Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2015-05-20 23:51:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu"

Changes:
--------
--- /work/SRC/openSUSE:Factory/qemu/libcacard.changes 2015-05-15 07:44:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new/libcacard.changes 2015-05-20 23:51:48.000000000 +0200
@@ -1,0 +2,7 @@
+Thu May 14 17:21:21 UTC 2015 - [email protected]
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
+* Patches added:
+ 0041-fdc-force-the-fifo-access-to-be-in-.patch
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes 2015-05-15 07:44:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-linux-user.changes 2015-05-20 23:51:48.000000000 +0200
@@ -1,0 +2,7 @@
+Thu May 14 17:21:17 UTC 2015 - [email protected]
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
+* Patches added:
+ 0041-fdc-force-the-fifo-access-to-be-in-.patch
+
+-------------------------------------------------------------------
@@ -7,0 +15,5 @@
+
+-------------------------------------------------------------------
+Mon May 11 12:21:16 UTC 2015 - [email protected]
+
+- Limit %check to architectures prepared for it
--- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes 2015-05-15 07:44:23.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-testsuite.changes 2015-05-20 23:51:48.000000000 +0200
@@ -1,0 +2,7 @@
+Thu May 14 17:21:13 UTC 2015 - [email protected]
+
+- Fix CVE-2015-3456 (boo#929339)
+ 0041-fdc-force-the-fifo-access-to-be-in-.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.3
+
+-------------------------------------------------------------------
qemu.changes: same change

New:
----
0041-fdc-force-the-fifo-access-to-be-in-.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libcacard.spec ++++++
--- /var/tmp/diff_new_pack.8vazUp/_old 2015-05-20 23:51:50.000000000 +0200
+++ /var/tmp/diff_new_pack.8vazUp/_new 2015-05-20 23:51:50.000000000 +0200
@@ -65,6 +65,7 @@
 Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
 Patch0039: 0039-s390x-Fix-stoc-direction.patch
 Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
+Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
 # Please do not add patches manually here, run update_git.sh.
 # this is to make lint happy
 Source300: qemu-rpmlintrc
@@ -164,6 +165,7 @@
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
+%patch0041 -p1
 
 %build
 ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
++++++ qemu-linux-user.spec ++++++
--- /var/tmp/diff_new_pack.8vazUp/_old 2015-05-20 23:51:50.000000000 +0200
+++ /var/tmp/diff_new_pack.8vazUp/_new 2015-05-20 23:51:50.000000000 +0200
@@ -65,6 +65,7 @@
 Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
 Patch0039: 0039-s390x-Fix-stoc-direction.patch
 Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
+Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
 # Please do not add patches manually here, run update_git.sh.
 # this is to make lint happy
 Source300: qemu-rpmlintrc
@@ -158,6 +159,7 @@
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
+%patch0041 -p1
 
 %build
 ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
@@ -203,10 +205,12 @@
 %define qemu_arch s390x
 %endif
 
+%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
 %if 0%{?suse_version} >= 1310
 %check
 %{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
 %endif
+%endif
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
++++++ qemu-testsuite.spec ++++++
--- /var/tmp/diff_new_pack.8vazUp/_old 2015-05-20 23:51:50.000000000 +0200
+++ /var/tmp/diff_new_pack.8vazUp/_new 2015-05-20 23:51:50.000000000 +0200
@@ -96,6 +96,7 @@
 Patch0038: 0038-Revert-Revert-seccomp-tests-that-al.patch
 Patch0039: 0039-s390x-Fix-stoc-direction.patch
 Patch0040: 0040-s390x-Add-interlocked-access-facili.patch
+Patch0041: 0041-fdc-force-the-fifo-access-to-be-in-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -596,6 +597,7 @@
 %patch0038 -p1
 %patch0039 -p1
 %patch0040 -p1
+%patch0041 -p1
 
 %if %{build_x86_fw_from_source}
 pushd roms/seabios
qemu.spec: same change
++++++ 0041-fdc-force-the-fifo-access-to-be-in-.patch ++++++
>From 8ee1862533a1af5b18387662b262560fc336a08b Mon Sep 17 00:00:00 2001
From: Petr Matousek <[email protected]>
Date: Wed, 6 May 2015 09:48:59 +0200
Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

During processing of certain commands such as FD_CMD_READ_ID and FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could get out of bounds leading to memory corruption with values coming from the guest.

Fix this by making sure that the index is always bounded by the allocated memory.

This is CVE-2015-3456.

Signed-off-by: Petr Matousek <[email protected]>
Reviewed-by: John Snow <[email protected]>
Signed-off-by: John Snow <[email protected]>
(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
[AF: BOO#929339]
Signed-off-by: Andreas Färber <[email protected]>
---
 hw/block/fdc.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/hw/block/fdc.c b/hw/block/fdc.c
index 2bf87c9..a9de4ab 100644
--- a/hw/block/fdc.c
+++ b/hw/block/fdc.c
@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
 {
 FDrive *cur_drv;
 uint32_t retval = 0;
- int pos;
+ uint32_t pos;
 
 cur_drv = get_cur_drv(fdctrl);
 fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
 return 0;
 }
 pos = fdctrl->data_pos;
+ pos %= FD_SECTOR_LEN;
 if (fdctrl->msr & FD_MSR_NONDMA) {
- pos %= FD_SECTOR_LEN;
 if (pos == 0) {
 if (fdctrl->data_pos != 0)
 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
 {
 FDrive *cur_drv = get_cur_drv(fdctrl);
+ uint32_t pos;
 
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
+ pos = fdctrl->data_pos - 1;
+ pos %= FD_SECTOR_LEN;
+ if (fdctrl->fifo[pos] & 0x80) {
 /* Command parameters done */
- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+ if (fdctrl->fifo[pos] & 0x40) {
 fdctrl->fifo[0] = fdctrl->fifo[1];
 fdctrl->fifo[2] = 0;
 fdctrl->fifo[3] = 0;
@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 {
 FDrive *cur_drv;
- int pos;
+ uint32_t pos;
 
 /* Reset mode */
 if (!(fdctrl->dor & FD_DOR_nRESET)) {
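Review bot: In the fdctrl_handle_drive_specification_command hunk, `pos = fdctrl->data_pos - 1;` followed by `pos %= FD_SECTOR_LEN;` stays in bounds only by way of unsigned wrap-around when data_pos is 0: the subtraction yields UINT32_MAX and, for a power-of-two FD_SECTOR_LEN, the modulo lands on the last fifo slot, so a stale parameter byte is consumed instead of the inconsistent state being rejected. Whether data_pos can be 0 on entry is not visible from the hunk; if it cannot, a short comment such as `/* data_pos >= 1 here: at least one parameter byte was written */` documents the assumption, and if it can, an explicit `if (fdctrl->data_pos == 0) return;` ahead of the modulo is the cleaner fix. The same bounding idiom appears in the fdctrl_read_data hunk (@@ -1521) and in fdctrl_write_data (@@ -2019); it is only sound while FD_SECTOR_LEN equals the fifo's allocated size, an invariant that deserves a comment at the first use, e.g. `/* fifo holds exactly FD_SECTOR_LEN bytes; mask the guest-driven index */`, and ideally an assertion where the fifo is allocated, which is outside this patch. Both functions continue beyond their hunks.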
@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 }
 
 FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
- fdctrl->fifo[fdctrl->data_pos++] = value;
+ pos = fdctrl->data_pos++;
+ pos %= FD_SECTOR_LEN;
+ fdctrl->fifo[pos] = value;
 if (fdctrl->data_pos == fdctrl->data_len) {
 /* We now have all parameters
 * and will be able to treat the command
++++++ qemu-linux-user.spec.in ++++++
--- /var/tmp/diff_new_pack.8vazUp/_old 2015-05-20 23:51:50.000000000 +0200
+++ /var/tmp/diff_new_pack.8vazUp/_new 2015-05-20 23:51:50.000000000 +0200
@@ -125,10 +125,12 @@
 %define qemu_arch s390x
 %endif
 
+%ifarch %ix86 x86_64 %arm aarch64 ppc ppc64 ppc64le s390x
 %if 0%{?suse_version} >= 1310
 %check
 %{qemu_arch}-linux-user/qemu-%{qemu_arch} %_bindir/ls > /dev/null
 %endif
+%endif
 
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
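Review bot: The masking in the fdctrl_write_data hunk bounds only the fifo index; `fdctrl->data_pos++` still advances the raw counter without limit, so the `if (fdctrl->data_pos == fdctrl->data_len)` comparison immediately below it, and every other reader of data_pos, continue to see the unmasked value. That matches the read side of this patch, but nothing in the code states that the counter is deliberately left unbounded, and a later cleanup that reassigns data_pos from the masked value would silently change the data_len comparison. A comment on the new line, `pos %= FD_SECTOR_LEN; /* bound the fifo index only; data_pos itself is compared against data_len below */`, pins that intent. The body of fdctrl_write_data extends beyond the hunk in both directions.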
