From: "Matthias Maier"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Matthias Maier"
Message-ID: <1493128291.51d94aaeff0e35fa68711f5623c5e6f68be2fac8.tamiko@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/, app-emulation/qemu/
X-VCS-Repository: repo/gentoo
X-VCS-Files: app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch app-emulation/qemu/qemu-2.8.1-r1.ebuild app-emulation/qemu/qemu-2.8.1-r2.ebuild
X-VCS-Directories: app-emulation/qemu/files/ app-emulation/qemu/
X-VCS-Committer: tamiko
X-VCS-Committer-Name: Matthias Maier
X-VCS-Revision: 51d94aaeff0e35fa68711f5623c5e6f68be2fac8
X-VCS-Branch: master
Date: Tue, 25 Apr 2017 13:51:38 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f245aa7b-d161-497e-abbc-dba334a1f5f5
X-Archives-Hash: 74e693dc6d52e86bddc42f3e0c9ba65c

commit:     51d94aaeff0e35fa68711f5623c5e6f68be2fac8
Author:     Matthias Maier gentoo org>
AuthorDate: Tue Apr 25 13:32:43 2017 +0000
Commit:     Matthias Maier gentoo org>
CommitDate: Tue Apr 25 13:51:31 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51d94aae

app-emulation/qemu: security fixes

CVE-2017-7471, bug #616484
CVE-2017-7718, bug #616482 already applied on stable-2.8 as 3328c14e63f08fb07e8c6dec779c9d365e9e9864
CVE-2017-7980, bug #616462 already applied on stable-2.8 as a290442234fa214fcb7f45fc91d802bcb8d05c4b 031700e4527b9e05798f7040dccdf638da27aee2
CVE-2017-8086, bug #616460

Package-Manager: Portage-2.3.5, Repoman-2.3.2

 .../qemu/files/qemu-2.8.1-CVE-2017-7471.patch      | 64 ++++++++++++++++++++++
 .../qemu/files/qemu-2.8.1-CVE-2017-8086.patch      | 28 ++++++++++
 .../{qemu-2.8.1-r1.ebuild => qemu-2.8.1-r2.ebuild} |  2 +
 3 files changed, 94 insertions(+)
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch new file mode 100644 index 00000000000..c5366f5758e --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch 
@@ -0,0 +1,64 @@ +From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Mon, 17 Apr 2017 10:53:23 +0200 +Subject: [PATCH] 9pfs: local: set the path of the export root to "." +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The local backend was recently converted to using "at*()" syscalls in order +to ensure all accesses happen below the shared directory. This requires that +we only pass relative paths, otherwise the dirfd argument to the "at*()" +syscalls is ignored and the path is treated as an absolute path in the host. +This is actually the case for paths in all fids, with the notable exception +of the root fid, whose path is "/". This causes the following backend ops to +act on the "/" directory of the host instead of the virtfs shared directory +when the export root is involved: +- lstat +- chmod +- chown +- utimensat + +ie, chmod /9p_mount_point in the guest will be converted to chmod / in the +host for example. This could cause security issues with a privileged QEMU. + +All "*at()" syscalls are being passed an open file descriptor. In the case +of the export root, this file descriptor points to the path in the host that +was passed to -fsdev. + +The fix is thus as simple as changing the path of the export root fid to be +"." instead of "/". + +This is CVE-2017-7471. 
+ +Cc: qemu-stable@nongnu.org +Reported-by: Léo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +Signed-off-by: Peter Maydell +--- + hw/9pfs/9p-local.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index 45e9a1f..f3ebca4 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + { + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); +- } else { ++ } else if (strcmp(name, "/")) { + v9fs_path_sprintf(target, "%s", name); ++ } else { ++ /* We want the path of the export root to be relative, otherwise ++ * "*at()" syscalls would treat it as "/" in the host. ++ */ ++ v9fs_path_sprintf(target, "%s", "."); + } + return 0; + } +-- +2.10.2 + diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch new file mode 100644 index 00000000000..eac72f3dcb5 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch @@ -0,0 +1,28 @@ +From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Fri, 7 Apr 2017 03:48:52 -0700 +Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr + +Free 'orig_value' in error path. + +Signed-off-by: Li Qiang +Signed-off-by: Greg Kurz +--- + hw/9pfs/9p-xattr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c +index eec160b..d05c1a1 100644 +--- a/hw/9pfs/9p-xattr.c ++++ b/hw/9pfs/9p-xattr.c +@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path, + g_free(name); + close_preserve_errno(dirfd); + if (xattr_len < 0) { ++ g_free(orig_value); + return -1; + } + +-- +2.10.2 + 
diff --git a/app-emulation/qemu/qemu-2.8.1-r1.ebuild b/app-emulation/qemu/qemu-2.8.1-r2.ebuild similarity index 99% rename from app-emulation/qemu/qemu-2.8.1-r1.ebuild rename to app-emulation/qemu/qemu-2.8.1-r2.ebuild index 62dcf576139..2e9ad1977aa 100644 --- a/app-emulation/qemu/qemu-2.8.1-r1.ebuild +++ b/app-emulation/qemu/qemu-2.8.1-r2.ebuild @@ -207,6 +207,8 @@ PATCHES=( "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-7377.patch #614744 + "${FILESDIR}"/${PN}-2.8.1-CVE-2017-7471.patch #616484 + "${FILESDIR}"/${PN}-2.8.1-CVE-2017-8086.patch #616460 ) STRIP_MASK="/usr/share/qemu/palcode-clipper"
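Review bot: in the local_name_to_path hunk of qemu-2.8.1-CVE-2017-7471.patch, the new `} else if (strcmp(name, "/")) {` relies on strcmp's non-zero return meaning "not the export root"; writing it as `strcmp(name, "/") != 0` makes the branch order (ordinary name first, root fid last) read as intended, and the in-code comment explaining why "." replaces "/" should stay since it documents the dirfd semantics of the `*at()` calls. The fix sits in the single function that builds every fid path, so the lstat/chmod/chown/utimensat cases listed in the description are all covered by this one change; the remaining review check is that the root fid is always created with the literal "/" string, because only that exact spelling takes the new branch.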
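Review bot: in the v9fs_list_xattr hunk of qemu-2.8.1-CVE-2017-8086.patch, the added `g_free(orig_value);` completes the cleanup on the `xattr_len < 0` exit (the context shows `g_free(name)` and `close_preserve_errno(dirfd)` already run before that return), but the hunk does not show whether any other early return lies between the allocation of `orig_value` and this point, so the full function should be checked for the same leak. As a documentation point, the upstream subject ("fix memory leak in v9fs_list_xattr") carries no CVE reference; the mapping to CVE-2017-8086 exists only in the Gentoo file name and the `#616460` ebuild comment, so keep those two in sync.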
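Review bot: the two new PATCHES entries follow the existing `"${FILESDIR}"/${PN}-<version>-CVE-<id>.patch #<bug>` convention, their bug numbers (#616484, #616460) match the commit message, and the rename from qemu-2.8.1-r1.ebuild to qemu-2.8.1-r2.ebuild gives users the revision bump needed to pull in the fixed build. One documentation suggestion: CVE-2017-7718 and CVE-2017-7980 are noted only in the commit message as already contained in stable-2.8; a one-line comment next to the PATCHES array recording that would let a later maintainer see why no patch file exists for them.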