Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2022-03-16 21:30:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.25692 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Wed Mar 16 21:30:20 2022 rev:222 rq:961860 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2022-03-11 21:39:54.110011272 +0100 +++ /work/SRC/openSUSE:Factory/.qemu.new.25692/qemu.changes 2022-03-16 21:30:24.811395776 +0100 @@ -1,0 +2,6 @@ +Tue Mar 15 09:58:18 UTC 2022 - Li Zhang <li.zh...@suse.com> +Fix bsc#1189702 CVE-2021-3713 +* Patches added: + hw-nvram-at24-return-0xff-if-1-byte-addr.patch + +------------------------------------------------------------------- New: ---- hw-nvram-at24-return-0xff-if-1-byte-addr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.AibcZb/_old 2022-03-16 21:30:27.143397543 +0100 +++ /var/tmp/diff_new_pack.AibcZb/_new 2022-03-16 21:30:27.147397546 +0100 @@ -215,6 +215,7 @@ Patch00069: block-backend-Retain-permissions-after-m.patch Patch00070: virtiofsd-Drop-membership-of-all-supplem.patch Patch00071: hw-scsi-megasas-check-for-NULL-frame-in-.patch +Patch00072: hw-nvram-at24-return-0xff-if-1-byte-addr.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -1206,6 +1207,7 @@ %patch00069 -p1 %patch00070 -p1 %patch00071 -p1 +%patch00072 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 ++++++ bundles.tar.xz ++++++ Binary files old/44f28df24767cf9dca1ddc9b23157737c4cbb645.bundle and new/44f28df24767cf9dca1ddc9b23157737c4cbb645.bundle differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/repo new/repo --- old/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://git.qemu.org/git/qemu.git +https://github.com/openSUSE/qemu.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo --- old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://github.com/google/brotli +https://github.com/openSUSE/qemu-edk2-BrotliCompress-brotli.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/ipxe/repo new/roms/ipxe/repo --- old/roms/ipxe/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/ipxe/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://git.qemu.org/git/ipxe.git +https://github.com/openSUSE/qemu-ipxe.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/opensbi/repo new/roms/opensbi/repo --- old/roms/opensbi/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/opensbi/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://git.qemu.org/git/opensbi.git +https://github.com/openSUSE/qemu-opensbi.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/qboot/repo new/roms/qboot/repo --- old/roms/qboot/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/qboot/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://github.com/bonzini/qboot +https://github.com/openSUSE/qemu-qboot.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/seabios/repo new/roms/seabios/repo --- old/roms/seabios/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/seabios/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://git.qemu.org/git/seabios.git/ +https://github.com/openSUSE/qemu-seabios.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/sgabios/repo new/roms/sgabios/repo --- old/roms/sgabios/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/sgabios/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://git.qemu.org/git/sgabios.git +https://github.com/openSUSE/qemu-sgabios.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/roms/skiboot/repo new/roms/skiboot/repo --- old/roms/skiboot/repo 2021-12-16 17:53:29.000000000 +0100 +++ new/roms/skiboot/repo 2021-12-16 17:53:29.000000000 +0100 @@ -1 +1 @@ -https://gitlab.com/qemu-project/skiboot.git +https://github.com/openSUSE/qemu-skiboot.git ++++++ hw-nvram-at24-return-0xff-if-1-byte-addr.patch ++++++ From: Patrick Venture <vent...@google.com> Date: Mon, 20 Dec 2021 13:21:37 -0800 Subject: hw/nvram: at24 return 0xff if 1 byte address MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 1cbab82e9d1bdb2c7b9ef46a396fdc03ea3fa04c References: bsc#1193880 CVE-2021-3929 The at24 eeproms are 2 byte devices that return 0xff when they are read from with a partial (1-byte) address written. This distinction was found comparing model behavior to real hardware testing. Tested: `i2ctransfer -f -y 45 w1@85 0 r1` returns 0xff instead of next byte Signed-off-by: Patrick Venture <vent...@google.com> Reviewed-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Message-Id: <20211220212137.1244511-1-vent...@google.com> Signed-off-by: Philippe Mathieu-Daud?? <f4...@amsat.org> Signed-off-by: Li Zhang <lizh...@suse.de> --- hw/nvram/eeprom_at24c.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/hw/nvram/eeprom_at24c.c b/hw/nvram/eeprom_at24c.c index af6f5dbb998475871b4defb59c47..b956b8e2b2d9d74a1bc61bc16eb9 100644 --- a/hw/nvram/eeprom_at24c.c +++ b/hw/nvram/eeprom_at24c.c @@ -58,9 +58,10 @@ int at24c_eeprom_event(I2CSlave *s, enum i2c_event event) switch (event) { case I2C_START_SEND: - case I2C_START_RECV: case I2C_FINISH: ee->haveaddr = 0; + /* fallthrough */ + case I2C_START_RECV: DPRINTK("clear\n"); if (ee->blk && ee->changed) { int len = blk_pwrite(ee->blk, 0, ee->mem, ee->rsize, 0); @@ -84,6 +85,10 @@ uint8_t at24c_eeprom_recv(I2CSlave *s) EEPROMState *ee = AT24C_EE(s); uint8_t ret; + if (ee->haveaddr == 1) { + return 0xff; + } + ret = ee->mem[ee->cur]; ee->cur = (ee->cur + 1u) % ee->rsize;
