Package: guix-patches;
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Tue, 21 Jan 2020 18:57:03 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Report #39226 filed against package guix-patches (Tue, 21 Jan 2020 18:57:03 GMT).
Message #5 received at submit <at> debbugs.gnu.org:
From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 1/2] gnu: QEMU: Fix CVE-2020-{7039,7211}.
Date: Tue, 21 Jan 2020 13:55:51 -0500
* gnu/packages/patches/qemu-CVE-2020-7039.patch, gnu/packages/patches/qemu-CVE-2020-7211.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them. --- gnu/local.mk | 2 + gnu/packages/patches/qemu-CVE-2020-7039.patch | 173 ++++++++++++++++++ gnu/packages/patches/qemu-CVE-2020-7211.patch | 49 +++++ gnu/packages/virtualization.scm | 2 + 4 files changed, 226 insertions(+) create mode 100644 gnu/packages/patches/qemu-CVE-2020-7039.patch create mode 100644 gnu/packages/patches/qemu-CVE-2020-7211.patch diff --git a/gnu/local.mk b/gnu/local.mk index 626d91ce62..1a01a87c40 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1334,6 +1334,8 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ + %D%/packages/patches/qemu-CVE-2020-7039.patch \ + %D%/packages/patches/qemu-CVE-2020-7211.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2020-7039.patch b/gnu/packages/patches/qemu-CVE-2020-7039.patch new file mode 100644 index 0000000000..ffebda68ab --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2020-7039.patch 
@@ -0,0 +1,173 @@ +Fix CVE-2020-7039: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039 + +Patches copied from upstream dependency repository: + +https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289 +https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 +https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 + +From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault <samuel.thibault <at> ens-lyon.org> +Date: Wed, 8 Jan 2020 00:58:48 +0100 +Subject: [PATCH] tcp_emu: Fix oob access + +The main loop only checks for one available byte, while we sometimes +need two bytes. +--- + CHANGELOG.md | 1 + + src/tcp_subr.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +#diff --git a/CHANGELOG.md b/CHANGELOG.md +#index 00d0ce2..5cf94a8 100644 +#--- a/CHANGELOG.md +#+++ b/CHANGELOG.md +#@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 +# ### Fixed +# +# - ncsi: fix checksum OOB memory access +#+ - `tcp_emu()`: fix OOB accesses +# +# ## [4.1.0] - 2019-12-02 +# +diff --git a/src/tcp_subr.c b/src/tcp_subr.c +index 382aa38..9c1bdec 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m) + break; + + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) + /* This is the field containing the port + * number that RA-player is listening to. 
+ */ ++ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; + if (lport < 6970) + lport += 256; /* don't know why */ +-- +2.24.1 + +From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp <at> fedoraproject.org> +Date: Thu, 9 Jan 2020 15:12:27 +0530 +Subject: [PATCH] slirp: use correct size while emulating IRC commands + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. + +Reported-by: Vishnu Dev TJ <vishnudevtj <at> gmail.com> +Signed-off-by: Prasad J Pandit <pjp <at> fedoraproject.org> +Reviewed-by: Samuel Thibault <samuel.thibault <at> ens-lyon.org> +Message-Id: <20200109094228.79764-2-ppandit <at> redhat.com> +--- + src/tcp_subr.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/tcp_subr.c b/src/tcp_subr.c +index 9c1bdec..ee7a938 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, +@@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 
n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, +@@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } +-- +2.24.1 + +From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp <at> fedoraproject.org> +Date: Thu, 9 Jan 2020 15:12:28 +0530 +Subject: [PATCH] slirp: use correct size while emulating commands + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. + +Signed-off-by: Prasad J Pandit <pjp <at> fedoraproject.org> +Signed-off-by: Samuel Thibault <samuel.thibault <at> ens-lyon.org> +Message-Id: <20200109094228.79764-3-ppandit <at> redhat.com> +--- + src/tcp_subr.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/src/tcp_subr.c b/src/tcp_subr.c +index ee7a938..177dfd2 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, + n5, n6, x == 7 ? buff : ""); + return 1; +@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x == 7 ? 
buff : ""); + +@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = +- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; + + case EMU_IRC: +-- +2.24.1 + diff --git a/gnu/packages/patches/qemu-CVE-2020-7211.patch b/gnu/packages/patches/qemu-CVE-2020-7211.patch new file mode 100644 index 0000000000..2885dda411 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2020-7211.patch 
@@ -0,0 +1,49 @@ +Fix CVE-2020-7211: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211 + +Patch copied from upstream dependency repository: + +https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 + +From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp <at> fedoraproject.org> +Date: Mon, 13 Jan 2020 17:44:31 +0530 +Subject: [PATCH] slirp: tftp: restrict relative path access + +tftp restricts relative or directory path access on Linux systems. +Apply same restrictions on Windows systems too. It helps to avoid +directory traversal issue. + +Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 +Reported-by: Peter Maydell <peter.maydell <at> linaro.org> +Signed-off-by: Prasad J Pandit <pjp <at> fedoraproject.org> +Reviewed-by: Samuel Thibault <samuel.thibault <at> ens-lyon.org> +Message-Id: <20200113121431.156708-1-ppandit <at> redhat.com> +--- + src/tftp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/tftp.c b/src/tftp.c +index 093c2e0..e52e71b 100644 +--- a/slirp/src/tftp.c ++++ b/slirp/src/tftp.c +@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + k += 6; /* skipping octet */ + + /* do sanity checks on the filename */ +- if (!strncmp(req_fname, "../", 3) || +- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { ++ if ( ++#ifdef G_OS_WIN32 ++ strstr(req_fname, "..\\") || ++ req_fname[strlen(req_fname) - 1] == '\\' || ++#endif ++ strstr(req_fname, "../") || ++ req_fname[strlen(req_fname) - 1] == '/') { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } +-- +2.24.1 + diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 51ba3c602a..1874cf3d9f 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
@@ -114,6 +114,8 @@ (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) + (patches (search-patches "qemu-CVE-2020-7039.patch" + "qemu-CVE-2020-7211.patch")) (sha256 (base32 "1lm1jndfpc5sydwrxyiz5sms414zkcg9jdl0zx318qbjsayxnvzd")))) -- 2.25.0
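Review bot: the two new entries in the gnu/local.mk hunk are out of order: the visible neighbours (`python-waitress-fix-tests.patch`, `qemu-glibc-2.27.patch`, `qt4-ldflags.patch`, `qtbase-use-TZDIR.patch`) show dist_patch_DATA is kept sorted, and `qemu-CVE-2020-7039.patch` / `qemu-CVE-2020-7211.patch` sort before `qemu-glibc-2.27.patch`. Move the two added lines up so they precede `%D%/packages/patches/qemu-glibc-2.27.patch \`.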
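Review bot: in gnu/packages/patches/qemu-CVE-2020-7039.patch the `---`/`+++` lines of all three upstream commits were rewritten to `a/slirp/src/tcp_subr.c` / `b/slirp/src/tcp_subr.c` so they apply to QEMU's bundled copy, but the `diff --git a/src/tcp_subr.c b/src/tcp_subr.c` and `index` lines still carry the original libslirp paths; patch(1) applies from the `---`/`+++` lines so this works, but git-aware tooling reads the `diff --git` line first, so rewrite those too for consistency. The header should also state that the CHANGELOG.md hunk of commit 2655fffe has been neutralized by `#` prefixes rather than dropped, since patch silently skips those lines and a reader comparing against upstream will otherwise wonder why the file count differs from the `2 files changed` stat line. The fixes themselves read correctly against the context shown: the two `bptr == m->m_data + m->m_len - 1` guards cover the `bptr[0]`/`bptr[1]` two-byte read, the IRC and FTP writes now bound `snprintf` at `bptr` by `M_FREEROOM(m)` after `m->m_len` has been adjusted, and the one write that starts at `m->m_data` rather than `bptr` uses `M_ROOM(m)`, which is the right bound for that case.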
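Review bot: gnu/packages/patches/qemu-CVE-2020-7211.patch changes more than the Windows case its subject line advertises: in the tftp_handle_rrq hunk the non-Windows check goes from `!strncmp(req_fname, "../", 3) || strstr(req_fname, "/../")` to `strstr(req_fname, "../")`, which rejects a superset of the old inputs (any name containing `../`, not only a leading `../` or an embedded `/../`); worth a sentence in the patch header so that a reviewer does not mistake it for a behaviour change introduced by the backport. The `#ifdef G_OS_WIN32` block inside the `if (` condition is awkward to read but is copied verbatim from upstream commit 14ec36e1, so leave it as-is rather than diverging from upstream.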
Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org (Tue, 21 Jan 2020 19:00:02 GMT).
Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org (Sat, 22 Feb 2020 12:24:04 GMT).