Hello Moritz, 

I prepared a qemu build months back fixing the CVEs pending at that time. I 
have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your 
diff and backported a fix for a new CVE, fixing a total of ~35 CVEs. 

I've tested on my setup and it seems fine. Could you please test with the 
latest build [1]?

Debdiff attached.



--abhiijith

1 - 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc 
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog      2020-07-24 17:30:34.000000000 +0530
+++ qemu-3.1+dfsg/debian/changelog      2022-07-02 18:06:35.000000000 +0530
@@ -1,3 +1,18 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084
+    CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
+    CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129
+    CVE-2020-29443 CVE-2021-3392 CVE-2021-3416 CVE-2021-3507
+    CVE-2021-3527 CVE-2021-3582 CVE-2021-3607 CVE-2021-3608
+    CVE-2021-3682 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930
+    CVE-2021-4206 CVE-2021-4207 CVE-2021-20181 CVE-2021-20196
+    CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2022-26354
+    CVE-2020-35504 CVE-2020-35505 CVE-2022-35414
+    
+ -- Abhijith PA <abhij...@debian.org>  Sat, 02 Jul 2022 18:06:35 +0530
+
 qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
 
   * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   1970-01-01 
05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   2022-07-02 
18:06:35.000000000 +0530
@@ -0,0 +1,28 @@
+Description: CVE-2020-35504
+Author: Abhijith PA <abhij...@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         return;
+     }
++    if (!s->current_req) {
++        return;
++    }
+     if (s->async_len == 0) {
+         /* Defer until data is available.  */
+         return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+     } else {
+         s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+     }
++
++    if (!s->current_req) {
++        return;
++    }
++
+     s->dma_left -= len;
+     s->async_buf += len;
+     s->async_len -= len;
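Review bot: The DEP-3 header of the new patch file carries only `Description: CVE-2020-35504` and an `Author:` line, so nothing records which upstream change the two `current_req` guards in esp_do_dma() are derived from, which makes it hard to audit the backport against the fixed version. Add `Origin:` and `Bug:`/`Bug-Debian:` lines, and make the Description say what the change does, e.g. `Description: esp: return early from esp_do_dma() when current_req is NULL (CVE-2020-35504)`. The same applies to CVE-2020-35505.patch and CVE-2022-35414.patch. esp_do_dma() begins and ends outside this hunk, so whether the early returns leave any pending DMA state consistent cannot be judged from here and should be checked in the full function.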
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   1970-01-01 
05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   2022-07-02 
18:06:35.000000000 +0530
@@ -0,0 +1,18 @@
+Description: CVE-2020-35505
+Author: Abhijith PA <abhij...@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,11 @@ static void do_busid_cmd(ESPState *s, ui
+ 
+     trace_esp_do_busid_cmd(busid);
+     lun = busid & 7;
++
++     if (!s->current_dev) {
++        return;
++    }
++
+     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+     s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+     datalen = scsi_req_enqueue(s->current_req);
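Review bot: The added guard in do_busid_cmd() is indented with five spaces while its closing brace and the surrounding code use four, so the new lines do not follow the file's indentation; change the opening line to `    if (!s->current_dev) {`. The check itself sits directly before the `s->current_dev->id` dereference it protects, which is the right place. do_busid_cmd() continues outside the hunk.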
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 1970-01-01 
05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 2022-07-02 
18:06:35.000000000 +0530
@@ -0,0 +1,45 @@
+pochu: backport to 2.8
+
+From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <phi...@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hre...@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <phi...@redhat.com>
+Message-id: 20211124161536.631563-2-phi...@redhat.com
+Signed-off-by: John Snow <js...@redhat.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -55,6 +55,12 @@
+     } while (0)
+ 
+ 
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++    return blk_new(0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus                                      */
+ 
+@@ -538,7 +544,7 @@ static void floppy_drive_realize(DeviceS
+ 
+     if (!dev->conf.blk) {
+         /* Anonymous BlockBackend for an empty drive */
+-        dev->conf.blk = blk_new(0, BLK_PERM_ALL);
++        dev->conf.blk = blk_create_empty_drive();
+         ret = blk_attach_dev(dev->conf.blk, qdev);
+         assert(ret == 0);
+     }
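Review bot: The first line of the new patch file says `pochu: backport to 2.8`, but this debdiff targets qemu-3.1+dfsg and the hunk context (`blk_new(0, BLK_PERM_ALL)` with the two-argument signature) matches the 3.1 tree, so the note looks inherited from an older backport; change it to `backport to 3.1` or drop it so the header is not misleading. The remaining header is the upstream commit message, which is sufficient as the Origin reference for this file. floppy_drive_realize() continues outside the hunk.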
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch 
qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch   1970-01-01 
05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch   2022-07-02 
18:06:35.000000000 +0530
@@ -0,0 +1,40 @@
+Description: CVE-2022-35414
+Author: Abhijith PA <abhij...@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/exec.c
++++ qemu-3.1+dfsg/exec.c
+@@ -712,7 +712,7 @@ static void tcg_iommu_free_notifier_list
+ 
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+                                   hwaddr *xlat, hwaddr *plen,
+                                   MemTxAttrs attrs, int *prot)
+ {
+@@ -721,6 +721,7 @@ address_space_translate_for_iotlb(CPUSta
+     IOMMUMemoryRegionClass *imrc;
+     IOMMUTLBEntry iotlb;
+     int iommu_idx;
++    hwaddr addr = orig_addr;
+     AddressSpaceDispatch *d = 
atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+ 
+     for (;;) {
+@@ -764,6 +765,16 @@ address_space_translate_for_iotlb(CPUSta
+     return section;
+ 
+ translate_fail:
++    /*
++     * We should be given a page-aligned address -- certainly
++     * tlb_set_page_with_attrs() does so.  The page offset of xlat
++     * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++     * The page portion of xlat will be logged by memory_region_access_valid()
++     * when this memory access is rejected, so use the original untranslated
++     * physical address.
++     */
++    assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++    *xlat = orig_addr;
+     return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ #endif
diff -Nru qemu-3.1+dfsg/debian/patches/series 
qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2020-07-24 17:30:34.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/series 2022-07-02 18:06:35.000000000 +0530
@@ -77,7 +77,11 @@
 CVE-2021-4207.patch
 CVE-2021-20181.patch
 CVE-2021-20196-2.patch
+CVE-2021-20196-1.patch
 CVE-2021-20203.patch
 CVE-2021-20221.patch
 CVE-2021-20257.patch
 CVE-2022-26354.patch
+CVE-2020-35504.patch
+CVE-2020-35505.patch
+CVE-2022-35414.patch
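Review bot: CVE-2021-20196-1.patch is appended after CVE-2021-20196-2.patch, yet its own description says the extracted blk_create_empty_drive() is "re-used in the next commit", i.e. the -2 patch appears to depend on the helper introduced by -1. Unless -2 was already rewritten to not need the helper, applying them in this order will fail or produce a tree where the helper is defined but unused; moving `CVE-2021-20196-1.patch` to the line before `CVE-2021-20196-2.patch` and confirming `quilt push -a` applies and builds cleanly would settle it.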
