mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: QEMU: Fix CVE-2018-16872 and CVE-2019-6778.
* gnu/packages/patches/qemu-CVE-2018-16872.patch, gnu/packages/patches/qemu-CVE-2019-6778.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.
This commit is contained in:
parent
a382860bd4
commit
11d19ca236
4 changed files with 135 additions and 0 deletions
|
@ -1186,6 +1186,8 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/python-unittest2-remove-argparse.patch \
|
||||
%D%/packages/patches/python-waitress-fix-tests.patch \
|
||||
%D%/packages/patches/qemu-glibc-2.27.patch \
|
||||
%D%/packages/patches/qemu-CVE-2018-16872.patch \
|
||||
%D%/packages/patches/qemu-CVE-2019-6778.patch \
|
||||
%D%/packages/patches/qt4-ldflags.patch \
|
||||
%D%/packages/patches/qtbase-use-TZDIR.patch \
|
||||
%D%/packages/patches/qtscript-disable-tests.patch \
|
||||
|
|
88
gnu/packages/patches/qemu-CVE-2018-16872.patch
Normal file
88
gnu/packages/patches/qemu-CVE-2018-16872.patch
Normal file
|
@ -0,0 +1,88 @@
|
|||
Fixes CVE-2018-16872:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=bab9df35ce73d1c8e19a37e2737717ea1c984dc1
|
||||
|
||||
From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 13 Dec 2018 13:25:11 +0100
|
||||
Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
|
||||
|
||||
Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
|
||||
While being at it also add O_CLOEXEC.
|
||||
|
||||
usb-mtp only handles regular files and directories and ignores
|
||||
everything else, so users should not see a difference.
|
||||
|
||||
Because qemu ignores symlinks, carrying out a successful symlink attack
|
||||
requires swapping an existing file or directory below rootdir for a
|
||||
symlink and winning the race against the inotify notification to qemu.
|
||||
|
||||
Fixes: CVE-2018-16872
|
||||
Cc: Prasad J Pandit <ppandit@redhat.com>
|
||||
Cc: Bandan Das <bsd@redhat.com>
|
||||
Reported-by: Michael Hanselmann <public@hansmi.ch>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
|
||||
Message-id: 20181213122511.13853-1-kraxel@redhat.com
|
||||
---
|
||||
hw/usb/dev-mtp.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
|
||||
index 100b7171f4..36c43b8c20 100644
|
||||
--- a/hw/usb/dev-mtp.c
|
||||
+++ b/hw/usb/dev-mtp.c
|
||||
@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
|
||||
{
|
||||
struct dirent *entry;
|
||||
DIR *dir;
|
||||
+ int fd;
|
||||
|
||||
if (o->have_children) {
|
||||
return;
|
||||
}
|
||||
o->have_children = true;
|
||||
|
||||
- dir = opendir(o->path);
|
||||
+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
|
||||
+ if (fd < 0) {
|
||||
+ return;
|
||||
+ }
|
||||
+ dir = fdopendir(fd);
|
||||
if (!dir) {
|
||||
return;
|
||||
}
|
||||
@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
|
||||
|
||||
trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
|
||||
|
||||
- d->fd = open(o->path, O_RDONLY);
|
||||
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_data_free(d);
|
||||
return NULL;
|
||||
@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
|
||||
c->argv[1], c->argv[2]);
|
||||
|
||||
d = usb_mtp_data_alloc(c);
|
||||
- d->fd = open(o->path, O_RDONLY);
|
||||
+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_data_free(d);
|
||||
return NULL;
|
||||
@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
|
||||
0, 0, 0, 0);
|
||||
goto done;
|
||||
}
|
||||
- d->fd = open(path, O_CREAT | O_WRONLY, mask);
|
||||
+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
|
||||
if (d->fd == -1) {
|
||||
usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
|
||||
0, 0, 0, 0);
|
||||
--
|
||||
2.20.1
|
||||
|
43
gnu/packages/patches/qemu-CVE-2019-6778.patch
Normal file
43
gnu/packages/patches/qemu-CVE-2019-6778.patch
Normal file
|
@ -0,0 +1,43 @@
|
|||
Fixes CVE-2019-6778:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6778
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a7104eda7dab99d0cdbd3595c211864cba415905
|
||||
|
||||
From a7104eda7dab99d0cdbd3595c211864cba415905 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Sun, 13 Jan 2019 23:29:48 +0530
|
||||
Subject: [PATCH] slirp: check data length while emulating ident function
|
||||
|
||||
While emulating identification protocol, tcp_emu() does not check
|
||||
available space in the 'sc_rcv->sb_data' buffer. It could lead to
|
||||
heap buffer overflow issue. Add check to avoid it.
|
||||
|
||||
Reported-by: Kira <864786842@qq.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
|
||||
---
|
||||
slirp/tcp_subr.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
|
||||
index 4a9a5b5edc..23a841f26e 100644
|
||||
--- a/slirp/tcp_subr.c
|
||||
+++ b/slirp/tcp_subr.c
|
||||
@@ -634,6 +634,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
|
||||
socklen_t addrlen = sizeof(struct sockaddr_in);
|
||||
struct sbuf *so_rcv = &so->so_rcv;
|
||||
|
||||
+ if (m->m_len > so_rcv->sb_datalen
|
||||
+ - (so_rcv->sb_wptr - so_rcv->sb_data)) {
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
|
||||
so_rcv->sb_wptr += m->m_len;
|
||||
so_rcv->sb_rptr += m->m_len;
|
||||
--
|
||||
2.20.1
|
||||
|
|
@ -110,6 +110,8 @@ (define-public qemu
|
|||
(method url-fetch)
|
||||
(uri (string-append "https://download.qemu.org/qemu-"
|
||||
version ".tar.xz"))
|
||||
(patches (search-patches "qemu-CVE-2018-16872.patch"
|
||||
"qemu-CVE-2019-6778.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba"))))
|
||||
|
|
Loading…
Reference in a new issue