Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9

2022-08-22 Thread Abhijith PA
On 22/08/22 11:49 AM, Moritz Muehlenhoff wrote:
> On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote:
> > Hello Moritz, 
> > 
> > I've prepared a qemu build months back, fixing the CVEs that were pending then. I
> > have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your
> > diff and backported a fix for a new CVE, fixing a total of ~35 CVEs.
> > 
> > I've tested it on my setup and it seems fine. Can you please test with
> > the latest build[1].
> 
> I can't, the cluster in question is now running Bullseye (but it
> was running just fine with my original debdiff in a Ganeti/KVM/qemu
> setup).

ACK.


--a



Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9

2022-08-22 Thread Moritz Muehlenhoff
On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote:
> Hello Moritz, 
> 
> I've prepared a qemu build months back, fixing the CVEs that were pending then. I
> have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your
> diff and backported a fix for a new CVE, fixing a total of ~35 CVEs.
> 
> I've tested it on my setup and it seems fine. Can you please test with
> the latest build[1].

I can't, the cluster in question is now running Bullseye (but it
was running just fine with my original debdiff in a Ganeti/KVM/qemu
setup).

Cheers,
Moritz



Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9

2022-08-22 Thread Abhijith PA
Hello Moritz, 

I've prepared a qemu build months back, fixing the CVEs that were pending then. I
have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your
diff and backported a fix for a new CVE, fixing a total of ~35 CVEs.

I've tested it on my setup and it seems fine. Can you please test with
the latest build[1].

Debdiff attached.



--abhiijith

1 - 
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog  2020-07-24 17:30:34.0 +0530
+++ qemu-3.1+dfsg/debian/changelog  2022-07-02 18:06:35.0 +0530
@@ -1,3 +1,18 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster-security; urgency=medium
+
+  * Non-maintainer upload by the Security Team.
+  * Fix CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084
+CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
+CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129
+CVE-2020-29443 CVE-2021-3392 CVE-2021-3416 CVE-2021-3507
+CVE-2021-3527 CVE-2021-3582 CVE-2021-3607 CVE-2021-3608
+CVE-2021-3682 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930
+CVE-2021-4206 CVE-2021-4207 CVE-2021-20181 CVE-2021-20196
+CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2022-26354
+CVE-2020-35504 CVE-2020-35505 CVE-2022-35414
+
+ -- Abhijith PA   Sat, 02 Jul 2022 18:06:35 +0530
+
 qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
 
   * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   1970-01-01 
05:30:00.0 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   2022-07-02 
18:06:35.0 +0530
@@ -0,0 +1,28 @@
+Description: CVE-2020-35504
+Author: Abhijith PA 
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
 qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ return;
+ }
++if (!s->current_req) {
++return;
++}
+ if (s->async_len == 0) {
+ /* Defer until data is available.  */
+ return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+ } else {
+ s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+ }
++
++if (!s->current_req) {
++return;
++}
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
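Review bot: The header of this new patch file, `Description: CVE-2020-35504` / `Author: Abhijith PA`, records no upstream provenance, so nobody auditing the backport can compare it against the fix it was derived from; CVE-2020-35505.patch in the next file has the same bare header. The DEP-3 fields for this are `Origin: backport, <upstream commit id>` and `Bug-Debian: https://bugs.debian.org/979679` (the bug the other debdiff on this page closes for both CVEs). A one-line comment above the second `if (!s->current_req)` check would also help, since its purpose is not obvious from the hunk — presumably the preceding dma_memory_read/dma_memory_write can complete and clear the request, but those callbacks are outside the hunk, so confirm that against the upstream change before wording it. esp_do_dma starts and ends outside this hunk, and the archive has swallowed the inner patch's `+++` line, so the surrounding code cannot be fully reconstructed here.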
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   1970-01-01 
05:30:00.0 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   2022-07-02 
18:06:35.0 +0530
@@ -0,0 +1,18 @@
+Description: CVE-2020-35505
+Author: Abhijith PA 
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
 qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,11 @@ static void do_busid_cmd(ESPState *s, ui
+ 
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++
++ if (!s->current_dev) {
++return;
++}
++
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 1970-01-01 
05:30:00.0 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 2022-07-02 
18:06:35.0 +0530
@@ -0,0 +1,45 @@
+pochu: backport to 2.8
+
+From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz 
+Signed-off-by: Philippe Mathieu-Daudé 
+Message-id: 20211124161536.631563-2-phi...@redhat.com
+Signed-off-by: John Snow 
+---
+ hw/block/fdc.c | 9 +++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/hw/block/fdc.c
 b/hw/block/fdc.c
+@@ -55,6 +55,12 @@
+ } while (0)
+ 
+ 
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++return blk_new(0, BLK_PERM_ALL);
++}
++
+ //
+ /* qdev floppy bus  */
+ 
+@@ -538,7 +544,7 @@ static void floppy_drive_realize(DeviceS
+ 
+ if (!dev->conf.blk) {
+ /* Anonymous BlockBackend for an empty drive */
+-dev->conf.blk = blk_new(0, BLK_PERM_ALL);
++dev->conf.blk = blk_create_empty_drive()

Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9

2022-03-18 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: m...@tls.msk.ru

Various low-severity qemu issues, but since quite a few
of those have piled up, it makes sense to roll them into an
update. Debdiff below.

Cheers,
Moritz

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog  2020-07-24 14:00:34.0 +0200
+++ qemu-3.1+dfsg/debian/changelog  2022-02-15 18:53:24.0 +0100
@@ -1,3 +1,34 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium
+
+  * CVE-2021-3930
+  * CVE-2021-3748 (Closes: #993401)
+  * CVE-2021-3713 (Closes: #992727)
+  * CVE-2021-3682 (Closes: #991911)
+  * CVE-2021-3608 (Closes: #990563)
+  * CVE-2021-3607 (Closes: #990564)
+  * CVE-2021-3582 (Closes: #990565)
+  * CVE-2021-3527 (Closes: #988157)
+  * CVE-2021-3392 (Closes: #984449)
+  * CVE-2021-20257 (Closes: #984450)
+  * CVE-2021-20221
+  * CVE-2021-20203 (Closes: #984452)
+  * CVE-2021-20196 (Closes: #984453)
+  * CVE-2021-20181
+  * CVE-2020-35505 (Closes: #979679)
+  * CVE-2020-35504 (Closes: #979679)
+  * CVE-2020-27617 (Closes: #973324)
+  * CVE-2020-25723 (Closes: #975276)
+  * CVE-2020-25624 (Closes: #970541)
+  * CVE-2020-25625 (Closes: #970542)
+  * CVE-2020-25085 (Closes: #970540)
+  * CVE-2020-25084 (Closes: #970539)
+  * CVE-2020-15859 (Closes: #965978)
+  * CVE-2020-13253 (Closes: #961297)
+  * None of the slirp changes got backported to 3.1, if you use it you should
+really upgrade to the version of qemu in bullseye
+
+ -- Moritz Mühlenhoff   Tue, 15 Feb 2022 18:53:24 +0100
+
 qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
 
   * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch   1970-01-01 
01:00:00.0 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch   2022-02-01 
16:26:24.0 +0100
@@ -0,0 +1,80 @@
+790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253
+
+--- qemu-3.1+dfsg.orig/hw/sd/sd.c
 qemu-3.1+dfsg/hw/sd/sd.c
+@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S
+ case 17:  /* CMD17:  READ_SINGLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+-
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ 
+ default:
+@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S
+ case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+-
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+ 
+ default:
+@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S
+ /* Writing in SPI mode not implemented.  */
+ if (sd->spi)
+ break;
++
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ 
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ if (sd_wp_addr(sd, sd->data_start))
+ sd->card_status |= WP_VIOLATION;
+ if (sd->csd[14] & 0x30)
+@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S
+ /* Writing in SPI mode not implemented.  */
+ if (sd->spi)
+ break;
++
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+ 
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ if (sd_wp_addr(sd, sd->data_start))
+ sd->card_status |= WP_VIOLATION;
+ if (sd->csd[14] & 0x30)
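Review bot: The only provenance in this new patch file is its first line, `790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253`, and that identifier is 36 hex characters, so it looks truncated (a full SHA-1 has 40) — possibly by the mail archive, but it cannot be verified as it stands; please record it in full and in DEP-3 form, e.g. `Origin: backport, <full upstream commit id>` and `Bug-Debian: https://bugs.debian.org/961297` (the bug this debdiff's changelog closes for the CVE). The four relocated bound checks themselves read correctly: each now rejects an out-of-range block address and returns before the card state changes, whereas the removed lines set ADDRESS_ERROR only after the state had already become sending/receiving data. A short comment above the first new check, e.g. `/* reject the address before changing state so no data transfer starts */`, would save the next backporter from re-deriving why the order matters. sd_normal_command starts and ends outside this hunk.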
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch 
qemu-3.1+d