
[debian-lts] qemu package



Hi all,

I would like to send the debdiff file of qemu for review.
This patch aims to fix CVE-2014-3689 and CVE-2014-3640.

For the packaging test, I followed the steps listed in:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#sanitycheck
Only one error occurs when running lintian: bad distribution squeeze-lts.

However, I cannot find test cases for these two CVEs, so please
test the update for me. I hope everything goes fine, since the vulnerable
code is small and easy to back-port.

A few notes for the announcement: Multiple vulnerabilities have been
found in qemu:

CVE-2014-3640: Sending a UDP packet with a 0 value in the source
port and address could trigger access to an uninitialized socket.

CVE-2014-3689: An unspecified parameter related to rectangle
handling could allow a guest user to write to qemu memory locations
and gain privileges.

Thanks and best regards
CongNT

--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================

diff -u qemu-0.12.5+dfsg/debian/changelog qemu-0.12.5+dfsg/debian/changelog
--- qemu-0.12.5+dfsg/debian/changelog
+++ qemu-0.12.5+dfsg/debian/changelog
@@ -1,3 +1,19 @@
+qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=low
+
+  * Non-maintainer upload by the Debian LTS team.
+  * Turn off hardware acceleration functions which lack of sanity
+    check. This fix problem reported in CVE-2014-3689.
+    Refer to: 
+    http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
+
+  * slirp: udp: fix NULL pointer dereference because of 
+    uninitialized socket. This fix problem reported in 
+    CVE-2014-3640.
+    Refer to:
+    https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Mon, 23 Mar 2015 13:25:32 +0700
+
 qemu (0.12.5+dfsg-3squeeze4) squeeze-security; urgency=high
 
   * fix guest-triggerable buffer overrun in virtio-net device
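Review bot: the new changelog entry never references the Debian bugs that the two patch headers cite (Bug-Debian: 762532 and 765496); add "(Closes: #762532)" to the CVE-2014-3640 bullet and "(Closes: #765496)" to the CVE-2014-3689 bullet so the bugs are closed when the upload is accepted. The wording "Turn off hardware acceleration functions which lack of sanity check. This fix problem reported in" should read "Turn off hardware acceleration functions which lack sanity checks. This fixes the problem reported in" (same for the second bullet), the "Refer to: ", "because of " and "reported in " lines carry trailing whitespace that lintian will flag, and the entry uses urgency=low while the preceding security upload (3squeeze4, squeeze-security) used urgency=high; consider matching it for a security fix.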
diff -u qemu-0.12.5+dfsg/debian/patches/series qemu-0.12.5+dfsg/debian/patches/series
--- qemu-0.12.5+dfsg/debian/patches/series
+++ qemu-0.12.5+dfsg/debian/patches/series
@@ -12,0 +13,2 @@
+CVE-2014-3640.patch
+CVE-2014-3689.patch
only in patch2:
unchanged:
--- qemu-0.12.5+dfsg.orig/debian/patches/CVE-2014-3640.patch
+++ qemu-0.12.5+dfsg/debian/patches/CVE-2014-3640.patch
@@ -0,0 +1,29 @@
+Description: Fix NUll pointer dereference because of uninitialized socket
+ When guest sends udp packet with source port and source addr 0,
+ uninitialized socket is picked up when looking for matching and already
+ created udp sockets, and later passed to sosendto() where NULL pointer
+ dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+ Fix this by checking that the socket is not just a socket stub.
+ This is CVE-2014-3640.
+Author: Petr Matousek <pmatouse@redhat.com>
+Origin: upstream, URL: https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
+Bug-Debian: 762532
+Applied-Upstream: https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a 
+Reviewed-by: 
+ Jan Kiszka <jan.kiszka@siemens.com>
+ Michael S. Tsirkin <mst@redhat.com>
+ Michael Tokarev <mjt@tls.msk.ru>
+Last-Update: 2015-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -141,7 +141,7 @@ udp_input(register struct mbuf *m, int i
+ 	 * Locate pcb for datagram.
+ 	 */
+ 	so = slirp->udp_last_so;
+-	if (so->so_lport != uh->uh_sport ||
++	if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+ 	    so->so_laddr.s_addr != ip->ip_src.s_addr) {
+ 		struct socket *tmp;
+ 
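Review bot: the guard is placed correctly, ahead of the field comparisons, so the fast path can no longer trust a cache that still points at the list-head sentinel `&slirp->udb`, whose zeroed port and address fields are exactly what a datagram with source port 0 and source address 0 would match; this is the upstream check unchanged. Header nits: "NUll" in the Description should be "NULL", DEP-3 writes the origin as `Origin: upstream, https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a` without a "URL:" label, and the Applied-Upstream line has a trailing space. Since the cover mail says no test case was found, it would help the tester to state in the header the trigger the Description already describes (a guest sending a UDP packet with source port 0 and source address 0 through user-mode networking) as the thing to reproduce before and after the patch.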
only in patch2:
unchanged:
--- qemu-0.12.5+dfsg.orig/debian/patches/CVE-2014-3689.patch
+++ qemu-0.12.5+dfsg/debian/patches/CVE-2014-3689.patch
@@ -0,0 +1,22 @@
+Description: Compile out the hardware acceleration functions
+ Hardware acceleration functions which lack sanity checks have
+ been compiled out.
+Author: Gerd Hoffmann <kraxel@redhat.com>
+Origin: upstream<URL:http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc>
+Bug-Debian: 765496
+Last-Update: 2015-03-23
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/hw/vmware_vga.c
++++ b/hw/vmware_vga.c
+@@ -29,8 +29,10 @@
+ 
+ #define VERBOSE
+ #undef DIRECT_VRAM
++#if 0
+ #define HW_RECT_ACCEL
+ #define HW_FILL_ACCEL
++#endif
+ #define HW_MOUSE_ACCEL
+ 
+ # include "vga_int.h"
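Review bot: the Description should say which functions are compiled out and what the guest loses: the hunk wraps only HW_RECT_ACCEL and HW_FILL_ACCEL in `#if 0`, so the accelerated rectangle copy and fill paths are removed while HW_MOUSE_ACCEL stays enabled; spell that out in the header and in the announcement text, since the change is a deliberate functional regression for guests using the vmware-vga device rather than a bounds check. The DEP-3 header also needs cleanup: `Origin: upstream<URL:http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc>` should be `Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc`, and an Applied-Upstream field is missing, unlike the CVE-2014-3640 patch.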
Format: 1.8
Date: Mon, 23 Mar 2015 13:25:32 +0700
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils libqemu-dev
Architecture: source all i386
Version: 0.12.5+dfsg-3squeeze5
Distribution: squeeze-lts
Urgency: low
Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
Changed-By: Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>
Description: 
 libqemu-dev - static libraries and headers for QEMU
 qemu       - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Changes: 
 qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=low
 .
   * Non-maintainer upload by the Debian LTS team.
   * Turn off hardware acceleration functions which lack of sanity
     check. This fix problem reported in CVE-2014-3689.
     Refer to:
     http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
 .
   * slirp: udp: fix NULL pointer dereference because of
     uninitialized socket. This fix problem reported in
     CVE-2014-3640.
     Refer to:
     https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
Checksums-Sha1: 
 9f414fe2f78afab88c73b3fbd4893269a5f4d58a 1772 qemu_0.12.5+dfsg-3squeeze5.dsc
 d59a4b0eeacb926ddf4f52f172239dd997ef97a5 49305 qemu_0.12.5+dfsg-3squeeze5.diff.gz
 e65c66079a3888e51d97cfc7bb3e95ba7d4ec89b 49516 qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 eff2593824f99efd8ab3b733a9d79765ef76ff06 106578 qemu_0.12.5+dfsg-3squeeze5_i386.deb
 e728ed2081a0deb1c53232194c1b6d7f6d320b53 12292366 qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 70c09f197b42382613473630e835df42ce28564b 4205896 qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 43e631f74963fe87be12867d55a8702a0149f322 8911772 qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 57a1ce391d39c7ceff2e47b84277da4a9d89accf 367936 qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 d42be63c5aec90260210b3cc9018297c6230781b 5020566 libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
Checksums-Sha256: 
 cba3413af6d9c18c187e0258bae6569ea19c19e4d994fdf879e435d319d0b480 1772 qemu_0.12.5+dfsg-3squeeze5.dsc
 c3c1c78803ef7bea7f80b8fe139c5e2fb137db35f733b6b57a3dcd113555c78b 49305 qemu_0.12.5+dfsg-3squeeze5.diff.gz
 b2e5ac195f2ac794f59091e2d5c3eeb49631b5d2fa631c7953b831b53a74f0d1 49516 qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 8821e5b4cbf128e0df32042df3859b25db3fb55ec1872dbd570e15785303a4cf 106578 qemu_0.12.5+dfsg-3squeeze5_i386.deb
 a3cd06b2cd4d63414e8e744cd5ea908422da83f45468b2de79245b71072c1e3b 12292366 qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 e4c70a35675e5e62aadf5847450c5557680dc915cb60a73aff0d72453b75d659 4205896 qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 211d4785ed5c4c1a89d27067f8b19c37d272c60e6e65f88a365eedd961a8a619 8911772 qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 7f3e14b6f1c21b41260c28332ee4b888b5e1ca9a692dd595206d55067e678c91 367936 qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 b8cf5c9981a4ac94d485709c6bf4a1b4214f23477ba6f3114b96c39c0e11c2f3 5020566 libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
Files: 
 808591c5839342bffd19d4df19ebf3ca 1772 misc optional qemu_0.12.5+dfsg-3squeeze5.dsc
 adf587d57f58e07a936555511c8290e6 49305 misc optional qemu_0.12.5+dfsg-3squeeze5.diff.gz
 ee53d7e14b7cc81172f83ab86f2629ff 49516 misc optional qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 09ea3d131493abab9328a20716be8c12 106578 misc optional qemu_0.12.5+dfsg-3squeeze5_i386.deb
 3f3bdf8cc4b03a3d92e57a4f9c00a8bf 12292366 misc optional qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 34f4a96899a7aa25cdfd7232ea635f7e 4205896 misc optional qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 fd4fc5037e5d01f60d1a1e537c3c6667 8911772 misc optional qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 69f4896b3f34272a97db19381fdb22fc 367936 misc optional qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 6cfaadea24f005fe3b6d28d31086eb3c 5020566 libdevel optional libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
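The CVE-2014-3640 mechanism described in the patch header, reduced to a small C model. This is an added example, not QEMU's or slirp's code; it assumes, as the `so == &slirp->udb` check in the hunk implies, that `udp_last_so` starts out pointing at the list-head sentinel `udb`, whose port/address fields are zero and whose `slirp` back-pointer is NULL. The struct layouts, `socreate()` and `sosendto_check()` are simplified stand-ins for the real slirp functions, and the vulnerable and fixed lookups are selected with a flag so both can be run side by side.

```c
/* Model of slirp's udp_input() fast-path cache (added example, not QEMU's
 * code). Names mirror slirp/udp.c (udb, udp_last_so, so_lport, so_laddr),
 * but the structures are reduced to what the bug needs. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct slirp;

struct socket {
    struct socket *so_next, *so_prev;   /* circular list; udb is the head */
    struct slirp *slirp;                /* NULL on the list-head sentinel */
    uint16_t so_lport;                  /* guest source port */
    uint32_t so_laddr;                  /* guest source address */
};

struct slirp {
    struct socket udb;          /* list-head sentinel, not a real socket */
    struct socket *udp_last_so; /* one-entry lookup cache, starts at &udb (assumed) */
    uint32_t vnetwork_mask;     /* the field sosendto() reads via so->slirp */
};

static void slirp_init(struct slirp *s)
{
    memset(s, 0, sizeof *s);            /* udb's port/addr fields are now 0 */
    s->udb.so_next = s->udb.so_prev = &s->udb;
    s->udp_last_so = &s->udb;           /* cache points at the sentinel */
    s->vnetwork_mask = 0xffffff00u;
}

/* Allocate a real socket and link it directly after the head. */
static struct socket *socreate(struct slirp *s, uint16_t lport, uint32_t laddr)
{
    struct socket *so = calloc(1, sizeof *so);
    so->slirp = s;
    so->so_lport = lport;
    so->so_laddr = laddr;
    so->so_next = s->udb.so_next;
    so->so_prev = &s->udb;
    s->udb.so_next->so_prev = so;
    s->udb.so_next = so;
    return so;
}

/* Locate the pcb for a datagram, mirroring udp_input(). With fixed == 0 the
 * cache is trusted whenever its port/address fields match, so a datagram with
 * sport == 0 and saddr == 0 matches the zeroed sentinel. With fixed == 1 the
 * sentinel is rejected first (the CVE-2014-3640 change). */
static struct socket *udp_lookup(struct slirp *s, uint16_t sport,
                                 uint32_t saddr, int fixed)
{
    struct socket *so = s->udp_last_so;
    if ((fixed && so == &s->udb) ||
        so->so_lport != sport || so->so_laddr != saddr) {
        struct socket *tmp;
        for (tmp = s->udb.so_next; tmp != &s->udb; tmp = tmp->so_next) {
            if (tmp->so_lport == sport && tmp->so_laddr == saddr) {
                break;
            }
        }
        if (tmp == &s->udb) {
            tmp = socreate(s, sport, saddr);   /* no match: new socket */
        }
        so = tmp;
        s->udp_last_so = so;
    }
    return so;
}

/* First thing sosendto() does is reach through so->slirp. Return -1 instead
 * of dereferencing NULL so the failure is observable rather than a crash. */
static int sosendto_check(const struct socket *so)
{
    if (so->slirp == NULL) {
        return -1;  /* real code would fault on so->slirp->vnetwork_mask */
    }
    return so->slirp->vnetwork_mask != 0;
}

/* 1 if a fresh instance hands a port-0/address-0 datagram to the sentinel. */
int vulnerable_hits_stub(void)
{
    struct slirp s;
    slirp_init(&s);
    struct socket *so = udp_lookup(&s, 0, 0, 0);
    return so == &s.udb && sosendto_check(so) == -1;
}

/* 1 if the fixed lookup creates a real socket for the same datagram instead. */
int fixed_creates_socket(void)
{
    struct slirp s;
    slirp_init(&s);
    struct socket *so = udp_lookup(&s, 0, 0, 1);
    int ok = so != &s.udb && so->slirp == &s && sosendto_check(so) == 1 &&
             s.udp_last_so == so;
    free(so);
    return ok;
}

int main(void)
{
    printf("vulnerable lookup returns sentinel: %d\n", vulnerable_hits_stub());
    printf("fixed lookup creates real socket:   %d\n", fixed_creates_socket());
    return 0;
}
```

The point the model makes is that the sentinel is a perfectly valid object to read from (so the comparisons in the fast path never fault); the crash only comes later, when a function that assumes a real socket follows the NULL back-pointer. Any cache that is seeded with a list head rather than NULL needs the identity check before the field comparison, which is exactly what the one-line upstream fix adds.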