Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
On 22/08/22 11:49 AM, Moritz Muehlenhoff wrote: > On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote: > > Hello Moritz, > > > > I've prepared a qemu build months back fixing pending CVEs then. I > > have now took 2 patches (CVE-2020-35504, CVE-2020-35505) from your > > diff and backported a new CVE, fixing total of ~35 CVEs. > > > > I've tested on my setup and seems fine. Can you please test with > > latest build[1]. > > I can't, the cluster in question is now running Bullseye (but it > was running just fine with my original debdiff in a Ganeti/KVM/qemu > setup). ACK. --a
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
On Mon, Aug 22, 2022 at 02:50:41PM +0530, Abhijith PA wrote: > Hello Moritz, > > I've prepared a qemu build months back fixing pending CVEs then. I > have now took 2 patches (CVE-2020-35504, CVE-2020-35505) from your > diff and backported a new CVE, fixing total of ~35 CVEs. > > I've tested on my setup and seems fine. Can you please test with > latest build[1]. I can't, the cluster in question is now running Bullseye (but it was running just fine with my original debdiff in a Ganeti/KVM/qemu setup). Cheers, Moritz
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
Hello Moritz, I prepared a qemu build months back fixing the CVEs that were pending at that time. I have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your diff and backported the fix for a new CVE, fixing a total of ~35 CVEs. I've tested it on my setup and it seems fine. Can you please test with latest build[1]. Debdiff attached. --abhiijith 1 - https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog --- qemu-3.1+dfsg/debian/changelog 2020-07-24 17:30:34.0 +0530 +++ qemu-3.1+dfsg/debian/changelog 2022-07-02 18:06:35.0 +0530 @@ -1,3 +1,18 @@ +qemu (1:3.1+dfsg-8+deb10u9) buster-security; urgency=medium + + * Non-maintainer upload by the Security Team. + * Fix CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 +CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723 +CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129 +CVE-2020-29443 CVE-2021-3392 CVE-2021-3416 CVE-2021-3507 +CVE-2021-3527 CVE-2021-3582 CVE-2021-3607 CVE-2021-3608 +CVE-2021-3682 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930 +CVE-2021-4206 CVE-2021-4207 CVE-2021-20181 CVE-2021-20196 +CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2022-26354 +CVE-2020-35504 CVE-2020-35505 CVE-2022-35414 + + -- Abhijith PA Sat, 02 Jul 2022 18:06:35 +0530 + qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6 diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch --- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 1970-01-01 05:30:00.0 +0530 +++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 2022-07-02 18:06:35.0 +0530 
@@ -0,0 +1,28 @@
+Description: CVE-2020-35504
+Author: Abhijith PA
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ return;
+ }
++if (!s->current_req) {
++return;
++}
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+ } else {
+ s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+ }
++
++if (!s->current_req) {
++return;
++}
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 1970-01-01 05:30:00.0 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 2022-07-02 18:06:35.0 +0530
@@ -0,0 +1,18 @@
+Description: CVE-2020-35505
+Author: Abhijith PA
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,11 @@ static void do_busid_cmd(ESPState *s, ui
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++ + if (!s->current_dev) {
++return;
++}
++
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
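Review bot: The two `if (!s->current_req) { return; }` guards added to esp_do_dma say nothing about how current_req comes to be NULL on a DMA path, and the DEP-3 header above them has only `Description:`/`Author:` with no `Origin:` or `Bug:` field, so the next person touching this file cannot tell which upstream change it mirrors or why the check is repeated after the dma_memory_read/dma_memory_write call has already run. I would add `Origin: upstream, <commit>` and `Bug-Debian: https://bugs.debian.org/979679` (the bug the other debdiff in this thread closes for these two CVEs) to the header, put a comment on the first guard such as `/* The SCSI layer can drop current_req (request cancelled) while data is still queued; bail out rather than dereference it */`, and note on the second that the DMA callback itself may have caused that cancellation — presumably via the bus cancel path, which is not visible here. The second guard also returns before dma_left/async_buf/async_len are adjusted, so that transfer state is left as it was; whether it is reset before the next command cannot be confirmed from the hunk. esp_do_dma continues past the hunk.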
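Review bot: The new `if (!s->current_dev) { return; }` in do_busid_cmd drops the selection silently: the scsi_req_new/scsi_req_enqueue lines shown here and whatever completes the command after them (outside the hunk) are skipped, and nothing in the patch says this is the intended response rather than, say, reporting an error to the guest. A comment on the guard would make that explicit, e.g. `/* No target: current_dev was cleared (presumably when the SCSI layer cancelled the previous request), so ignore the command instead of dereferencing NULL */`, and as with the sibling patch the header should carry `Origin:` and `Bug:` fields rather than only a CVE id and author. This copy also renders the guard as `++ + if (!s->current_dev) {`, which looks like a marker lost in transit rather than something in the patch file, but it is worth confirming the patch applies cleanly with the stated line counts. do_busid_cmd continues past the hunk.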
@@ -0,0 +1,45 @@ +pochu: backport to 2.8 + +From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= +Date: Wed, 24 Nov 2021 17:15:34 +0100 +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +We are going to re-use this code in the next commit, +so extract it as a new blk_create_empty_drive() function. + +Inspired-by: Hanna Reitz +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20211124161536.631563-2-phi...@redhat.com +Signed-off-by: John Snow +--- + hw/block/fdc.c | 9 +++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/hw/block/fdc.c b/hw/block/fdc.c +@@ -55,6 +55,12 @@ + } while (0) + + ++/* Anonymous BlockBackend for empty drive */ ++static BlockBackend *blk_create_empty_drive(void) ++{ ++return blk_new(0, BLK_PERM_ALL); ++} ++ + // + /* qdev floppy bus */ + +@@ -538,7 +544,7 @@ static void floppy_drive_realize(DeviceS + + if (!dev->conf.blk) { + /* Anonymous BlockBackend for an empty drive */ +-dev->conf.blk = blk_new(0, BLK_PERM_ALL); ++dev->conf.blk = blk_create_empty_drive()
Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: m...@tls.msk.ru Various low severity qemu issues, but since quite a few of those have piled up, it makes sense to move to an update. Debdiff below. Cheers, Moritz diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog --- qemu-3.1+dfsg/debian/changelog 2020-07-24 14:00:34.0 +0200 +++ qemu-3.1+dfsg/debian/changelog 2022-02-15 18:53:24.0 +0100 @@ -1,3 +1,34 @@ +qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium + + * CVE-2021-3930 + * CVE-2021-3748 (Closes: #993401) + * CVE-2021-3713 (Closes: #992727) + * CVE-2021-3682 (Closes: #991911) + * CVE-2021-3608 (Closes: #990563) + * CVE-2021-3607 (Closes: #990564) + * CVE-2021-3582 (Closes: #990565) + * CVE-2021-3527 (Closes: #988157) + * CVE-2021-3392 (Closes: #984449) + * CVE-2021-20257 (Closes: #984450) + * CVE-2021-20221 + * CVE-2021-20203 (Closes: #984452) + * CVE-2021-20196 (Closes: #984453) + * CVE-2021-20181 + * CVE-2020-35505 (Closes: #979679) + * CVE-2020-35504 (Closes: #979679) + * CVE-2020-27617 (Closes: #973324) + * CVE-2020-25723 (Closes: #975276) + * CVE-2020-25624 (Closes: #970541) + * CVE-2020-25625 (Closes: #970542) + * CVE-2020-25085 (Closes: #970540) + * CVE-2020-25084 (Closes: #970539) + * CVE-2020-15859 (Closes: #965978) + * CVE-2020-13253 (Closes: #961297) + * None of the slirp changes got backported to 3.1, if you use it you should +really upgrade to the version of qemu in bullseye + + -- Moritz Mühlenhoff Tue, 15 Feb 2022 18:53:24 +0100 + qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6 diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch --- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 1970-01-01 01:00:00.0 +0100 +++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 2022-02-01 16:26:24.0 +0100 
@@ -0,0 +1,80 @@
+790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253
+
+--- qemu-3.1+dfsg.orig/hw/sd/sd.c qemu-3.1+dfsg/hw/sd/sd.c
+@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S
+ case 17: /* CMD17: READ_SINGLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+-
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+
+ default:
+@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S
+ case 18: /* CMD18: READ_MULTIPLE_BLOCK */
+ switch (sd->state) {
+ case sd_transfer_state:
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_sendingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+-
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ return sd_r1;
+
+ default:
+@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S
+ /* Writing in SPI mode not implemented. */
+ if (sd->spi)
+ break;
++
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ if (sd_wp_addr(sd, sd->data_start))
+ sd->card_status |= WP_VIOLATION;
+ if (sd->csd[14] & 0x30)
+@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S
+ /* Writing in SPI mode not implemented. 
*/
+ if (sd->spi)
+ break;
++
++if (addr + sd->blk_len > sd->size) {
++sd->card_status |= ADDRESS_ERROR;
++return sd_r1;
++}
++
+ sd->state = sd_receivingdata_state;
+ sd->data_start = addr;
+ sd->data_offset = 0;
+ sd->blk_written = 0;
+
+-if (sd->data_start + sd->blk_len > sd->size)
+-sd->card_status |= ADDRESS_ERROR;
+ if (sd_wp_addr(sd, sd->data_start))
+ sd->card_status |= WP_VIOLATION;
+ if (sd->csd[14] & 0x30)
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch qemu-3.1+d
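Review bot: The patch header is a bare `790762e54871143415bffcec4cb3c022c3cd / CVE-2020-13253` line rather than DEP-3 fields, so neither tooling nor a reader can tell whether this is the upstream commit applied verbatim or a rework of it; I would write it as `Origin: upstream, 790762e54871143415bffcec4cb3c022c3cd` followed by a one-line `Description:` stating that the ADDRESS_ERROR check for CMD17/18/24/25 now runs before the card switches to sd_sendingdata_state/sd_receivingdata_state and returns sd_r1 immediately. For CMD24/25 that early return also means an out-of-range write no longer reaches the sd_wp_addr/WP_VIOLATION checks that the old code still ran, so the status bits a guest sees for that case change; presumably intended, but it deserves a sentence in the Description. The guard `if (addr + sd->blk_len > sd->size)` is repeated four times, which is acceptable for a backport that should stay close to upstream, but the hunks do not show how addr is derived, so whether the sum can wrap for a large addr has to be confirmed against the caller rather than assumed. sd_normal_command extends well beyond these hunks on both sides.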