guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

15/16: gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639].


From: Tobias Geerinckx-Rice
Subject: 15/16: gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639].
Date: Wed, 15 Aug 2018 21:02:59 -0400 (EDT)

nckx pushed a commit to branch master
in repository guix.

commit 5dc8437fc0ff3dedf75de2183e3bf9d493e4aa81
Author: Tobias Geerinckx-Rice <address@hidden>
Date:   Thu Aug 16 02:38:32 2018 +0200

    gnu: qemu: Update to 3.0.0 [mitigate CVE-2018-3639].
    
    * gnu/packages/virtualization.scm (qemu): Update to 3.0.0.
    [source]: Remove patch.
    * gnu/packages/patches/qemu-CVE-2018-11806.patch: Delete file.
    * gnu/local.mk (dist_patch_DATA): Remove it.
---
 gnu/local.mk                                   |   1 -
 gnu/packages/patches/qemu-CVE-2018-11806.patch | 105 -------------------------
 gnu/packages/virtualization.scm                |   5 +-
 3 files changed, 2 insertions(+), 109 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index e3ca237..606b3ac 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1097,7 +1097,6 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/python-unittest2-remove-argparse.patch  \
   %D%/packages/patches/python-waitress-fix-tests.patch         \
   %D%/packages/patches/qemu-glibc-2.27.patch                   \
-  %D%/packages/patches/qemu-CVE-2018-11806.patch               \
   %D%/packages/patches/qt4-ldflags.patch                       \
   %D%/packages/patches/qtbase-use-TZDIR.patch                  \
   %D%/packages/patches/qtoctave-qt-5.11-fix.patch              \
diff --git a/gnu/packages/patches/qemu-CVE-2018-11806.patch 
b/gnu/packages/patches/qemu-CVE-2018-11806.patch
deleted file mode 100644
index f021dfa..0000000
--- a/gnu/packages/patches/qemu-CVE-2018-11806.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-Fix CVE-2018-11806:
-
-https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
-
-From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <address@hidden>
-Date: Tue, 5 Jun 2018 23:38:35 +0530
-Subject: [PATCH] slirp: correct size computation while concatenating mbuf
-
-While reassembling incoming fragmented datagrams, 'm_cat' routine
-extends the 'mbuf' buffer, if it has insufficient room. It computes
-a wrong buffer size, which leads to overwriting adjacent heap buffer
-area. Correct this size computation in m_cat.
-
-Reported-by: ZDI Disclosures <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
-Signed-off-by: Samuel Thibault <address@hidden>
----
- slirp/mbuf.c | 11 +++++------
- slirp/mbuf.h |  8 +++-----
- 2 files changed, 8 insertions(+), 11 deletions(-)
-
-diff --git a/slirp/mbuf.c b/slirp/mbuf.c
-index 5ff24559fd..18cbf759a7 100644
---- a/slirp/mbuf.c
-+++ b/slirp/mbuf.c
-@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
-        * If there's no room, realloc
-        */
-       if (M_FREEROOM(m) < n->m_len)
--              m_inc(m,m->m_size+MINCSIZE);
-+              m_inc(m, m->m_len + n->m_len);
- 
-       memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
-       m->m_len += n->m_len;
-@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
- }
- 
- 
--/* make m size bytes large */
-+/* make m 'size' bytes large from m_data */
- void
- m_inc(struct mbuf *m, int size)
- {
-@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
- 
-         if (m->m_flags & M_EXT) {
-         datasize = m->m_data - m->m_ext;
--          m->m_ext = g_realloc(m->m_ext, size);
-+        m->m_ext = g_realloc(m->m_ext, size + datasize);
-         m->m_data = m->m_ext + datasize;
-         } else {
-         char *dat;
-         datasize = m->m_data - m->m_dat;
--          dat = g_malloc(size);
-+        dat = g_malloc(size + datasize);
-         memcpy(dat, m->m_dat, m->m_size);
- 
-         m->m_ext = dat;
-@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
-         m->m_flags |= M_EXT;
-         }
- 
--        m->m_size = size;
--
-+        m->m_size = size + datasize;
- }
- 
- 
-diff --git a/slirp/mbuf.h b/slirp/mbuf.h
-index 893601ff9d..33b84485d6 100644
---- a/slirp/mbuf.h
-+++ b/slirp/mbuf.h
-@@ -33,8 +33,6 @@
- #ifndef MBUF_H
- #define MBUF_H
- 
--#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
--
- /*
-  * Macros for type conversion
-  * mtod(m,t) -        convert mbuf pointer to data pointer of correct type
-@@ -72,11 +70,11 @@ struct mbuf {
-       struct  mbuf *m_prevpkt;        /* Flags aren't used in the output 
queue */
-       int     m_flags;                /* Misc flags */
- 
--      int     m_size;                 /* Size of data */
-+      int     m_size;                 /* Size of mbuf, from m_dat or m_ext */
-       struct  socket *m_so;
- 
--      caddr_t m_data;                 /* Location of data */
--      int     m_len;                  /* Amount of data in this mbuf */
-+      caddr_t m_data;                 /* Current location of data */
-+      int     m_len;                  /* Amount of data in this mbuf, from 
m_data */
- 
-       Slirp *slirp;
-       bool    resolution_requested;
--- 
-2.17.1
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 8e7eded5..a39f2fa 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -94,15 +94,14 @@
 (define-public qemu
   (package
     (name "qemu")
-    (version "2.12.1")
+    (version "3.0.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-";
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2018-11806.patch"))
              (sha256
               (base32
-               "0krnp2wvggpchc7fdlmyasqy7j17baz8asr2g05x0v00w003hn1k"))))
+               "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:



reply via email to

[Prev in Thread] Current Thread [Next in Thread]