Bug#926441: unblock: qemu/1:3.1+dfsg-7
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package qemu

The version currently in -unstable fixes 2 security issues
(CVE-2019-9824 and CVE-2018-20815), patches taken from
upstream, and fixes a mistake in the previous version of
one of the binary packages (qemu-guest-agent): we misplaced
a new config file, putting it in a subdir (/etc/qemu/fsfreeze-hook/
instead of /etc/qemu/fsfreeze-hook). This last issue required
some work to fix it and move the file into its proper place. All
the various corner cases of this, including when the user modified
that file locally _and_ fixed its location too, were tested and
all works ok. This is an Ubuntu bug (LP: #1820291) which slipped into
Debian too.

Here's the debdiff against 1:3.1+dfsg-5 currently in testing:
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog	2019-03-11 14:30:44.000000000 +0300
+++ qemu-3.1+dfsg/debian/changelog	2019-03-27 14:24:06.000000000 +0300
@@ -1,3 +1,26 @@
+qemu (1:3.1+dfsg-7) unstable; urgency=high
+
+  [ Michael Tokarev ]
+  * device_tree-don-t-use-load_image-CVE-2018-20815.patch
+    fix heap buffer overflow while loading device tree blob
+    (Closes: CVE-2018-20815)
+
+  [ Christian Ehrhardt ]
+  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
+   - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
+   - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
+     mv_conffile since the new path is a directory in the old package
+     version which can not be handled by mv_conffile.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 27 Mar 2019 14:24:06 +0300
+
+qemu (1:3.1+dfsg-6) unstable; urgency=high
+
+  * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+    fix information leakage in slirp code (Closes: CVE-2019-9824)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 18 Mar 2019 14:41:51 +0300
+
 qemu (1:3.1+dfsg-5) unstable; urgency=high
 
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
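Review bot: the changelog line `- d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for mv_conffile` names a prerm script, but the rest of this debdiff adds qemu-guest-agent.preinst, .postinst and .postrm and no prerm; the entry should read `d/qemu-guest-agent.{pre,post}inst, .postrm` (or list the three files) so the changelog matches what the package actually ships. The two security entries are fine as written; just note that `(Closes: CVE-...)` is informational only, since the BTS acts on `Closes: #NNNNNN` bug numbers, not CVE ids.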
diff -Nru qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
--- qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch	2019-03-27 14:16:54.000000000 +0300
@@ -0,0 +1,35 @@
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: device_tree.c: Don't use load_image() (CVE-2018-20815)
+Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f66..296278e12ae 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+     /* First allocate space in qemu for device tree */
+     fdt = g_malloc0(dt_size);
+ 
+-    dt_file_load_size = load_image(filename_path, fdt);
++    dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+     if (dt_file_load_size < 0) {
+         error_report("Unable to open device tree file '%s'",
+                      filename_path);
+-- 
+2.11.0
+
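Review bot: after the switch to `load_image_size(filename_path, fdt, dt_size)` the only check that follows is `if (dt_file_load_size < 0)`, which only catches a failure to open the file. The read is now bounded by `dt_size`, the same value passed to `g_malloc0(dt_size)`, so the heap overflow is closed, but a file that is larger than `dt_size` at read time (however `dt_size` was computed before this hunk) is read only up to that bound and the truncation goes unreported, with the error text "Unable to open device tree file" not covering that case. A follow-up that compares `dt_file_load_size` against the size the buffer was sized for, or validates the blob header after the read, would make a truncated blob visible instead of handing it on to the FDT code. As a minimal backport of the upstream one-line fix this is the right change; the remark is about the residual diagnostic, not the overflow.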
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series	2019-03-11 14:30:08.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/series	2019-03-27 14:16:54.000000000 +0300
@@ -7,3 +7,5 @@
 scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
 slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 i2c-ddc-fix-oob-read-CVE-2019-3812.patch
+slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+device_tree-don-t-use-load_image-CVE-2018-20815.patch
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
--- qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch	2019-03-18 14:41:28.000000000 +0300
@@ -0,0 +1,49 @@
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Thu,  7 Mar 2019 12:51:34 +0100
+Message-Id: <20190307115143.780-5-samuel.thibault@ens-lyon.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Subject: slirp: check sscanf result when emulating ident (CVE-2019-9824)
+
+From: William Bowling <will@wbowling.info>
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 262a42d6c8..ef9d99c154 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 							break;
+ 						}
+ 					}
++					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++								 so_rcv->sb_datalen,
++								 "%d,%d\r\n", n1, n2);
++					so_rcv->sb_rptr = so_rcv->sb_data;
++					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-				so_rcv->sb_rptr = so_rcv->sb_data;
+-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 			}
+ 			m_free(m);
+ 			return 0;
+-- 
+2.20.1
+
+
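Review bot: consider also zero-initialising `n1` and `n2` at their declaration in tcp_emu(); moving the `snprintf(so_rcv->sb_data, so_rcv->sb_datalen, "%d,%d\r\n", n1, n2)` reply and the `sb_rptr`/`sb_wptr` updates inside the `if (sscanf(...))` branch is what stops uninitialised stack contents from being sent back, and an initialiser would keep that property if the block is ever moved again. Two style points on the hunk: the re-added lines use tabs where the removed lines were space-indented, which matches the surrounding tab-indented block and is fine, and the patch file ends with two blank lines after the `2.20.1` trailer, which `quilt refresh` would drop.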
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.install qemu-3.1+dfsg/debian/qemu-guest-agent.install
--- qemu-3.1+dfsg/debian/qemu-guest-agent.install	2019-02-06 14:35:32.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.install	2019-03-27 14:21:20.000000000 +0300
@@ -3,4 +3,4 @@
 debian/tmp/usr/share/man/man7/qemu-ga-ref.7 /usr/share/man/man7
 debian/tmp/usr/share/doc/qemu/qemu-ga-ref.* /usr/share/doc/qemu-guest-agent
 qga/qapi-schema.json /usr/share/doc/qemu-guest-agent
-scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/fsfreeze-hook
+scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/
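Review bot: the new destination `/etc/qemu/` is what makes dh_install place the script as the file `/etc/qemu/fsfreeze-hook`; the removed line gave `/etc/qemu/fsfreeze-hook` as the destination, which dh_install treats as a directory to install into, producing the nested `/etc/qemu/fsfreeze-hook/fsfreeze-hook` that the maintainer scripts in this debdiff now have to undo. Since the old package registered that nested path as a conffile, dpkg will keep it in its Conffiles list marked obsolete after the upgrade; worth checking with `dpkg-query -W -f='${Conffiles}' qemu-guest-agent` on an upgraded system, which is also why the preinst's sed expression strips a trailing ` obsolete`.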
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postinst qemu-3.1+dfsg/debian/qemu-guest-agent.postinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postinst	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postinst	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,59 @@
+#!/bin/sh
+# postinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    configure)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            rm -f "$TMPCONFFILE.dpkg-remove"
+            if [ -e "$TMPCONFFILE" ]; then
+                echo "Preserving user changes to $NEWCONFFILE (renamed from $ORIGCONFFILE)..."
+                if [ -e "$NEWCONFFILE" ]; then
+                    mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
+                fi
+                mv -f "$TMPCONFFILE" "$NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+exit 0
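Review bot: the `configure` arm parks the freshly unpacked hook as `$NEWCONFFILE.dpkg-new` and puts the user's modified copy in its place, with only an `echo` to tell the admin; that mirrors dpkg-maintscript-helper's finish_mv_conffile behaviour, so the logic is sound, but the resulting `/etc/qemu/fsfreeze-hook.dpkg-new` is easy to miss, and a line in NEWS.Debian or README.Debian pointing at it would help admins who customised the hook. Two style points: the empty `configure)` arm in the first `case "$1"` and the second `case "$1"` block can be merged into one, and the comment's `LP: 1820291` should be `LP: #1820291` to match the changelog form.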
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postrm qemu-3.1+dfsg/debian/qemu-guest-agent.postrm
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postrm	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postrm	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,56 @@
+#!/bin/sh
+# postrm script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# If needed revert the move we have made in preinst to compensate the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    abort-install|abort-upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -e "$TMPCONFFILE.dpkg-remove" ]; then
+                echo "Reinstalling $ORIGCONFFILE that was moved away"
+                if [ -f "$NEWCONFFILE" ]; then
+                    rm -f "$NEWCONFFILE"
+                fi
+                mkdir -p "$NEWCONFFILE"
+                mv "$TMPCONFFILE.dpkg-remove" "$ORIGCONFFILE"
+            fi
+        fi
+esac
+
+exit 0
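Review bot: the revert in `abort-install|abort-upgrade)` only handles the unmodified case (`$TMPCONFFILE.dpkg-remove`); the preinst moves a locally modified hook to plain `$TMPCONFFILE` (`/etc/qemu/fsfreeze-hook.old`) and removes the directory, so on an aborted upgrade the reinstated old package is left with no `/etc/qemu/fsfreeze-hook/fsfreeze-hook` and the admin's edited copy sitting under the `.old` name. Add a second branch for that case, e.g. `elif [ -e "$TMPCONFFILE" ]; then mkdir -p "$NEWCONFFILE"; mv "$TMPCONFFILE" "$ORIGCONFFILE"; fi`, so both paths the preinst can take are undone. Minor: the arm has no `;;` before `esac`; POSIX sh accepts that for the last arm, but the preinst and postinst both terminate their arms with `;;`, so keep it consistent.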
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.preinst qemu-3.1+dfsg/debian/qemu-guest-agent.preinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.preinst	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.preinst	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,62 @@
+#!/bin/sh
+# preinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    install|upgrade)
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    install|upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -f "$ORIGCONFFILE" ]; then
+                disk_md5sum="$(md5sum "$ORIGCONFFILE" | sed -e 's/ .*//')"
+                pkg_md5sum="$(dpkg-query -W -f='${Conffiles}' "qemu-guest-agent" | \
+                    sed -n -e "\'^ $ORIGCONFFILE ' { s/ obsolete$//; s/.* //; p }")"
+                if [ "$disk_md5sum" = "$pkg_md5sum" ]; then
+                    # mark as having no custom content
+                    mv -f "$ORIGCONFFILE" "${TMPCONFFILE}.dpkg-remove"
+                else
+                    # keep the "old" name to reflect there is content to be preserved
+                    mv -f "$ORIGCONFFILE" "$TMPCONFFILE"
+                fi
+                # In any case the old directory blocking the new conffile
+                # has to be removed before unpack happens
+                rmdir "$NEWCONFFILE" || echo "failed to remove $NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
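Review bot: the `rmdir "$NEWCONFFILE"` sits inside `if [ -f "$ORIGCONFFILE" ]`, so when the admin has deleted the old conffile but the now-empty `/etc/qemu/fsfreeze-hook/` directory is still present, nothing removes the directory and, as the comment itself says, it then blocks the unpack of the new conffile. Guard the rmdir with `[ -d "$NEWCONFFILE" ]` independently of whether the file exists. Also, `rmdir ... || echo "failed to remove $NEWCONFFILE"` turns a failed rmdir (for example a directory the admin put other files into) into a message on stdout followed by `exit 0`, so `set -e` never triggers and the failure surfaces later from dpkg with a less helpful error; either print to stderr and `exit 1`, or at least state in the message that the upgrade is expected to fail. The conffile checksum lookup itself (`dpkg-query -W -f='${Conffiles}'` plus the sed over `^ $ORIGCONFFILE `) is the same as dpkg-maintscript-helper's and looks correct.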
unblock qemu/1:3.1+dfsg-7
-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-debug'), (500, 'oldstable'), (199, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), LANGUAGE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)