Package: qemu / 1:3.1+dfsg-7

Metadata

Package: qemu
Version: 1:3.1+dfsg-7
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
use fixed data path.patch

 os-posix.c | 2 ++
 vl.c       | 7 +------
 2 files changed, 3 insertions(+), 6 deletions(-)

use fixed data dir instead of determining it at runtime
do not link everything with xen.patch

 configure | 1 -
 1 file changed, 1 deletion(-)
usb mtp use O_NOFOLLOW and O_CLOEXEC CVE 2018 16872.patch

 hw/usb/dev-mtp.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Bug-Debian: https://bugs.debian.org/916397
Closes: #916397

Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
bt use size_t type for length parameters instead of int CVE 2018 19665.patch

 bt-host.c              |  8 ++++----
 bt-vhci.c              |  7 ++++---
 hw/bt/core.c           |  2 +-
 hw/bt/hci-csr.c        | 32 ++++++++++++++++----------------
 hw/bt/hci.c            | 38 +++++++++++++++++++-------------------
 hw/bt/hid.c            | 10 +++++-----
 hw/bt/l2cap.c          | 56 +++++++++++++++++++++++++++++---------------------------
 hw/bt/sdp.c            |  6 +++---
 hw/usb/dev-bluetooth.c | 12 ++++++------
 include/hw/bt.h        |  8 ++++----
 include/sysemu/bt.h    | 10 +++++-----
 11 files changed, 96 insertions(+), 93 deletions(-)

bt: use size_t type for length parameters instead of int
Bug-Debian: https://bugs.debian.org/916278
Closes: #916278, CVE-2018-19665

The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.

Reported-by: Arash TC <tohidi.arash@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
hw_usb fix mistaken de initialization of CCID state.patch

 hw/usb/ccid-card-emulated.c | 2 ++
 1 file changed, 2 insertions(+)

hw/usb: fix mistaken de-initialization of CCID state
Date: Fri, 21 Dec 2018 13:41:15 +0000
Message-Id: <20181221134115.27973-1-berrange@redhat.com>
Bug-Debian: https://bugs.debian.org/917007

In previous commit:

  commit 7dea29e4af17fc1d27478de9f8ea38144deac54a
sparc64 timeval.tv_usec is int.patch

 linux-user/syscall_defs.h | 4 ++++
 1 file changed, 4 insertions(+)

sparc64 timeval.tv_usec is int

On sparc (only) Linux defines timeval::tv_usec with type int, not
long.  However qemu-user's definition of struct target_timeval uses
abi_long unconditionally.  This results in the syscall translation
layer effectively multiplying tv_usec by 2**32.  All sparc syscalls
passing non-zero values for this field fail with -EINVAL.

Laurent Vivier <laurent@vivier.eu>:

According to the kernel definition, I think it should be:

See arch/sparc/include/uapi/asm/posix_types.h

typedef int                    __kernel_suseconds_t;
..

scsi generic avoid possible oob access to r buf CVE 2019 6501.patch

 hw/scsi/scsi-generic.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

scsi-generic: avoid possible out-of-bounds access to r->buf (CVE-2019-6501)
Bug-Debian: http://bugs.debian.org/920222

Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf.  Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest.  Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

slirp check data length while emulating ident function CVE 2019 6778.patch

 slirp/tcp_subr.c | 5 +++++
 1 file changed, 5 insertions(+)

slirp: check data length while emulating ident function (CVE-2019-6778)
Bug-Debian: http://bugs.debian.org/921525

While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv->sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.

Reported-by: Kira <864786842@qq.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

i2c ddc fix oob read CVE 2019 3812.patch

 hw/i2c/i2c-ddc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

i2c-ddc: fix oob read
Commit-Id: b05b267840515730dbf6753495d5b7bd8b04ad1c
Bug-Debian: https://bugs.debian.org/922635

Suggested-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
slirp check sscanf result when emulating ident CVE 2019 9824.patch

 slirp/tcp_subr.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

slirp: check sscanf result when emulating ident (CVE-2019-9824)

device_tree don t use load_image CVE 2018 20815.patch

 device_tree.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

device_tree.c: don't use load_image() (CVE-2018-20815)
Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17

The load_image() function is deprecated, as it does not let the
caller specify how large the buffer to read the file into is.
Instead use load_image_size().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>