Bug#1007931: buster-pu: package qemu/1:3.1+dfsg-8+deb10u9
Hello Moritz,
I've prepared a qemu build months back fixing the CVEs pending at the time. I
have now taken 2 patches (CVE-2020-35504, CVE-2020-35505) from your
diff and backported a fix for a new CVE, fixing a total of ~35 CVEs.
I've tested on my setup and seems fine. Can you please test with
latest build[1].
Debdiff attached.
--abhiijith
1 -
https://people.debian.org/~abhijith/upload/mruby/qemu_3.1+dfsg-8+deb10u9.dsc
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog 2020-07-24 17:30:34.000000000 +0530
+++ qemu-3.1+dfsg/debian/changelog 2022-07-02 18:06:35.000000000 +0530
@@ -1,3 +1,18 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster-security; urgency=medium
+
+ * Non-maintainer upload by the Security Team.
+ * Fix CVE-2020-13253 CVE-2020-15469 CVE-2020-15859 CVE-2020-25084
+ CVE-2020-25085 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
+ CVE-2020-27617 CVE-2020-27821 CVE-2020-28916 CVE-2020-29129
+ CVE-2020-29443 CVE-2021-3392 CVE-2021-3416 CVE-2021-3507
+ CVE-2021-3527 CVE-2021-3582 CVE-2021-3607 CVE-2021-3608
+ CVE-2021-3682 CVE-2021-3713 CVE-2021-3748 CVE-2021-3930
+ CVE-2021-4206 CVE-2021-4207 CVE-2021-20181 CVE-2021-20196
+ CVE-2021-20203 CVE-2021-20221 CVE-2021-20257 CVE-2022-26354
+ CVE-2020-35504 CVE-2020-35505 CVE-2022-35414
+
+ -- Abhijith PA <abhijith@debian.org> Sat, 02 Jul 2022 18:06:35 +0530
+
qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
* mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 1970-01-01 05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 2022-07-02 18:06:35.000000000 +0530
@@ -0,0 +1,28 @@
+Description: CVE-2020-35504
+Author: Abhijith PA <abhijith@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+ s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+ return;
+ }
++ if (!s->current_req) {
++ return;
++ }
+ if (s->async_len == 0) {
+ /* Defer until data is available. */
+ return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+ } else {
+ s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+ }
++
++ if (!s->current_req) {
++ return;
++ }
++
+ s->dma_left -= len;
+ s->async_buf += len;
+ s->async_len -= len;
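Review bot: The DEP-3 header of this patch carries only `Description: CVE-2020-35504` and `Author: Abhijith PA`, so the origin of the two added `if (!s->current_req) { return; }` guards in esp_do_dma cannot be traced from the package; the hunks appear to be a backport of an upstream fix rather than original work, and CVE-2020-35505.patch and CVE-2022-35414.patch in this debdiff have the same two-line header. Add `Origin: backport, <upstream commit URL>` (placeholder: fill in the upstream commit) and, where one exists, a `Bug:`/`Bug-Debian:` line, and credit the upstream author in `Author:` or `From:` so the security team can verify the backport against its source. The guards themselves are straightforward null checks; the body of esp_do_dma continues outside both hunks, so whether every later use of `s->current_req` in the function is covered cannot be confirmed from here.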
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 1970-01-01 05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 2022-07-02 18:06:35.000000000 +0530
@@ -0,0 +1,18 @@
+Description: CVE-2020-35505
+Author: Abhijith PA <abhijith@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,11 @@ static void do_busid_cmd(ESPState *s, ui
+
+ trace_esp_do_busid_cmd(busid);
+ lun = busid & 7;
++
++ if (!s->current_dev) {
++ return;
++ }
++
+ current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+ s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+ datalen = scsi_req_enqueue(s->current_req);
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 1970-01-01 05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20196-1.patch 2022-07-02 18:06:35.000000000 +0530
@@ -0,0 +1,45 @@
+pochu: backport to 2.8
+
+From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We are going to re-use this code in the next commit,
+so extract it as a new blk_create_empty_drive() function.
+
+Inspired-by: Hanna Reitz <hreitz@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20211124161536.631563-2-philmd@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -55,6 +55,12 @@
+ } while (0)
+
+
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++ return blk_new(0, BLK_PERM_ALL);
++}
++
+ /********************************************************/
+ /* qdev floppy bus */
+
+@@ -538,7 +544,7 @@ static void floppy_drive_realize(DeviceS
+
+ if (!dev->conf.blk) {
+ /* Anonymous BlockBackend for an empty drive */
+- dev->conf.blk = blk_new(0, BLK_PERM_ALL);
++ dev->conf.blk = blk_create_empty_drive();
+ ret = blk_attach_dev(dev->conf.blk, qdev);
+ assert(ret == 0);
+ }
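Review bot: The first header line, `pochu: backport to 2.8`, appears to be carried over from another release's backport (the package here is qemu 3.1), so it misdescribes the patch; replace it with a DEP-3 header such as `Origin: backport, upstream commit b154791e7b6d4ca5cdcd54443484d97360bd7ad2` and a note naming the release it was actually adapted for. The code change is behavior-preserving as far as the hunk shows: both the new helper and the replaced line call `blk_new(0, BLK_PERM_ALL)`. floppy_drive_realize starts and ends outside the second hunk.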
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch 1970-01-01 05:30:00.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/CVE-2022-35414.patch 2022-07-02 18:06:35.000000000 +0530
@@ -0,0 +1,40 @@
+Description: CVE-2022-35414
+Author: Abhijith PA <abhijith@debian.org>
+---
+
+--- qemu-3.1+dfsg.orig/exec.c
++++ qemu-3.1+dfsg/exec.c
+@@ -712,7 +712,7 @@ static void tcg_iommu_free_notifier_list
+
+ /* Called from RCU critical section */
+ MemoryRegionSection *
+-address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
++address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
+ hwaddr *xlat, hwaddr *plen,
+ MemTxAttrs attrs, int *prot)
+ {
+@@ -721,6 +721,7 @@ address_space_translate_for_iotlb(CPUSta
+ IOMMUMemoryRegionClass *imrc;
+ IOMMUTLBEntry iotlb;
+ int iommu_idx;
++ hwaddr addr = orig_addr;
+ AddressSpaceDispatch *d = atomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
+
+ for (;;) {
+@@ -764,6 +765,16 @@ address_space_translate_for_iotlb(CPUSta
+ return section;
+
+ translate_fail:
++ /*
++ * We should be given a page-aligned address -- certainly
++ * tlb_set_page_with_attrs() does so. The page offset of xlat
++ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
++ * The page portion of xlat will be logged by memory_region_access_valid()
++ * when this memory access is rejected, so use the original untranslated
++ * physical address.
++ */
++ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
++ *xlat = orig_addr;
+ return &d->map.sections[PHYS_SECTION_UNASSIGNED];
+ }
+ #endif
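Review bot: The new `assert((orig_addr & ~TARGET_PAGE_MASK) == 0);` on the translate_fail path turns any non-page-aligned caller into a process abort, and the justification in the comment (that tlb_set_page_with_attrs() always passes an aligned address) is upstream's statement about its own tree; the backporter should confirm that the callers of address_space_translate_for_iotlb in 3.1's exec.c also satisfy it, and record that check in the patch header. The renaming to `orig_addr` with a local `hwaddr addr = orig_addr;` looks correct for the visible lines, presumably because the for(;;) loop outside the hunk advances `addr` during translation, so `*xlat = orig_addr` deliberately reports the untranslated address; a one-line header note stating that would help the next reviewer. The function body between the hunks is outside this view.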
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2020-07-24 17:30:34.000000000 +0530
+++ qemu-3.1+dfsg/debian/patches/series 2022-07-02 18:06:35.000000000 +0530
@@ -77,7 +77,11 @@
CVE-2021-4207.patch
CVE-2021-20181.patch
CVE-2021-20196-2.patch
+CVE-2021-20196-1.patch
CVE-2021-20203.patch
CVE-2021-20221.patch
CVE-2021-20257.patch
CVE-2022-26354.patch
+CVE-2020-35504.patch
+CVE-2020-35505.patch
+CVE-2022-35414.patch
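Review bot: `CVE-2021-20196-1.patch` is inserted after the already-present `CVE-2021-20196-2.patch`, although its own commit message in this debdiff says the next commit re-uses the `blk_create_empty_drive()` it introduces; if CVE-2021-20196-2.patch calls that helper, quilt applies -2 against a tree that does not yet define it and the build fails. Move the new line above `CVE-2021-20196-2.patch` so the extraction precedes its user, or confirm that the -2 patch as shipped does not reference the helper.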