Bug#1052288: bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Tue, 2023-09-19 at 23:11 +0200, Moritz Muehlenhoff wrote:
> Various low severity security issues in qemu, debdiff below.
> I've tested this on a Bullseye ganeti cluster using the
> updated qemu.
> 

Please go ahead.

Regards,

Adam



Bug#1052288: bullseye-pu: package qemu/1:5.2+dfsg-11+deb11u3

2023-09-19 Thread Moritz Muehlenhoff
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: q...@packages.debian.org, m...@tls.msk.ru
Control: affects -1 + src:qemu

Various low severity security issues in qemu, debdiff below.
I've tested this on a Bullseye ganeti cluster using the
updated qemu.

Cheers,
Moritz

diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog  2022-05-04 21:50:01.0 +0200
+++ qemu-5.2+dfsg/debian/changelog  2023-09-04 16:11:35.0 +0200
@@ -1,3 +1,19 @@
+qemu (1:5.2+dfsg-11+deb11u3) bullseye; urgency=medium
+
+  * CVE-2021-20196 (Closes: #984453)
+  * CVE-2023-0330 (Closes: #1029155)
+  * CVE-2023-1544 (Closes: #1034179)
+  * CVE-2023-3354
+  * CVE-2021-3930
+  * CVE-2023-3180
+  * CVE-2021-20203 (Closes: #984452)
+  * CVE-2021-3507 (Closes: #987410)
+  * CVE-2020-14394 (Closes: #979677)
+  * CVE-2023-3301
+  * CVE-2022-0216 (Closes: #1014590)
+
+ -- Moritz Mühlenhoff   Mon, 04 Sep 2023 16:11:35 +0200
+
 qemu (1:5.2+dfsg-11+deb11u2) bullseye-security; urgency=medium
 
   * virtio-net-fix-map-leaking-on-error-during-receive-CVE-2022-26353.patch
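
Review bot: the changelog entries carry only CVE identifiers, which tells a bullseye user nothing about which emulated device each fix touches; for a pu upload one short descriptor per line, e.g. "CVE-2020-14394: hw/usb/hcd-xhci: unbounded loop in xhci_ring_chain_length()", with the list sorted by identifier, would make the upload self-documenting. CVE-2023-3354, CVE-2021-3930, CVE-2023-3180 and CVE-2023-3301 also lack a Closes: reference; if no Debian bug exists for them, a one-line summary is the only place the nature of the fix gets recorded.
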
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch 
qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch   1970-01-01 
01:00:00.0 +0100
+++ qemu-5.2+dfsg/debian/patches/CVE-2020-14394.patch   2023-08-22 
12:42:56.0 +0200
@@ -0,0 +1,67 @@
+From effaf5a240e03020f4ae953e10b764622c3e87cc Mon Sep 17 00:00:00 2001
+From: Thomas Huth 
+Date: Thu, 4 Aug 2022 15:13:00 +0200
+Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
+ xhci_ring_chain_length() (CVE-2020-14394)
+
+The loop condition in xhci_ring_chain_length() is under control of
+the guest, and additionally the code does not check for failed DMA
+transfers (e.g. if reaching the end of the RAM), so the loop there
+could run for a very long time or even forever. Fix it by checking
+the return value of dma_memory_read() and by introducing a maximum
+loop length.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
+Message-Id: <20220804131300.96368-1-th...@redhat.com>
+Reviewed-by: Mauro Matteo Cascella 
+Acked-by: Gerd Hoffmann 
+Signed-off-by: Thomas Huth 
+---
+ hw/usb/hcd-xhci.c | 23 +++
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- qemu-5.2+dfsg.orig/hw/usb/hcd-xhci.c
 qemu-5.2+dfsg/hw/usb/hcd-xhci.c
+@@ -21,6 +21,7 @@
+ 
+ #include "qemu/osdep.h"
+ #include "qemu/timer.h"
++#include "qemu/log.h"
+ #include "qemu/module.h"
+ #include "qemu/queue.h"
+ #include "migration/vmstate.h"
+@@ -720,9 +721,13 @@ static int xhci_ring_chain_length(XHCISt
+ bool control_td_set = 0;
+ uint32_t link_cnt = 0;
+ 
+-while (1) {
++do {
+ TRBType type;
+-dma_memory_read(xhci->as, dequeue, , TRB_SIZE);
++if (dma_memory_read(xhci->as, dequeue, , TRB_SIZE) != MEMTX_OK) {
++qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
++  __func__);
++return -1;
++}
+ le64_to_cpus();
+ le32_to_cpus();
+ le32_to_cpus();
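
Review bot: the new `return -1` on a failed dma_memory_read() is only safe if every caller of xhci_ring_chain_length() already treats a negative result as an error rather than as a TRB count; the hunk does not touch the callers, so please confirm the 5.2 call sites do. Separately, as rendered in this mail the address arguments are missing from `dma_memory_read(xhci->as, dequeue, , TRB_SIZE)` and from the three `le*_to_cpus();` calls (presumably the `&trb...` arguments were eaten by the archive), so it is worth double-checking that the patch in the actual upload is intact and applies cleanly.
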
+@@ -756,7 +761,17 @@ static int xhci_ring_chain_length(XHCISt
+ if (!control_td_set && !(trb.control & TRB_TR_CH)) {
+ return length;
+ }
+-}
++
++/*
++ * According to the xHCI spec, Transfer Ring segments should have
++ * a maximum size of 64 kB (see chapter "6 Data Structures")
++ */
++} while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
++
++qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring 
size!\n",
++  __func__);
++
++return -1;
+ }
+ 
+ static void xhci_er_reset(XHCIState *xhci, int v)
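
Review bot: typo in the new guest-error message: "exceeded maximum tranfer ring size!" should read "transfer". The comment above the new loop condition explains only the 64 kB per-segment limit from the spec, but the bound is `TRB_LINK_LIMIT * 65536 / TRB_SIZE`, i.e. one segment's worth of TRBs multiplied by the existing cap on link TRBs; a sentence stating that the product is the largest ring the function is willing to walk would save the next reader a trip to the spec. Note also that the size-exceeded path and the DMA-failure path both return -1, so callers cannot distinguish them; that is acceptable as long as both are treated as an abort, and both are logged with LOG_GUEST_ERROR, but it is worth stating in the commit message.
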
diff -Nru qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch 
qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch
--- qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch   1970-01-01 
01:00:00.0 +0100
+++ qemu-5.2+dfsg/debian/patches/CVE-2021-20196.patch   2023-09-04 
16:11:35.0 +0200
@@ -0,0 +1,61 @@
+Combined backport of
+
+From 1ab95af033a419e7a64e2d58e67dd96b20af5233 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 24 Nov 2021 17:15:35 +0100
+Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix
+ CVE-2021-20196
+
+and
+
+From b154791e7b6d4ca5cdcd54443484d97360bd7ad2 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Philippe=20Mathieu-Daud=C3=A9?= 
+Date: Wed, 24 Nov 2021 17:15:34 +0100
+Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive()
+
+--- qemu-5.2+dfsg.orig/hw/block/fdc.c
 qemu-5.2+dfsg/hw/block/fdc.c
+@@ -61,6 +61,12 @@
+ } while (0)
+ 
+ 
++/* Anonymous BlockBackend for empty drive */
++static BlockBackend *blk_create_empty_drive(void)
++{
++return blk_new(qemu_get_aio_context(), 0, BLK_PERM_ALL);
++}
++
+
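
Review bot: the debian patch header names the two upstream commits but drops both commit messages, so nothing in the package records why a missing floppy drive needs an anonymous BlockBackend or what the CVE-2021-20196 crash actually is; please keep at least the body of 1ab95af033a4's message in the combined patch. In the new helper, the `0` permission and `BLK_PERM_ALL` shared-permission arguments to blk_new() deserve a one-line comment, since a backend that requests no permissions of its own while sharing all of them is unusual, and the reader should not have to infer that an empty placeholder drive is meant to request nothing.
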