
Bug#926441: marked as done (unblock: qemu/1:3.1+dfsg-7)



Your message dated Fri, 05 Apr 2019 14:37:41 +0000
with message-id <E1hCPyP-0003n6-1K@respighi.debian.org>
and subject line unblock qemu
has caused the Debian Bug report #926441,
regarding unblock: qemu/1:3.1+dfsg-7
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926441
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package qemu

The version currently in -unstable fixes 2 security issues
(CVE-2019-9824 and CVE-2018-20815), patches taken from
upstream, and fixes a mistake in the previous version of
one of the binary packages (qemu-guest-agent) - we misplaced
a new config file, putting it in a subdir (/etc/qemu/fsfreeze-hook/
instead of /etc/qemu/fsfreeze-hook) -- this last issue required
some work fixing it and moving the file into the proper place. All
the various corner cases of this, including when the user modified
that file locally _and_ fixed its location too, were tested and
all works ok. This is an Ubuntu bug (LP: #1820291) which slipped into
Debian too.

Here's the debdiff against 1:3.1+dfsg-5 currently in testing:

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog	2019-03-11 14:30:44.000000000 +0300
+++ qemu-3.1+dfsg/debian/changelog	2019-03-27 14:24:06.000000000 +0300
@@ -1,3 +1,26 @@
+qemu (1:3.1+dfsg-7) unstable; urgency=high
+
+  [ Michael Tokarev ]
+  * device_tree-don-t-use-load_image-CVE-2018-20815.patch
+    fix heap buffer overflow while loading device tree blob
+    (Closes: CVE-2018-20815)
+
+  [ Christian Ehrhardt ]
+  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
+   - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
+   - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
+     mv_conffile since the new path is a directory in the old package
+     version which can not be handled by mv_conffile.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 27 Mar 2019 14:24:06 +0300
+
+qemu (1:3.1+dfsg-6) unstable; urgency=high
+
+  * slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+    fix information leakage in slirp code (Closes: CVE-2019-9824)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 18 Mar 2019 14:41:51 +0300
+
 qemu (1:3.1+dfsg-5) unstable; urgency=high
 
   * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
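Review bot: the second sub-item of the -7 entry names `d/qemu-guest-agent.pre{rm|inst}/.postrm`, which expands to prerm and preinst, but the files this debdiff adds are qemu-guest-agent.preinst, qemu-guest-agent.postinst and qemu-guest-agent.postrm; there is no prerm. Suggest `d/qemu-guest-agent.{preinst,postinst,postrm}: special handling for mv_conffile ...` so the changelog matches the scripts actually shipped.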
diff -Nru qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch
--- qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/device_tree-don-t-use-load_image-CVE-2018-20815.patch	2019-03-27 14:16:54.000000000 +0300
@@ -0,0 +1,35 @@
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: device_tree.c: Don't use load_image() (CVE-2018-20815)
+Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c9726f66..296278e12ae 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+     /* First allocate space in qemu for device tree */
+     fdt = g_malloc0(dt_size);
+ 
+-    dt_file_load_size = load_image(filename_path, fdt);
++    dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+     if (dt_file_load_size < 0) {
+         error_report("Unable to open device tree file '%s'",
+                      filename_path);
+-- 
+2.11.0
+
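Review bot: the error branch kept by the hunk still tests only `dt_file_load_size < 0`, which catches open/read failure but not a file that grew past dt_size between the size query and the read; if load_image_size() truncates at dt_size rather than failing in that case, the caller continues with a partial blob. Consider also treating a return value equal to dt_size as an error (the buffer is sized with headroom, so a full buffer means the file changed), and widening the message `Unable to open device tree file` to cover read failures, since the same branch now reports both.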
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series	2019-03-11 14:30:08.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/series	2019-03-27 14:16:54.000000000 +0300
@@ -7,3 +7,5 @@
 scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
 slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 i2c-ddc-fix-oob-read-CVE-2019-3812.patch
+slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
+device_tree-don-t-use-load_image-CVE-2018-20815.patch
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
--- qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/patches/slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch	2019-03-18 14:41:28.000000000 +0300
@@ -0,0 +1,49 @@
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Thu,  7 Mar 2019 12:51:34 +0100
+Message-Id: <20190307115143.780-5-samuel.thibault@ens-lyon.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Subject: slirp: check sscanf result when emulating ident (CVE-2019-9824)
+
+From: William Bowling <will@wbowling.info>
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 262a42d6c8..ef9d99c154 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 							break;
+ 						}
+ 					}
++					so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++								 so_rcv->sb_datalen,
++								 "%d,%d\r\n", n1, n2);
++					so_rcv->sb_rptr = so_rcv->sb_data;
++					so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-				so_rcv->sb_rptr = so_rcv->sb_data;
+-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 			}
+ 			m_free(m);
+ 			return 0;
+-- 
+2.20.1
+
+
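Review bot: with the snprintf block moved inside the `if (sscanf(...) == 2)` clause, a line that passes the strchr terminator check but does not parse now produces no reply at all and falls through to `m_free(m); return 0;`, so the malformed request is silently dropped. That is the safe outcome, but a one-line comment at the closing brace stating that a non-matching ident request is intentionally left unanswered would stop the next reader from seeing it as a missing else branch. Minor: the added lines are tab-indented while the removed ones were space-indented; the new form matches the surrounding code, so the whitespace change is welcome.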
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.install qemu-3.1+dfsg/debian/qemu-guest-agent.install
--- qemu-3.1+dfsg/debian/qemu-guest-agent.install	2019-02-06 14:35:32.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.install	2019-03-27 14:21:20.000000000 +0300
@@ -3,4 +3,4 @@
 debian/tmp/usr/share/man/man7/qemu-ga-ref.7 /usr/share/man/man7
 debian/tmp/usr/share/doc/qemu/qemu-ga-ref.* /usr/share/doc/qemu-guest-agent
 qga/qapi-schema.json /usr/share/doc/qemu-guest-agent
-scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/fsfreeze-hook
+scripts/qemu-guest-agent/fsfreeze-hook /etc/qemu/
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postinst qemu-3.1+dfsg/debian/qemu-guest-agent.postinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postinst	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postinst	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,59 @@
+#!/bin/sh
+# postinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    configure)
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    configure)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            rm -f "$TMPCONFFILE.dpkg-remove"
+            if [ -e "$TMPCONFFILE" ]; then
+                echo "Preserving user changes to $NEWCONFFILE (renamed from $ORIGCONFFILE)..."
+                if [ -e "$NEWCONFFILE" ]; then
+                    mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new"
+                fi
+                mv -f "$TMPCONFFILE" "$NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+exit 0
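Review bot: the trailing `case "$1" in configure)` block repeats the empty `configure)` arm of the first case statement; folding the conffile handling into a single case (keeping it after #DEBHELPER# if that ordering is deliberate) would make the script easier to follow. Also, when both `$TMPCONFFILE` and `$NEWCONFFILE` exist the packaged hook is renamed to `$NEWCONFFILE.dpkg-new`, but the echo only says the user copy is being preserved; extend the message to name the .dpkg-new file so the administrator knows where the new packaged version went and can merge it.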
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.postrm qemu-3.1+dfsg/debian/qemu-guest-agent.postrm
--- qemu-3.1+dfsg/debian/qemu-guest-agent.postrm	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.postrm	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,56 @@
+#!/bin/sh
+# postrm script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+# If needed revert the move we have made in preinst to compensate the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    abort-install|abort-upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -e "$TMPCONFFILE.dpkg-remove" ]; then
+                echo "Reinstalling $ORIGCONFFILE that was moved away"
+                if [ -f "$NEWCONFFILE" ]; then
+                    rm -f "$NEWCONFFILE"
+                fi
+                mkdir -p "$NEWCONFFILE"
+                mv "$TMPCONFFILE.dpkg-remove" "$ORIGCONFFILE"
+            fi
+        fi
+esac
+
+exit 0
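Review bot: the abort-install/abort-upgrade arm only reverts the `$TMPCONFFILE.dpkg-remove` case (hook unchanged from the package). When preinst found a locally modified hook it moved it to `$TMPCONFFILE` without the suffix, and on an aborted upgrade that copy is left at /etc/qemu/fsfreeze-hook.old with the old directory not recreated, so the guest agent's hook is missing until the admin notices. Add a matching `elif [ -e "$TMPCONFFILE" ]; then mkdir -p "$NEWCONFFILE"; mv "$TMPCONFFILE" "$ORIGCONFFILE"` branch. Minor: this arm has no `;;` before `esac`; legal for the last arm, but the other scripts in this diff include it.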
diff -Nru qemu-3.1+dfsg/debian/qemu-guest-agent.preinst qemu-3.1+dfsg/debian/qemu-guest-agent.preinst
--- qemu-3.1+dfsg/debian/qemu-guest-agent.preinst	1970-01-01 03:00:00.000000000 +0300
+++ qemu-3.1+dfsg/debian/qemu-guest-agent.preinst	2019-03-27 14:21:20.000000000 +0300
@@ -0,0 +1,62 @@
+#!/bin/sh
+# preinst script for qemu-guest-agent
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <new-preinst> `install'
+#        * <new-preinst> `install' <old-version>
+#        * <new-preinst> `upgrade' <old-version>
+#        * <old-preinst> `abort-upgrade' <new-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+    install|upgrade)
+    ;;
+
+    abort-upgrade)
+    ;;
+
+    *)
+        echo "preinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+# Normal mv_conffile alone would fail due to the new path being a DIR in the old package version (LP: 1820291)
+case "$1" in
+    install|upgrade)
+        # From /usr/bin/dpkg-maintscript-helper modified to be able to cope with this edge case
+        if [ -n "$2" ] && dpkg --compare-versions -- "$2" le-nl "1:3.1+dfsg-7~"; then
+            TMPCONFFILE="/etc/qemu/fsfreeze-hook.old"
+            NEWCONFFILE="/etc/qemu/fsfreeze-hook"
+            ORIGCONFFILE="/etc/qemu/fsfreeze-hook/fsfreeze-hook"
+            if [ -f "$ORIGCONFFILE" ]; then
+                disk_md5sum="$(md5sum "$ORIGCONFFILE" | sed -e 's/ .*//')"
+                pkg_md5sum="$(dpkg-query -W -f='${Conffiles}' "qemu-guest-agent" | \
+                    sed -n -e "\'^ $ORIGCONFFILE ' { s/ obsolete$//; s/.* //; p }")"
+                if [ "$disk_md5sum" = "$pkg_md5sum" ]; then
+                    # mark as having no custom content
+                    mv -f "$ORIGCONFFILE" "${TMPCONFFILE}.dpkg-remove"
+                else
+                    # keep the "old" name to reflect there is content to be preserved
+                    mv -f "$ORIGCONFFILE" "$TMPCONFFILE"
+                fi
+                # In any case the old directory blocking the new conffile
+                # has to be removed before unpack happens
+                rmdir "$NEWCONFFILE" || echo "failed to remove $NEWCONFFILE"
+            fi
+        fi
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
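Review bot: `rmdir "$NEWCONFFILE" || echo "failed to remove $NEWCONFFILE"` turns the one failure that matters into a message. If the old directory holds anything besides the conffile (an admin's extra hook, an editor backup), rmdir fails, the script still exits 0 under `set -e`, and dpkg's unpack then fails later with a far less helpful error when it tries to replace the directory with a file. Either list the leftover entries in the message and exit non-zero, or move them aside (for example into a `$NEWCONFFILE.dpkg-old` directory) before the rmdir. The md5sum check against `dpkg-query -W -f='${Conffiles}'` mirrors dpkg-maintscript-helper, which is the right reference for deciding whether the file carries local changes.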

unblock qemu/1:3.1+dfsg-7

-- System Information:
Debian Release: 9.8
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-debug'), (500, 'oldstable'), (199, 'testing'), (50, 'unstable'), (40, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), LANGUAGE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
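The check that the CVE-2019-9824 patch above restores, modelled as a stand-alone C function. This is an added example, not slirp's or the Debian package's code: `ident_reply`, its buffer handling and the sample request strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of slirp's ident emulation after the CVE-2019-9824 fix.
 * (Added example, not QEMU/slirp or Debian package code.)
 *
 * tcp_emu() buffers the client's request, checks with strchr() that a
 * line terminator has arrived, then parses "port , port" with sscanf().
 * Before the fix the reply was formatted even when sscanf() had matched
 * fewer than two fields, so n1/n2 went out uninitialised. The rule
 * demonstrated here: only use scanf-family outputs when the return
 * value says they were all assigned.
 */

/*
 * Build the "n1,n2\r\n" reply for one buffered ident request.
 * Returns the reply length, or -1 when no reply must be sent (request
 * incomplete, unparseable, or too long for out); on -1 the contents of
 * out are not a valid reply and must not be transmitted.
 */
int ident_reply(const char *req, char *out, size_t outlen)
{
    unsigned n1, n2;   /* left uninitialised on purpose, as in slirp */

    /* Terminator check, as in the original strchr() tests. */
    if (strchr(req, '\r') == NULL && strchr(req, '\n') == NULL) {
        return -1;     /* wait for more data */
    }

    /* The fix: n1/n2 are only valid if both conversions succeeded. */
    if (sscanf(req, "%u%*[ ,]%u", &n1, &n2) != 2) {
        return -1;     /* malformed request: do not echo stack contents */
    }

    int len = snprintf(out, outlen, "%u,%u\r\n", n1, n2);
    if (len < 0 || (size_t)len >= outlen) {
        return -1;     /* reply would be truncated */
    }
    return len;
}
```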
--- Begin Message ---
Unblocked qemu.

--- End Message ---
