Hello community,

here is the log from the commit of package qemu for openSUSE:Factory checked in at 2018-04-07 20:54:46
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qemu (Old)
 and /work/SRC/openSUSE:Factory/.qemu.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Sat Apr 7 20:54:46 2018 rev:138 rq:594022 version:2.11.1 Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes 2018-03-24 16:04:29.415051374 +0100 +++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-linux-user.changes 2018-04-07 20:54:53.071108544 +0200 @@ -1,0 +2,16 @@ +Thu Apr 5 21:33:40 UTC 2018 - brog...@suse.com + +- Be more specific about python version used in building package. + Other minor spec file tweaks. +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 +* Patches added: + 0080-vga-fix-region-calculation.patch + +------------------------------------------------------------------- +Thu Apr 5 18:18:59 UTC 2018 - l...@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 +* Patches added: + 0079-tpm-lookup-cancel-path-under-tpm-de.patch + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes 2018-03-24 16:04:30.775002349 +0100 +++ /work/SRC/openSUSE:Factory/.qemu.new/qemu-testsuite.changes 2018-04-07 20:54:53.631088276 +0200 
@@ -1,0 +2,14 @@ +Thu Apr 5 21:33:37 UTC 2018 - brog...@suse.com + +- Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604) + 0080-vga-fix-region-calculation.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11 + +------------------------------------------------------------------- +Thu Apr 5 18:18:57 UTC 2018 - l...@suse.com + +- Add new look up path "sys/class/tpm" for tpm cancel path based + on Linux 4.0 change (commit 313d21eeab9282e)(bsc#1070615) + 0079-tpm-lookup-cancel-path-under-tpm-de.patch + +------------------------------------------------------------------- qemu.changes: same change New: ---- 0079-tpm-lookup-cancel-path-under-tpm-de.patch 0080-vga-fix-region-calculation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu-linux-user.spec ++++++ --- /var/tmp/diff_new_pack.zdtxaw/_old 2018-04-07 20:54:56.302991569 +0200 +++ /var/tmp/diff_new_pack.zdtxaw/_new 2018-04-07 20:54:56.306991424 +0200 @@ -104,6 +104,8 @@ Patch0076: 0076-smbios-support-setting-OEM-strings-.patch Patch0077: 0077-smbios-Add-1-terminator-if-any-stri.patch Patch0078: 0078-Remove-problematic-evdev-86-key-fro.patch +Patch0079: 0079-tpm-lookup-cancel-path-under-tpm-de.patch +Patch0080: 0080-vga-fix-region-calculation.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -118,7 +120,11 @@ BuildRequires: libattr-devel-static BuildRequires: makeinfo BuildRequires: pcre-devel-static -BuildRequires: python +%if 0%{?suse_version} > 1320 +BuildRequires: python3-base +%else +BuildRequires: python-base +%endif BuildRequires: zlib-devel-static # we must not install the qemu-linux-user package when under QEMU build %if 0%{?qemu_user_space_build:1} @@ -211,6 +217,8 @@ %patch0076 -p1 %patch0077 -p1 %patch0078 -p1 +%patch0079 -p1 +%patch0080 -p1 %build ./configure \ 
@@ -222,7 +230,7 @@ %if 0%{?suse_version} > 1320 --python=%_bindir/python3 \ %else - --python=%_bindir/python \ + --python=%_bindir/python2 \ %endif --extra-cflags="%{optflags}" \ --disable-stack-protector \ @@ -326,9 +334,6 @@ install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir %fdupes -s %{buildroot} -%clean -rm -rf %{buildroot} - %files %defattr(-, root, root) %doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE ++++++ qemu-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.zdtxaw/_old 2018-04-07 20:54:56.326990700 +0200 +++ /var/tmp/diff_new_pack.zdtxaw/_new 2018-04-07 20:54:56.334990410 +0200 @@ -208,6 +208,8 @@ Patch0076: 0076-smbios-support-setting-OEM-strings-.patch Patch0077: 0077-smbios-Add-1-terminator-if-any-stri.patch Patch0078: 0078-Remove-problematic-evdev-86-key-fro.patch +Patch0079: 0079-tpm-lookup-cancel-path-under-tpm-de.patch +Patch0080: 0080-vga-fix-region-calculation.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -885,6 +887,8 @@ %patch0076 -p1 %patch0077 -p1 %patch0078 -p1 +%patch0079 -p1 +%patch0080 -p1 %if 0%{?suse_version} > 1320 %patch1000 -p1 qemu.spec: same change ++++++ 0079-tpm-lookup-cancel-path-under-tpm-de.patch ++++++ >From 9d1099c4ffea481aa803e9cc14a1419f902f52a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lur...@redhat.com> Date: Mon, 29 Jan 2018 19:33:04 +0100 Subject: [PATCH] tpm: lookup cancel path under tpm device class MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since Linux commit 313d21eeab9282e, tpm devices have their own device class "tpm" and the cancel path must be looked up under /sys/class/tpm/ instead of /sys/class/misc/. Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com> Reviewed-by: Stefan Berger <stef...@linux.vnet.ibm.com> 
Signed-off-by: Stefan Berger <stef...@linux.vnet.ibm.com> (cherry picked from commit 05b71fb207ab7f016e067bd2a40fc0804362eb74) [LY: BSC#1070615] Signed-off-by: Liang Yan <l...@suse.com> --- hw/tpm/tpm_passthrough.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/hw/tpm/tpm_passthrough.c b/hw/tpm/tpm_passthrough.c index c440aff4b2..01ecef99aa 100644 --- a/hw/tpm/tpm_passthrough.c +++ b/hw/tpm/tpm_passthrough.c @@ -206,7 +206,8 @@ static TPMVersion tpm_passthrough_get_tpm_version(TPMBackend *tb) * Unless path or file descriptor set has been provided by user, * determine the sysfs cancel file following kernel documentation * in Documentation/ABI/stable/sysfs-class-tpm. - * From /dev/tpm0 create /sys/class/misc/tpm0/device/cancel + * From /dev/tpm0 create /sys/class/tpm/tpm0/device/cancel + * before 4.0: /sys/class/misc/tpm0/device/cancel */ static int tpm_passthrough_open_sysfs_cancel(TPMPassthruState *tpm_pt) { @@ -226,9 +227,14 @@ static int tpm_passthrough_open_sysfs_cancel(TPMPassthruState *tpm_pt) dev = strrchr(tpm_pt->tpm_dev, '/'); if (dev) { dev++; - if (snprintf(path, sizeof(path), "/sys/class/misc/%s/device/cancel", + if (snprintf(path, sizeof(path), "/sys/class/tpm/%s/device/cancel", dev) < sizeof(path)) { fd = qemu_open(path, O_WRONLY); + if (fd < 0) { + if (snprintf(path, sizeof(path), "/sys/class/misc/%s/device/cancel", dev) < sizeof(path)) { + fd = qemu_open(path, O_WRONLY); + } + } if (fd >= 0) { tpm_pt->options->cancel_path = g_strdup(path); } else { ++++++ 0080-vga-fix-region-calculation.patch ++++++ >From e5bdf248c24feab41fc7b8245e37277f1ae60e3e Mon Sep 17 00:00:00 2001 
From: Gerd Hoffmann <kra...@redhat.com> Date: Fri, 9 Mar 2018 15:37:04 +0100 Subject: [PATCH] vga: fix region calculation Typically the scanline length and the line offset are identical. But in case they are not our calculation for region_end is incorrect. Using line_offset is fine for all scanlines, except the last one where we have to use the actual scanline length. Fixes: CVE-2018-7858 Reported-by: Ross Lagerwall <ross.lagerw...@citrix.com> Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Reviewed-by: Prasad J Pandit <p...@fedoraproject.org> Tested-by: Ross Lagerwall <ross.lagerw...@citrix.com> Message-id: 20180309143704.13420-1-kra...@redhat.com (cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d) [BR: BSC#1084604 CVE-2018-7858 (NOTE: Above CVE reference was modified by me, because it was incorrect)] Signed-off-by: Bruce Rogers <brog...@suse.com> --- hw/display/vga.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hw/display/vga.c b/hw/display/vga.c index d150a3a3eb..1fa66d597d 100644 --- a/hw/display/vga.c +++ b/hw/display/vga.c @@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) region_start = (s->start_addr * 4); region_end = region_start + (ram_addr_t)s->line_offset * height; + region_end += width * s->get_bpp(s) / 8; /* scanline length */ + region_end -= s->line_offset; if (region_end > s->vbe_size) { /* wraps around (can happen with cirrus vbe modes) */ region_start = 0; ++++++ qemu-linux-user.spec.in ++++++ --- /var/tmp/diff_new_pack.zdtxaw/_old 2018-04-07 20:54:56.802973472 +0200 +++ /var/tmp/diff_new_pack.zdtxaw/_new 2018-04-07 20:54:56.802973472 +0200 
@@ -41,7 +41,11 @@ BuildRequires: libattr-devel-static BuildRequires: makeinfo BuildRequires: pcre-devel-static -BuildRequires: python +%if 0%{?suse_version} > 1320 +BuildRequires: python3-base +%else +BuildRequires: python-base +%endif BuildRequires: zlib-devel-static # we must not install the qemu-linux-user package when under QEMU build %if 0%{?qemu_user_space_build:1} @@ -66,9 +70,9 @@ --libexecdir=%_libexecdir \ --localstatedir=%_localstatedir \ %if 0%{?suse_version} > 1320 - --python=%_bindir/python3 \ + --python=%_bindir/python3 \ %else - --python=%_bindir/python \ + --python=%_bindir/python2 \ %endif --extra-cflags="%{optflags}" \ --disable-stack-protector \ @@ -172,9 +176,6 @@ install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir %fdupes -s %{buildroot} -%clean -rm -rf %{buildroot} - %files %defattr(-, root, root) %doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE
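
Review bot: the qemu-linux-user.changes entries (hunk @@ -1,0 +2,16 @@) list 0080-vga-fix-region-calculation.patch and 0079-tpm-lookup-cancel-path-under-tpm-de.patch only under "Patches added", without the CVE-2018-7858 / bsc#1084604 and bsc#1070615 references that the qemu-testsuite.changes entries carry for the same patches. Someone searching this changelog for the CVE id will not find the fix; suggest repeating the "Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604)" line in this file as well, since Patch0080 is applied in qemu-linux-user.spec too.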
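
Review bot: in the %else branch of the configure hunk (@@ -222,7 +230,7 @@ in qemu-linux-user.spec, @@ -66,9 +70,9 @@ in qemu-linux-user.spec.in) the interpreter is now %_bindir/python2, while the matching BuildRequires hunk asks for python-base in that branch. Nothing in the diff shows that python-base guarantees that exact path, so a short spec comment saying which package provides %_bindir/python2 on suse_version <= 1320, or a file-based BuildRequires on the path itself, would keep the two hunks visibly in step.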
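
Review bot: in hunk @@ -226,9 +227,14 @@ of 0079-tpm-lookup-cancel-path-under-tpm-de.patch the fallback to /sys/class/misc/ is taken on any failure of the first qemu_open(), because the only test is "if (fd < 0) {". A failure that is not "file absent" (for example a permission problem on the /sys/class/tpm/ entry) is then hidden, and path is overwritten with the legacy name before the code that follows sees it. Suggest falling back only when errno is ENOENT. The duplicated snprintf() line is also well past 80 columns; a loop over the two class names ("tpm", "misc") would remove the duplication and keep both size checks identical.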
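
Review bot: in hunk @@ -1489,6 +1489,8 @@ of 0080-vga-fix-region-calculation.patch the added "region_end += width * s->get_bpp(s) / 8;" has no (ram_addr_t) cast, unlike the multiplication on the line above it, so the product is evaluated in whatever type width and get_bpp() have before it feeds the "region_end > s->vbe_size" bounds check. Suggest casting the first operand, and writing the whole calculation as one expression, region_start + (ram_addr_t)s->line_offset * (height - 1) + scanline length, with a comment that only the last line uses the real scanline length. The add-then-subtract form also assumes height is at least 1 at this point; the hunk shows no check for that, so please confirm it or add one.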