Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2020-09-03 01:10:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu"
Thu Sep 3 01:10:27 2020 rev:180 rq:831276 version:5.1.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2020-08-23 09:20:56.742677351 +0200
+++ /work/SRC/openSUSE:Factory/.qemu.new.3399/qemu.changes 2020-09-03 01:11:17.092409598 +0200
@@ -1,0 +2,31 @@
+Tue Sep 1 18:10:17 UTC 2020 - Bruce Rogers <[email protected]>
+
+- For SLE15-SP3, note that this update to v5.1.0 is a step towards
+  fulfilling jsc#SLE-13689, which asks for qemu v5.2.0 or higher
+
+-------------------------------------------------------------------
+Wed Aug 26 21:46:05 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Fix some shell syntax in update_git.sh, esp. an issue exposed by
+  the most recent patch added
+
+-------------------------------------------------------------------
+Tue Aug 25 22:42:27 UTC 2020 - Bruce Rogers <[email protected]>
+
+- Fix OOB access while processing USB packets (CVE-2020-14364
+  bsc#1175441)
+  usb-fix-setup_len-init-CVE-2020-14364.patch
+- Re-sync openSUSE and SUSE SLE qemu packages. This changes file
+  is the openSUSE one with this entry providing the intervening
+  SLE CVE, JIRA, and bugzilla references, which are still addressed
+  in this package, and not yet called out in this changes file.
+* CVE-2020-1983 CVE-2020-10761 CVE-2020-13361 CVE-2020-13362
+  CVE-2020-13659 CVE-2020-13800
+* bsc#1167816 bsc#1170940 boo#1171712 bsc#1172383 bsc#1172384
+  bsc#1172386 bsc#1172495 bsc#1172710
+* Patches dropped (SLE) (included in current release tarball):
+  exec-set-map-length-to-zero-when-returni.patch
+  i386-acpi-Remove-_HID-from-the-SMBus-ACP.patch
+  megasas-use-unsigned-type-for-reply_queu.patch
+
+-------------------------------------------------------------------
New:
----
  usb-fix-setup_len-init-CVE-2020-14364.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ qemu.spec ++++++
--- /var/tmp/diff_new_pack.BmJeLA/_old 2020-09-03 01:11:23.532411745 +0200
+++ /var/tmp/diff_new_pack.BmJeLA/_new 2020-09-03 01:11:23.540411748 +0200
@@ -183,6 +183,7 @@
 Patch00043: s390x-Fix-stringop-truncation-issue-repo.patch
 Patch00044: Revert-qht-constify-qht_statistics_init.patch
 Patch00045: qht-Revert-some-constification-in-qht.c.patch
+Patch00046: usb-fix-setup_len-init-CVE-2020-14364.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1006,6 +1007,7 @@
 %patch00043 -p1
 %patch00044 -p1
 %patch00045 -p1
+%patch00046 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
++++++ bundles.tar.xz ++++++
Binary files old/d0ed6a69d399ae193959225cdeaa9382746c91cc.bundle and new/d0ed6a69d399ae193959225cdeaa9382746c91cc.bundle differ
++++++ update_git.sh ++++++
--- /var/tmp/diff_new_pack.BmJeLA/_old 2020-09-03 01:11:24.172411958 +0200
+++ /var/tmp/diff_new_pack.BmJeLA/_new 2020-09-03 01:11:24.172411958 +0200
@@ -363,10 +363,10 @@
     sed -E -i 's/(^index [a-f0-9]{28})[a-f0-9]{12}([.][.][a-f0-9]{28})[a-f0-9]{12}( [0-9]{6}$)/\1\2\3/' $i
     BASENAME=$(basename $i)
     if [ "$FIVE_DIGIT_POTENTIAL" = "1" ]; then
-        if [[ $BASENAME =~ [[:digit:]]{5}.* ]]; then
+        if [[ "$BASENAME" =~ ^[[:digit:]]{5}.* ]]; then
             :
         else
-            BASENAME=0$BASENAME
+            BASENAME=0"$BASENAME"
         fi
     fi
     if [[ "$NUMBERED_PATCHES" = "0" ]]; then
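Review bot: `$i` stays unquoted in `sed ... $i` and `BASENAME=$(basename $i)` at the top of the -363 hunk, and the same pattern survives in `tail -n +2 $i`, `cp $i checkdir/"$FINALNAME"` (hunk -374) and `osc rm --force $i` (hunk -432), so the quoting fix this commit makes is incomplete for a patch name containing whitespace or glob characters. Quoting those the same way, `"$i"`, would make the loops consistent with the lines the commit already changed. Two smaller points of style: the `.*` after `^[[:digit:]]{5}` adds nothing because the regex is not end-anchored, and `[[ ... ]]` performs no word splitting, so the quotes in `"$BASENAME" =~` (and on the right-hand side of `BASENAME=0"$BASENAME"`) are harmless but unnecessary. The enclosing for loop starts before this hunk.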
@@ -374,23 +374,23 @@
         else
             KEEP_COUNT=40
         fi
-        tail -n +2 $i > $CMP_DIR/${BASENAME:0:$KEEP_COUNT}.patch
+        tail -n +2 $i > $CMP_DIR/"${BASENAME:0:$KEEP_COUNT}".patch
         rm $i
     done
     if [[ "$NUMBERED_PATCHES" = "0" ]]; then
         for i in [0-9]*.patch; do
-            osc rm --force $i
+            osc rm --force "$i"
         done
 # make sure that w/out the numbered prefixes, the patchnames are all unique
         mkdir checkdir
         for i in $CMP_DIR/*; do
             BASENAME=$(basename $i)
-            FINALNAME=${BASENAME:4+$FIVE_DIGIT_POTENTIAL+1:40+1+5}
-            if [[ -e checkdir/$FINALNAME ]]; then
+            FINALNAME="${BASENAME:4+$FIVE_DIGIT_POTENTIAL+1:40+1+5}"
+            if [[ -e checkdir/"$FINALNAME" ]]; then
                 echo "ERROR! Patch name $FINALNAME is not unique! Please modify patch subject to achieve uniqueness"
                 exit 1
             fi
-            cp $i checkdir/$FINALNAME
+            cp $i checkdir/"$FINALNAME"
         done
         CHECK_DIR=checkdir
         cp $CMP_DIR/*.patch .
@@ -404,10 +404,10 @@
     fi
     for i in $CHECK_DIR/*; do
         BASENAME=$(basename $i)
-        if [ -e $BASENAME ]; then
-            if cmp -s $i $BASENAME; then
-                touch --reference=$BASENAME $i
-                rm $BASENAME
+        if [ -e "$BASENAME" ]; then
+            if cmp -s "$i" "$BASENAME"; then
+                touch --reference="$BASENAME" "$i"
+                rm "$BASENAME"
                 let UNCHANGED_COUNT+=1
             else
                 if [ "${BASENAME:0:1+$FIVE_DIGIT_POTENTIAL}" = "$CHECK_PREFIX" ]; then
@@ -432,7 +432,7 @@
         NUMBERED_PATCH_RE="^[[:digit:]]{5}-.*[.]patch$"
     fi
     for i in *.patch; do
-        if [[ $i =~ $NUMBERED_PATCH_RE ]]; then
+        if [[ "$i" =~ $NUMBERED_PATCH_RE ]]; then
             if [[ "$NUMBERED_PATCHES" = "1" ]]; then
                 osc rm --force $i
                 echo " $i" >> qemu.changes.deleted
++++++ usb-fix-setup_len-init-CVE-2020-14364.patch ++++++
From: Gerd Hoffmann <[email protected]>
Date: Tue, 25 Aug 2020 07:36:36 +0200
Subject: usb: fix setup_len init (CVE-2020-14364)
Git-commit: 0000000000000000000000000000000000000000
References: bsc#1175441, CVE-2020-14364
Store calculated setup_len in a local variable, verify it, and only write it to the struct (USBDevice->setup_len) in case it passed the sanity checks. This prevents other code (do_token_{in,out} functions specifically) from working with invalid USBDevice->setup_len values and overrunning the USBDevice->setup_buf[] buffer.
Fixes: CVE-2020-14364
Signed-off-by: Gerd Hoffmann <[email protected]>
Tested-by: Gonglei <[email protected]>
Signed-off-by: Bruce Rogers <[email protected]>
---
 hw/usb/core.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/hw/usb/core.c b/hw/usb/core.c
index 5abd128b6bc5f5440e18b143fe41..5234dcc73fea6012f7143f307640 100644
--- a/hw/usb/core.c
+++ b/hw/usb/core.c
@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
 static void do_token_setup(USBDevice *s, USBPacket *p)
 {
     int request, value, index;
+    unsigned int setup_len;
     if (p->iov.size != 8) {
         p->status = USB_RET_STALL;
@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
     usb_packet_copy(p, s->setup_buf, p->iov.size);
     s->setup_index = 0;
     p->actual_length = 0;
-    s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
         fprintf(stderr,
                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
         p->status = USB_RET_STALL;
         return;
     }
+    s->setup_len = setup_len;
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value = (s->setup_buf[3] << 8) | s->setup_buf[2];
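Review bot: The new local `unsigned int setup_len;` declared in the -129 hunk is printed with `%d` by the fprintf in the following -138 hunk (and again in do_parameter), so the conversion no longer matches the argument type; `"usb_generic_handle_packet: ctrl buffer too small (%u > %zu)\n",` would. Since the value is assembled from two entries of setup_buf it presumably never exceeds 0xFFFF, so this is cosmetic rather than a memory-safety concern, but GCC's -Wformat-signedness reports it. A one-line comment at the declaration would also document the new invariant for the next reader, e.g. `/* validated against sizeof(s->data_buf) before being stored in s->setup_len */`. do_token_setup continues past the end of this hunk, and the -138 hunk's final line is not part of this excerpt.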
@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
 static void do_parameter(USBDevice *s, USBPacket *p)
 {
     int i, request, value, index;
+    unsigned int setup_len;
     for (i = 0; i < 8; i++) {
         s->setup_buf[i] = p->parameter >> (i*8);
     }
     s->setup_state = SETUP_STATE_PARAM;
-    s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
     s->setup_index = 0;
     request = (s->setup_buf[0] << 8) | s->setup_buf[1];
     value = (s->setup_buf[3] << 8) | s->setup_buf[2];
     index = (s->setup_buf[5] << 8) | s->setup_buf[4];
-    if (s->setup_len > sizeof(s->data_buf)) {
+    setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+    if (setup_len > sizeof(s->data_buf)) {
         fprintf(stderr,
                 "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
-                s->setup_len, sizeof(s->data_buf));
+                setup_len, sizeof(s->data_buf));
         p->status = USB_RET_STALL;
         return;
     }
+    s->setup_len = setup_len;
     if (p->pid == USB_TOKEN_OUT) {
         usb_packet_copy(p, s->data_buf, s->setup_len);
