[qemu/f17] Remove comma from 1.0.1 version number CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
Cole Robinson
crobinso at fedoraproject.org
Sun Oct 7 20:24:22 UTC 2012
commit dee28d805f75dfd9704e3de8e4cd13263452f2a5
Author: Cole Robinson <crobinso at redhat.com>
Date: Sun Oct 7 16:24:18 2012 -0400
Remove comma from 1.0.1 version number
CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz 851252)
Fix slirp crash (bz #845793)
Fix KVM module permissions after install (bz #863374)
0001-qemu-1.0.1-VERSION.patch | 34 +++++
...nds-check-whenever-changing-the-cursor-du.patch | 129 ++++++++++++++++++++
...x-requeuing-of-batchq-packets-in-if_start.patch | 95 ++++++++++++++
qemu.spec | 20 +++-
4 files changed, 276 insertions(+), 2 deletions(-)
---
diff --git a/0001-qemu-1.0.1-VERSION.patch b/0001-qemu-1.0.1-VERSION.patch
new file mode 100644
index 0000000..5adc9c8
--- /dev/null
+++ b/0001-qemu-1.0.1-VERSION.patch
@@ -0,0 +1,34 @@
+From be94aaec72dbacd0d948946ebab482864454b8ff Mon Sep 17 00:00:00 2001
+Message-Id: <be94aaec72dbacd0d948946ebab482864454b8ff.1349639034.git.crobinso at redhat.com>
+From: Kenneth Salerno <kennethsalerno at yahoo.com>
+Date: Sat, 18 Feb 2012 16:05:44 -0800
+Subject: [PATCH 1/3] qemu-1.0.1/VERSION
+
+Hello,
+
+The VERSION file in stable release qemu-1.0.1 has what I believe might be a typo: "1.0,1" rather than "1.0.1". This is causing a parsing issue for windres.exe in Win32 which chokes on:
+ #define CONFIG_FILEVERSION 1,0,1,0,1,0
+ #define CONFIG_PRODUCTVERSION 1,0,1,0,1,0
+
+when it should be seeing this:
+ #define CONFIG_FILEVERSION 1,0,1,0
+ #define CONFIG_PRODUCTVERSION 1,0,1,0
+
+Patch:
+
+Signed-off-by: Justin M. Forbes <jforbes at redhat.com>
+Signed-off-by: Cole Robinson <crobinso at redhat.com>
+---
+ VERSION | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/VERSION b/VERSION
+index b70c292..7dea76e 100644
+--- a/VERSION
++++ b/VERSION
+@@ -1 +1 @@
+-1.0,1
++1.0.1
+--
+1.7.11.4
+
diff --git a/0002-console-bounds-check-whenever-changing-the-cursor-du.patch b/0002-console-bounds-check-whenever-changing-the-cursor-du.patch
new file mode 100644
index 0000000..7c8c7a1
--- /dev/null
+++ b/0002-console-bounds-check-whenever-changing-the-cursor-du.patch
@@ -0,0 +1,129 @@
+From 7a6b29b57272ab9559573aa45bc6c41bcb9d9718 Mon Sep 17 00:00:00 2001
+Message-Id: <7a6b29b57272ab9559573aa45bc6c41bcb9d9718.1349639034.git.crobinso at redhat.com>
+In-Reply-To: <be94aaec72dbacd0d948946ebab482864454b8ff.1349639034.git.crobinso at redhat.com>
+References: <be94aaec72dbacd0d948946ebab482864454b8ff.1349639034.git.crobinso at redhat.com>
+From: Ian Campbell <ian.campbell at citrix.com>
+Date: Tue, 4 Sep 2012 10:26:09 -0500
+Subject: [PATCH 2/3] console: bounds check whenever changing the cursor due
+ to an escape code
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)
+Signed-off-by: Cole Robinson <crobinso at redhat.com>
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index ed6a653..bfad360 100644
+--- a/console.c
++++ b/console.c
+@@ -841,6 +841,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+ update_xy(s, x, y);
+ }
+
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++ if (x < 0) {
++ x = 0;
++ }
++ if (y < 0) {
++ y = 0;
++ }
++ if (y >= s->height) {
++ y = s->height - 1;
++ }
++ if (x >= s->width) {
++ x = s->width - 1;
++ }
++
++ s->x = x;
++ s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+ TextCell *c;
+@@ -912,7 +932,8 @@ static void console_putchar(TextConsole *s, int ch)
+ s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+ }
+ } else {
+- s->nb_esc_params++;
++ if (s->nb_esc_params < MAX_ESC_PARAMS)
++ s->nb_esc_params++;
+ if (ch == ';')
+ break;
+ #ifdef DEBUG_CONSOLE
+@@ -926,59 +947,37 @@ static void console_putchar(TextConsole *s, int ch)
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y -= s->esc_params[0];
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->x, s->y - s->esc_params[0]);
+ break;
+ case 'B':
+ /* move cursor down */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->y += s->esc_params[0];
+- if (s->y >= s->height) {
+- s->y = s->height - 1;
+- }
++ set_cursor(s, s->x, s->y + s->esc_params[0]);
+ break;
+ case 'C':
+ /* move cursor right */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x += s->esc_params[0];
+- if (s->x >= s->width) {
+- s->x = s->width - 1;
+- }
++ set_cursor(s, s->x + s->esc_params[0], s->y);
+ break;
+ case 'D':
+ /* move cursor left */
+ if (s->esc_params[0] == 0) {
+ s->esc_params[0] = 1;
+ }
+- s->x -= s->esc_params[0];
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->x - s->esc_params[0], s->y);
+ break;
+ case 'G':
+ /* move cursor to column */
+- s->x = s->esc_params[0] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
++ set_cursor(s, s->esc_params[0] - 1, s->y);
+ break;
+ case 'f':
+ case 'H':
+ /* move cursor to row, column */
+- s->x = s->esc_params[1] - 1;
+- if (s->x < 0) {
+- s->x = 0;
+- }
+- s->y = s->esc_params[0] - 1;
+- if (s->y < 0) {
+- s->y = 0;
+- }
++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+ break;
+ case 'J':
+ switch (s->esc_params[0]) {
+--
+1.7.11.4
+
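Review bot: set_cursor bounds the final cursor position, but the values it is fed can still overflow: the CSI digit accumulator `s->esc_params[s->nb_esc_params] * 10 + ch - '0'` (its enclosing `if` starts before this hunk) has no upper bound, so a guest writing a long run of digits wraps a signed int (undefined behaviour in C), and `s->y + s->esc_params[0]` in the 'B'/'C' cases can overflow again before set_cursor gets to clamp it. Saturating the parameter while it is parsed closes this, e.g. guarding the accumulation with `if (s->esc_params[s->nb_esc_params] < 100000)`, which keeps every later `s->x ± param` and `param - 1` well inside int range. A smaller point: set_cursor assumes s->width and s->height are at least 1; if a zero-sized text console is ever possible (not visible here), the `>=` clamps yield -1 and the result is still out of bounds, so that precondition is worth a comment on the helper, e.g. `/* caller guarantees s->width >= 1 && s->height >= 1 */`. console_putchar begins and ends outside this hunk.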
diff --git a/0003-slirp-Fix-requeuing-of-batchq-packets-in-if_start.patch b/0003-slirp-Fix-requeuing-of-batchq-packets-in-if_start.patch
new file mode 100644
index 0000000..3990cc8
--- /dev/null
+++ b/0003-slirp-Fix-requeuing-of-batchq-packets-in-if_start.patch
@@ -0,0 +1,95 @@
+From 3c5ff5a0a14a2cd7098560f5637bd945cac7f17b Mon Sep 17 00:00:00 2001
+Message-Id: <3c5ff5a0a14a2cd7098560f5637bd945cac7f17b.1349639034.git.crobinso at redhat.com>
+In-Reply-To: <be94aaec72dbacd0d948946ebab482864454b8ff.1349639034.git.crobinso at redhat.com>
+References: <be94aaec72dbacd0d948946ebab482864454b8ff.1349639034.git.crobinso at redhat.com>
+From: Jan Kiszka <jan.kiszka at siemens.com>
+Date: Fri, 17 Feb 2012 16:26:38 +0100
+Subject: [PATCH 3/3] slirp: Fix requeuing of batchq packets in if_start
+
+In case we requeued a packet that was the head of a longer session
+queue, we failed to restore this ordering. Also, we did not properly
+deal with changes to Slirp::next_m.
+
+Instead of a cumbersome roll back, this fix simply avoids any changes
+until we know if the packet was actually sent. Both fixes crashes due
+to inconsistent queues and simplifies the logic.
+
+Thanks to Zhi Yong Wu who found the reason for these crashes.
+
+CC: Zhi Yong Wu <wuzhy at linux.vnet.ibm.com>
+CC: Fabien Chouteau <chouteau at adacore.com>
+Signed-off-by: Jan Kiszka <jan.kiszka at siemens.com>
+(cherry picked from commit b248ede2ef2792d364bd305e5e92e24921c924a8)
+Signed-off-by: Cole Robinson <crobinso at redhat.com>
+---
+ slirp/if.c | 35 +++++++++++++++++++----------------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/slirp/if.c b/slirp/if.c
+index 2852396..75a3c26 100644
+--- a/slirp/if.c
++++ b/slirp/if.c
+@@ -156,6 +156,7 @@ if_start(Slirp *slirp)
+ {
+ uint64_t now = qemu_get_clock_ns(rt_clock);
+ int requeued = 0;
++ bool from_batchq = false;
+ struct mbuf *ifm, *ifqt;
+
+ DEBUG_CALL("if_start");
+@@ -181,13 +182,26 @@ if_start(Slirp *slirp)
+ else
+ ifm = slirp->if_batchq.ifq_next;
+
+- /* Set which packet to send on next iteration */
+- slirp->next_m = ifm->ifq_next;
++ from_batchq = true;
+ }
++
++ slirp->if_queued--;
++
++ /* Try to send packet unless it already expired */
++ if (ifm->expiration_date >= now && !if_encap(slirp, ifm)) {
++ /* Packet is delayed due to pending ARP resolution */
++ requeued++;
++ goto out;
++ }
++
++ if (from_batchq) {
++ /* Set which packet to send on next iteration */
++ slirp->next_m = ifm->ifq_next;
++ }
++
+ /* Remove it from the queue */
+ ifqt = ifm->ifq_prev;
+ remque(ifm);
+- slirp->if_queued--;
+
+ /* If there are more packets for this session, re-queue them */
+ if (ifm->ifs_next != /* ifm->ifs_prev != */ ifm) {
+@@ -202,20 +216,9 @@ if_start(Slirp *slirp)
+ ifm->ifq_so->so_nqueued = 0;
+ }
+
+- if (ifm->expiration_date < now) {
+- /* Expired */
+- m_free(ifm);
+- } else {
+- /* Encapsulate the packet for sending */
+- if (if_encap(slirp, ifm)) {
+- m_free(ifm);
+- } else {
+- /* re-queue */
+- insque(ifm, ifqt);
+- requeued++;
+- }
+- }
++ m_free(ifm);
+
++ out:
+ if (slirp->if_queued)
+ goto again;
+
+--
+1.7.11.4
+
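Review bot: `from_batchq` is declared and initialised once at function entry (`bool from_batchq = false;`) but only ever set to true, and the function loops back with `goto again` at the bottom, so assuming the `again:` label sits below these declarations (it is not visible here) the flag stays true for every later pass of the same if_start call: once a batchq packet has been selected, a subsequent fastq packet also takes the `if (from_batchq)` branch and stores its `ifq_next` — a node on the fastq list — into `slirp->next_m`, which the batchq selection code then treats as the next batchq packet. The flag needs to be reset per pass, e.g. `from_batchq = false;` immediately after the `again:` label (outside this hunk), or set explicitly to false in the fastq branch. A second, smaller point: on the delayed path the packet is left at the head of its queue and neither the fastq head nor next_m advances, so while if_queued is still positive the next pass reselects the same ARP-pending packet instead of moving on to others; whether that is acceptable depends on how `requeued` is consumed after `out:`, which is outside the hunk. if_start begins and ends outside this hunk.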
diff --git a/qemu.spec b/qemu.spec
index 963c14b..7f5f823 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -38,7 +38,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@@ -186,6 +186,12 @@ Patch511: %{name}-fix-vnc-audio.patch
Patch512: %{name}-snapshot-symlink-attack.patch
# Fix systemtap tapsets (bz 831763)
Patch513: %{name}-fix-systemtap.patch
+# Remove comma from 1.0.1 version number
+Patch514: 0001-qemu-1.0.1-VERSION.patch
+# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
+Patch515: 0002-console-bounds-check-whenever-changing-the-cursor-du.patch
+# Fix slirp crash (bz 845793)
+Patch516: 0003-slirp-Fix-requeuing-of-batchq-packets-in-if_start.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -539,6 +545,9 @@ such as kvm_stat.
%patch511 -p1
%patch512 -p1
%patch513 -p1
+%patch514 -p1
+%patch515 -p1
+%patch516 -p1
%build
@@ -775,6 +784,7 @@ rm -rf $RPM_BUILD_ROOT
# load kvm modules now, so we can make sure no reboot is needed.
# If there's already a kvm module installed, we don't mess with it
sh %{_sysconfdir}/sysconfig/modules/kvm.modules || :
+udevadm trigger --sysname-match=kvm || :
%endif
%post common
@@ -978,7 +988,13 @@ fi
%{_mandir}/man1/qemu-img.1*
%changelog
-* Sun Jul 29 2012 Cole Robinson <crobinso at redhat.com> - 1.0.1-2
+* Sun Oct 07 2012 Cole Robinson <crobinso at redhat.com> - 1.0.1-2
+- Remove comma from 1.0.1 version number
+- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
+- Fix slirp crash (bz #845793)
+- Fix KVM module permissions after install (bz #863374)
+
+* Sun Jul 29 2012 Cole Robinson <crobinso at redhat.com> - 1.0.1-1
- Fix VNC audio tunnelling (bz 840653)
- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
824919)