Your message dated Fri, 05 Apr 2019 14:37:41 +0000
with message-id <[email protected]>
and subject line unblock qemu
has caused the Debian Bug report #926441,
regarding unblock: qemu/1:3.1+dfsg-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
926441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package qemu

The version currently in -unstable fixes 2 security issues
(CVE-2019-9824 and CVE-2018-20815), patches taken from
upstream, and fixes a mistake in the previous version of
one of the binary packages (qemu-guest-agent) - we misplaced
a new config file, putting it into a subdir (/etc/qemu/fsfreeze-hook/
instead of /etc/qemu/fsfreeze-hook), -- this last issue required
some work fixing it and moving the file into its proper place. All
the various corner cases of this, including when the user modified
that file locally _and_ fixed its location too, were tested and
all works ok. This is an Ubuntu bug (LP: #1820291) which slipped into
Debian too.

Here's the debdiff against 1:3.1+dfsg-5 currently in testing:

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog      2019-03-11 14:30:44.000000000 +0300
+++ qemu-3.1+dfsg/debian/changelog      2019-03-27 14:24:06.000000000 +0300
@@ -1,3 +1,26 @@
+qemu (1:3.1+dfsg-7) unstable; urgency=high
+
+  [ Michael Tokarev ]
+  * device_tree-don-t-use-load_image-CVE-2018-20815.patch
+    fix heap buffer overflow while loading device tree blob
+    (Closes: CVE-2018-20815)
+
+  [ Christian Ehrhardt ]
+  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
+   - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
+   - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
+     mv_conffile since the new path is a directory in the old package
+     version which can not be handled by mv_conffile.
+
+ -- Michael Tokarev <[email protected]>  Wed, 27 Mar 2019 14:24:06 +0300
+
+qemu (1:3.1+dfsg-6) unstable; urgency=high
+
+  * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+    fix information leakage in slirp code (Closes: CVE-2019-9824)
+
+ -- Michael Tokarev <[email protected]>  Mon, 18 Mar 2019 14:41:51 +0300
+
 qemu (1:3.1+dfsg-5) unstable; urgency=high
 
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
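Review bot: the 1:3.1+dfsg-7 entry says "use correct path for fsfreeze-hook" but never names the paths; since this moves a registered conffile from /etc/qemu/fsfreeze-hook/fsfreeze-hook to /etc/qemu/fsfreeze-hook and the maintainer scripts below may leave a locally modified hook as /etc/qemu/fsfreeze-hook.old or the packaged copy as fsfreeze-hook.dpkg-new, spell the old and new locations out here or in a NEWS.Debian entry so administrators who customised the hook know where to look. Minor: "(Closes: CVE-2018-20815)" and "(Closes: CVE-2019-9824)" are harmless because dpkg only extracts numeric bug ids from Closes, but the security tracker picks CVE ids up from plain changelog text, so the Closes wrapper is unnecessary.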
diff -Nru 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
--- 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
  2019-03-27 14:16:54.000000000 +0300
@@ -0,0 +1,35 @@
+From: Peter Maydell <[email protected]>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: device_tree.c: Don't use load_image() (CVE-2018-20815)
+Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <[email protected]>
+Reviewed-by: Richard Henderson <[email protected]>
+Reviewed-by: Stefan Hajnoczi <[email protected]>
+Reviewed-by: Michael S. Tsirkin <[email protected]>
+Reviewed-by: Eric Blake <[email protected]>
+Message-id: [email protected]
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f66..296278e12ae 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+     /* First allocate space in qemu for device tree */
+     fdt = g_malloc0(dt_size);
+ 
+-    dt_file_load_size = load_image(filename_path, fdt);
++    dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+     if (dt_file_load_size < 0) {
+         error_report("Unable to open device tree file '%s'",
+                      filename_path);
+-- 
+2.11.0
+
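Review bot: the caller still treats only a negative return as failure at `if (dt_file_load_size < 0)`; with dt_size being the size the buffer was allocated with (`fdt = g_malloc0(dt_size)`), load_image_size() now caps the read at dt_size bytes, so a device tree file larger than the buffer is truncated instead of overflowing the heap (the CVE-2018-20815 condition the changelog names), but the truncation itself is not reported here. Worth a follow-up check that the bytes read are below dt_size before the blob is handed on, so a short read surfaces as an error rather than as a malformed tree later. Provenance is good: the Commit-Id header gives the upstream commit the patch was taken from.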
diff -Nru qemu-3.1+dfsg/debian/patches/series 
qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2019-03-11 14:30:08.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/series 2019-03-27 14:16:54.000000000 +0300
@@ -7,3 +7,5 @@
 scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
 slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 i2c-ddc-fix-oob-read-CVE-2019-3812.patch
+slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+device_tree-don-t-use-load_image-CVE-2018-20815.patch
diff -Nru 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
--- 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
     1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
     2019-03-18 14:41:28.000000000 +0300
@@ -0,0 +1,49 @@
+From: Samuel Thibault <[email protected]>
+Date: Thu,  7 Mar 2019 12:51:34 +0100
+Message-Id: <[email protected]>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Subject: slirp: check sscanf result when emulating ident (CVE-2019-9824)
+
+From: William Bowling <[email protected]>
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <[email protected]>
+Cc: [email protected]
+Cc: [email protected]
+Message-Id: <[email protected]>
+Signed-off-by: Samuel Thibault <[email protected]>
+Reviewed-by: Philippe Mathieu-Daudé <[email protected]>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 262a42d6c8..ef9d99c154 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+                                                       break;
+                                               }
+                                       }
++                                      so_rcv->sb_cc = 
snprintf(so_rcv->sb_data,
++                                                               
so_rcv->sb_datalen,
++                                                               "%d,%d\r\n", 
n1, n2);
++                                      so_rcv->sb_rptr = so_rcv->sb_data;
++                                      so_rcv->sb_wptr = so_rcv->sb_data + 
so_rcv->sb_cc;
+                               }
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-                              so_rcv->sb_rptr = so_rcv->sb_data;
+-                              so_rcv->sb_wptr = so_rcv->sb_data + 
so_rcv->sb_cc;
+                       }
+                       m_free(m);
+                       return 0;
+-- 
+2.20.1
+
+
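Review bot: the relocation does what the description says as far as the visible lines show: `so_rcv->sb_cc = snprintf(...)` and the sb_rptr/sb_wptr updates now sit inside the block closed by the `}` that follows the sscanf check, so n1 and n2 are only formatted into the reply when both were parsed, and when parsing fails control still reaches `m_free(m); return 0;` with no reply queued from uninitialised stack values. Two things to verify when importing: the added lines in this copy are wrapped (`so_rcv->sb_cc = ` / `snprintf(so_rcv->sb_data,`), so confirm the file in debian/patches matches the upstream commit exactly or quilt will reject it; and unlike the device_tree patch this header carries only a Message-Id, no Commit-Id, so add the upstream commit hash to make provenance checkable.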
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.install 
qemu-3.1+dfsg/debian/qemu-guest-agent.install
--- qemu-3.1+dfsg/debian/qemu-guest-agent.install       2019-02-06 
14:35:32.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.install       2019-03-27 
14:21:20.000000000 +0300
@@ -3,4 +3,4 @@
 debian/tmp/usr/share/man/man7/qemu-ga-ref.7 /usr/share/man/man7
 debian/tmp/usr/share/doc/qemu/qemu-ga-ref.* /usr/share/doc/qemu-guest-agent
 qga/qapi-schema.json /usr/share/doc/qemu-guest-agent
-scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/fsfreeze-hook
+scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/
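Review bot: this one-line change is the actual cause and fix of the misplacement and deserves a comment: dh_install treats the second field as a destination directory, so the old `/etc/qemu/fsfreeze-hook` produced `/etc/qemu/fsfreeze-hook/fsfreeze-hook` (the ORIGCONFFILE path the maintainer scripts clean up), while `/etc/qemu/` installs the hook as `/etc/qemu/fsfreeze-hook`. Because the file is a conffile, the path change is what forces the mv_conffile-style handling in preinst/postinst/postrm, so note that dependency here to stop someone "simplifying" the scripts away later.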
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postinst 
qemu-3.1+dfsg/debian/qemu-guest-agent.postinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postinst      1970-01-01 
03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postinst      2019-03-27 
14:21:20.000000000 +0300
@@ -0,0 +1,59 @@
+#!/bin/sh
+# postinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the 
old package version (LP: 1820291)
+case "$1" in
+    configure)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope 
with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl 
"1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            rm -f "$TMPCONFFILE.dpkg-remove"
+            if [ -e "$TMPCONFFILE" ]; then
+                echo "Preserving user changes to $NEWCONFFILE (renamed from 
$ORIGCONFFILE)..."
+                if [ -e "$NEWCONFFILE" ]; then
+                    mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
+                fi
+                mv -f "$TMPCONFFILE" "$NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+exit 0
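Review bot: the `configure` branch handles exactly the two states preinst can leave behind (`$TMPCONFFILE.dpkg-remove` for an unmodified hook, which is just deleted, and `$TMPCONFFILE` for a modified one, which is put in place), and the guard `[ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"` correctly skips fresh installs and upgrades from this version onward. One point to raise: on the "Preserving user changes" path the freshly unpacked packaged hook is moved aside to `$NEWCONFFILE.dpkg-new` with no conffile prompt, only the echo, so the administrator never sees a diff; document that outcome (NEWS.Debian or the changelog) so a stale local hook is not mistaken for the shipped one. Style: the second `case "$1"` could live inside the first `configure)` arm, but keeping it after `#DEBHELPER#` is defensible since it must run after the generated snippets.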
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postrm 
qemu-3.1+dfsg/debian/qemu-guest-agent.postrm
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postrm        1970-01-01 
03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postrm        2019-03-27 
14:21:20.000000000 +0300
@@ -0,0 +1,56 @@
+#!/bin/sh
+# postrm script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# If needed revert the move we have made in preinst to compensate the new path 
being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    abort-install|abort-upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope 
with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl 
"1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -e "$TMPCONFFILE.dpkg-remove" ]; then
+                echo "Reinstalling $ORIGCONFFILE that was moved away"
+                if [ -f "$NEWCONFFILE" ]; then
+                    rm -f "$NEWCONFFILE"
+                fi
+                mkdir -p "$NEWCONFFILE"
+                mv "$TMPCONFFILE.dpkg-remove" "$ORIGCONFFILE"
+            fi
+        fi
+esac
+
+exit 0
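Review bot: the abort path only restores the unmodified case. It checks for `$TMPCONFFILE.dpkg-remove`, recreates the directory and moves that file back, but preinst also moves a locally modified hook to `$TMPCONFFILE` (`/etc/qemu/fsfreeze-hook.old`), and on `abort-install|abort-upgrade` that file is left where it is while the old package's conffile `/etc/qemu/fsfreeze-hook/fsfreeze-hook` stays missing. Add an `elif [ -e "$TMPCONFFILE" ]` branch that does the same `mkdir -p "$NEWCONFFILE"` and moves the .old file back to `$ORIGCONFFILE`; it is the user's copy, so it must not be discarded. Minor: the last case item has no `;;` before `esac`, which POSIX sh permits but the other two scripts include; add it for consistency.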
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.preinst 
qemu-3.1+dfsg/debian/qemu-guest-agent.preinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.preinst       1970-01-01 
03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.preinst       2019-03-27 
14:21:20.000000000 +0300
@@ -0,0 +1,62 @@
+#!/bin/sh
+# preinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    install|upgrade)
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the 
old package version (LP: 1820291)
+case "$1" in
+    install|upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope 
with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl 
"1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -f "$ORIGCONFFILE" ]; then
+                disk_md5sum="$(md5sum "$ORIGCONFFILE" | sed -e 's/ .*//')"
+                pkg_md5sum="$(dpkg-query -W -f='${Conffiles}' 
"qemu-guest-agent" | \
+                    sed -n -e "\'^ $ORIGCONFFILE ' { s/ obsolete$//; s/.* //; 
p }")"
+                if [ "$disk_md5sum" = "$pkg_md5sum" ]; then
+                    # mark as having no custom content
+                    mv -f "$ORIGCONFFILE" "${TMPCONFFILE}.dpkg-remove"
+                else
+                    # keep the "old" name to reflect there is content to be 
preserved
+                    mv -f "$ORIGCONFFILE" "$TMPCONFFILE"
+                fi
+                # In any case the old directory blocking the new conffile
+                # has to be removed before unpack happens
+                rmdir "$NEWCONFFILE" || echo "failed to remove $NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
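Review bot: `rmdir "$NEWCONFFILE" || echo "failed to remove $NEWCONFFILE"` hides the one failure that matters: if the directory cannot be removed (anything else left in /etc/qemu/fsfreeze-hook/), the hook has already been moved to `$TMPCONFFILE` and dpkg's unpack of the new conffile `/etc/qemu/fsfreeze-hook` will then fail on the directory in its way, leaving the system mid-upgrade. Prefer to fail here: on rmdir failure move the file back to `$ORIGCONFFILE`, print why (the directory must be emptied by hand), and `exit 1` so dpkg aborts before unpack and the postrm abort path is not needed. The md5 comparison mirrors dpkg-maintscript-helper's prepare_mv_conffile, and querying `${Conffiles}` in preinst is right since it still reflects the old package's list; the `\'^ $ORIGCONFFILE '` sed address works under dash as the `'` delimiter is inside a double-quoted string.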

unblock qemu/1:3.1+dfsg-7

-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-debug'), (500, 'oldstable'), (199, 
'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), 
LANGUAGE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Unblocked qemu.

--- End Message ---
