemu.++--- a/hw/block/xen_blkif.h++++ b/hw/block/xen_blkif.h+@@ -14,9 +14,6 @@+ struct blkif_common_request {+ char dummy;+ };+-struct blkif_common_response {+- char dummy;+-};+ + /* i386 protocol version */+ #pragma pack(push, 4)+@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {+ blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */+ uint64_t nr_sectors; /* # of contiguous sectors to discard */+ };+-struct blkif_x86_32_response {+- uint64_t id; /* copied from request */+- uint8_t operation; /* copied from request */+- int16_t status; /* BLKIF_RSP_??? */+-};+ typedef struct blkif_x86_32_request blkif_x86_32_request_t;+-typedef struct blkif_x86_32_response blkif_x86_32_response_t;+ #pragma pack(pop)+ + /* x86_64 protocol version */+@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {+ blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */+ uint64_t nr_sectors; /* # of contiguous sectors to discard */+ };+-struct blkif_x86_64_response {+- uint64_t __attribute__((__aligned__(8))) id;+- uint8_t operation; /* copied from request */+- int16_t status; /* BLKIF_RSP_??? 
*/+-};+ typedef struct blkif_x86_64_request blkif_x86_64_request_t;+-typedef struct blkif_x86_64_response blkif_x86_64_response_t;+ + DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,+- struct blkif_common_response);++ struct blkif_response);+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,+- struct blkif_x86_32_response);++ struct blkif_response QEMU_PACKED);+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,+- struct blkif_x86_64_response);++ struct blkif_response);+ + union blkif_back_rings {+ blkif_back_ring_t native;+--- a/hw/block/xen_disk.c++++ b/hw/block/xen_disk.c+@@ -769,31 +769,30 @@ static int blk_send_response_one(struct+ struct XenBlkDev *blkdev = ioreq->blkdev;+ int send_notify = 0;+ int have_requests = 0;+- blkif_response_t resp;+- void *dst;+-+- resp.id = ioreq->req.id;+- resp.operation = ioreq->req.operation;+- resp.status = ioreq->status;++ blkif_response_t *resp;+ + /* Place on the response ring for the relevant domain. */+ switch (blkdev->protocol) {+ case BLKIF_PROTOCOL_NATIVE:+- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);++ resp = RING_GET_RESPONSE(&blkdev->rings.native,++ blkdev->rings.native.rsp_prod_pvt);+ break;+ case BLKIF_PROTOCOL_X86_32:+- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,+- blkdev->rings.x86_32_part.rsp_prod_pvt);++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,++ blkdev->rings.x86_32_part.rsp_prod_pvt);+ break;+ case BLKIF_PROTOCOL_X86_64:+- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,+- blkdev->rings.x86_64_part.rsp_prod_pvt);++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,++ blkdev->rings.x86_64_part.rsp_prod_pvt);+ break;+ default:+- dst = NULL;+ return 0;+ }+- memcpy(dst, &resp, sizeof(resp));++++ resp->id = ioreq->req.id;++ resp->operation = ioreq->req.operation;++ resp->status = ioreq->status;+++ blkdev->rings.common.rsp_prod_pvt++;+ + RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);diff --git 
a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patchnew file mode 100644index 000000000..8c384b6c8--- /dev/null+++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch@@ -0,0 +1,46 @@+Fix CVE-2017-11434:++https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html+https://bugzilla.redhat.com/show_bug.cgi?id=1472611+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434+https://security-tracker.debian.org/tracker/CVE-2017-11434++Patch copied from upstream source repository:++https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0++From 413d463f43fbc4dd3a601e80a5724aa384a265a0 Mon Sep 17 00:00:00 2001+From: Prasad J Pandit <pjp@fedoraproject.org>+Date: Mon, 17 Jul 2017 17:33:26 +0530+Subject: [PATCH] slirp: check len against dhcp options array end++While parsing dhcp options string in 'dhcp_decode', if an options'+length 'len' appeared towards the end of 'bp_vend' array, ensuing+read could lead to an OOB memory access issue. 
Add check to avoid it.++This is CVE-2017-11434.++Reported-by: Reno Robert <renorobert@gmail.com>+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>+---+ slirp/bootp.c | 3 ++++ 1 file changed, 3 insertions(+)++diff --git a/slirp/bootp.c b/slirp/bootp.c+index 5a4646c182..5dd1a415b5 100644+--- a/slirp/bootp.c++++ b/slirp/bootp.c+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,+ if (p >= p_end)+ break;+ len = *p++;++ if (p + len > p_end) {++ break;++ }+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);+ + switch(tag) {+-- +2.14.1+diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scmindex 49998120d..ab364cd1f 100644--- a/gnu/packages/virtualization.scm+++ b/gnu/packages/virtualization.scm@@ -3,6 +3,7 @@ ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;;@@ -82,7 +83,11 @@ "qemu-CVE-2017-8379.patch" "qemu-CVE-2017-8380.patch" "qemu-CVE-2017-9524.patch"- "qemu-CVE-2017-11334.patch"))+ "qemu-CVE-2017-10664.patch"+ "qemu-CVE-2017-10806.patch"+ "qemu-CVE-2017-10911.patch"+ "qemu-CVE-2017-11334.patch"+ "qemu-CVE-2017-11434.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))-- 2.14.0
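Review bot: each of the four new files under gnu/packages/patches/ embeds the complete upstream commit message (author, date, sign-offs, Message-Id) after the header block, although that header already records the upstream commit or advisory URL; trimming each body to the header plus the diff would keep the Guix commit small without losing provenance.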
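Review bot: the qemu-nbd.c hunk (`signal(SIGPIPE, SIG_IGN)` under `#ifdef CONFIG_POSIX`) stops a client that drops the connection from killing the server, as the `broken pipe` example in the header shows; with the signal ignored, a write to a closed socket returns an EPIPE error instead, so the NBD reply path has to check its write return values for the fix to be complete, and that path is not part of this hunk.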
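Review bot: in the hw/usb/redirect.c hunk, the removed loop copied `desc` into a fixed `char buf[128]` with an unchecked `sprintf(buf, "%s", desc)`, so replacing the hand-built line with `qemu_hexdump((char *)data, stderr, desc, len)` is the right fix; note that the output channel moves from `error_report` to `stderr`, which is acceptable for data-level logging gated by `dev->debug < usbredirparser_debug_data` but deserves a sentence in the patch header.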
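Review bot: the qemu-CVE-2017-10911.patch header cites only the XSA-216 advisory page and xsa216-qemuu.patch, while the other three headers point at a commit on git.qemu.org; if this change has not landed on an upstream branch, say so in the header so whoever next updates qemu knows to check whether the patch is still needed.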
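Review bot: in the hw/block/xen_disk.c hunk the response fields are now written straight into the shared ring through `resp->id`, `resp->operation` and `resp->status`, so no padded stack copy of `blkif_response_t` is ever `memcpy`'d to the guest, which is the point of the fix; the `QEMU_PACKED` added to the x86_32 `DEFINE_RING_TYPES` in hw/block/xen_blkif.h (the "v2" note) is what keeps the 32-bit layout unchanged for a 64-bit qemu, so the two hunks only work together and should not be split.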
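Review bot: in the slirp/bootp.c hunk the new bound `if (p + len > p_end)` correctly allows an option that ends exactly at `p_end` (the `>` rather than `>=` is intentional, matching the preceding `if (p >= p_end) break;`), but it `break`s silently; a `DPRINTF` before the break, in the style of the existing `DPRINTF("dhcp: tag=%d len=%d\n", tag, len)`, would make a truncated option string visible when debugging.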
Cheers,
Alex
A
A
Alex Vong wrote on 13 Aug 2017 16:57
Add 'patch' tag.
(address . control@debbugs.gnu.org)
87lgmn1pnr.fsf@gmail.com
package guix-patches
tags 27987 patch
tags 28077 patch
thanks
Marius Bakke wrote on 13 Aug 2017 19:10
Re: [bug#28077] [PATCH] gnu: qemu: Fix CVE-2017-{10664, 10806, 10911, 11434}.
87wp671jhb.fsf@fastmail.com
Alex Vong <alexvong1995@gmail.com> writes:
> Severity: important
> Tags: security
>
> Hello,
>
> This fixes a bunch of CVEs which were left unfixed. Most of the patches
> are copied from the upstream git repo. Except one is copied from Xen
> Security Advisory.
Thanks for these, applied!
I took the liberty of removing the commit messages from the patches, since we have the URLs anyway. It reduced the commit length by 31%.
[...]
Toggle quote (16 lines)> diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch> new file mode 100644> index 000000000..fed3fb8ff> --- /dev/null> +++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch> @@ -0,0 +1,123 @@> +Fix CVE-2017-10911:> +> +https://xenbits.xen.org/xsa/advisory-216.html> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911> +https://security-tracker.debian.org/tracker/CVE-2017-10911> +> +Patch copied from Xen Security Advisory:> +> +https://xenbits.xen.org/xsa/xsa216-qemuu.patch
Apparently this patch has been pulled by one of the qemu developers, but is not on any branches on git.qemu.org:
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg06662.html
I wonder what's up with that.
Closed