commit kvm for openSUSE:Factory
Hello community, here is the log from the commit of package kvm for openSUSE:Factory checked in at 2012-07-01 15:07:56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kvm (Old) and /work/SRC/openSUSE:Factory/.kvm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "kvm", Maintainer is "BROGERS@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/kvm/kvm.changes 2012-05-29 10:33:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.kvm.new/kvm.changes 2012-07-02 10:28:58.000000000 +0200 
@@ -1,0 +2,24 @@ +Wed Jun 27 22:05:42 UTC 2012 - brogers@suse.com + +- fix qemu-kvm crash with "-usbdevice tablet". (bnc#766310) +- fix CVE-2012-2652, where a tmpdir symlink attack is possible + when using snapshots (bnc#764526) +- drop qemu-img-kvm, which is a rename of the qemu-img file and + delivers no additional value +- drop qemu-ga. This file is now provided by the qemu-guest-agent + package. + +------------------------------------------------------------------- +Wed Jun 13 22:33:20 UTC 2012 - brogers@suse.com + +- update to most recent ipxe code +- avoid array bounds error building ipxe +- include more "standard" doc files +- misc spec file cleanups + +------------------------------------------------------------------- +Sun Jun 10 19:35:58 UTC 2012 - brogers@suse.com + +- rely on newly created qemu-tools package for bridge helper + +------------------------------------------------------------------- Old: ---- qemu-img-vmdk-scsi.patch New: ---- ipxe-avoid-bad-array-reference.patch kvm-qemu-preXX-block-prevent-snapshot-mode-TMPDIR-symlink-attack.patch kvm-qemu-preXX-uhci-fix-uhci_async_cancel_all.patch kvm-qemu-preXX-use--libexecdir-instead-of-ignoring.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kvm.spec ++++++ --- /var/tmp/diff_new_pack.UahdKQ/_old 2012-07-02 10:29:02.000000000 +0200 +++ /var/tmp/diff_new_pack.UahdKQ/_new 2012-07-02 10:29:02.000000000 +0200 @@ -22,6 +22,7 @@ %define package_true_version 1.1.rc3 %define package_base_version 1.1 %define bios_id seabios-1.7.0 +# ipxe is through git commit id: addf699c86ae18edd7de13433da78be926c22504 %define pxe_rom_id ipxe-1.0.0 %define vgabios_id vgabios-0.6c # sgabios comes from: http://sgabios.googlecode.com/svn/trunk, Rev 8 
@@ -94,10 +95,11 @@ BuildRequires: pwdutils Requires: pwdutils Requires: python-curses -Requires: virt-utils %if 0%{?suse_version} < 1110 Requires: kvm-kmp %endif +Recommends: qemu-tools +Recommends: virt-utils Summary: Kernel-based Virtual Machine License: BSD-3-Clause ; GPL-2.0 ; GPL-2.0+ ; LGPL-2.1+ ; MIT Group: System/Kernel @@ -118,6 +120,7 @@ # ipxe patches Patch01: ipxe-rom-settings.patch +Patch02: ipxe-avoid-bad-array-reference.patch # seabios patches Patch20: seabios-sanitize-version.patch @@ -139,10 +142,12 @@ Patch103: kvm-qemu-preXX-console.patch Patch104: kvm-qemu-madvise-hugepages.patch Patch105: kvm-qemu-preXX-dictzip3.patch +Patch106: kvm-qemu-preXX-use--libexecdir-instead-of-ignoring.patch +Patch107: kvm-qemu-preXX-block-prevent-snapshot-mode-TMPDIR-symlink-attack.patch +Patch108: kvm-qemu-preXX-uhci-fix-uhci_async_cancel_all.patch -Patch200: qemu-img-vmdk-scsi.patch -Patch201: kvm-studio-slirp-nooutgoing.patch -Patch202: kvm-studio-vnc.patch +Patch200: kvm-studio-slirp-nooutgoing.patch +Patch201: kvm-studio-vnc.patch # for IA64 Source500: ia64-fix-pagesize.pl @@ -159,8 +164,9 @@ Patch706: S390-hp-0004-Expose-drive_add-on-all-architectures.patch # For upstream patches: + BuildRoot: %{_tmppath}/%{name}-%{version}-build -PreReq: /usr/sbin/groupadd +Requires(pre): /usr/sbin/groupadd %description KVM (Kernel-based Virtual Machine) is virtualization software for @@ -187,7 +193,6 @@ libvirt, virt-manager and vm-install. - Authors: -------- Avi Kivity <avi@qumranet.com> @@ -202,6 +207,7 @@ %setup -q -T -D -n %{pxe_rom_id} -b 7 # ipxe patches %patch01 -p1 +%patch02 -p1 %endif %setup -q -n qemu-%{name}-%{package_true_version} -a 6 -a 9 -a 10 %if %{build_fw_from_source} @@ -230,11 +236,13 @@ %patch103 -p1 %patch104 -p1 %patch105 -p1 +%patch106 -p1 +%patch107 -p1 +%patch108 -p1 # Studio addons %patch200 -p1 %patch201 -p1 -%patch202 -p1 # IA64 support %ifarch ia64 
@@ -261,6 +269,7 @@
 ./configure \
 --prefix=%{_prefix} \
 --sysconfdir=%{_sysconfdir} \
+ --libexecdir=%{_libexecdir} \
 --with-confsuffix=/qemu-kvm \
 --extra-cflags="%{optflags}" \
 --disable-debug-tcg \
@@ -320,41 +329,41 @@ sed -i 's/CFLAGS =/CFLAGS +=/' roms/vgabios/Makefile # userspace: -make %{?jobs:-j%jobs} +make %{?_smp_mflags} # Firmware %ifarch %ix86 x86_64 %if %{build_fw_from_source} echo "%{bios_id}" > roms/seabios/.version -make -C roms/seabios %{?jobs:-j%jobs} +make -C roms/seabios %{?_smp_mflags} cp roms/seabios/out/bios.bin pc-bios/bios.bin make -C roms/sgabios -#make -C roms/sgabios %{?jobs:-j%jobs} cp roms/sgabios/sgabios.bin pc-bios/sgabios.bin -make -C roms/vgabios %{?jobs:-j%jobs} +make -C roms/vgabios %{?_smp_mflags} cp roms/vgabios/VGABIOS-lgpl-latest.bin pc-bios/vgabios.bin cp roms/vgabios/VGABIOS-lgpl-latest.cirrus.bin pc-bios/vgabios-cirrus.bin cp roms/vgabios/VGABIOS-lgpl-latest.stdvga.bin pc-bios/vgabios-stdvga.bin cp roms/vgabios/VGABIOS-lgpl-latest.vmware.bin pc-bios/vgabios-vmware.bin cp roms/vgabios/VGABIOS-lgpl-latest.qxl.bin pc-bios/vgabios-qxl.bin cd ../%{pxe_rom_id}/src -make NO_WERROR=1 bin/blib.a %{?jobs:-j%jobs} -make bin/8086100e.rom %{?jobs:-j%jobs} -make bin/10222000.rom %{?jobs:-j%jobs} -make bin/10500940.rom %{?jobs:-j%jobs} -make bin/10ec8139.rom %{?jobs:-j%jobs} -make bin/80861209.rom %{?jobs:-j%jobs} -make bin/1af41000.rom %{?jobs:-j%jobs} +make NO_WERROR=1 bin/blib.a %{?_smp_mflags} +make bin/8086100e.rom %{?_smp_mflags} +make bin/10222000.rom %{?_smp_mflags} +make bin/10500940.rom %{?_smp_mflags} +make bin/10ec8139.rom %{?_smp_mflags} +make bin/80861209.rom %{?_smp_mflags} +make bin/1af41000.rom %{?_smp_mflags} %endif %endif %install -make DESTDIR=%{buildroot} install %{?jobs:-j%jobs} libexecdir=%_libexecdir +make install DESTDIR=%{buildroot} %{?_smp_mflags} mkdir -p %{buildroot}%{_docdir}/kvm cp qemu-doc.html qemu-kvm.html cp qemu-tech.html qemu-kvm-tech.html +cp QMP/qmp-commands.txt qmp-commands.txt install -m 755 scripts/kvm/kvm_stat %{buildroot}%{_bindir}/ %if %{build_fw_from_source} for i in %firmware_files 
@@ -373,18 +382,18 @@ install_rom 1af41000 pxe-virtio %endif cd %{buildroot} -rm -r .{%_bindir/qemu-io,%_bindir/qemu-nbd,%_datadir/doc/qemu} -mv .%_bindir/qemu-img{,-kvm} +rm .%_bindir/{qemu-img,qemu-io,qemu-ga,qemu-nbd} +rm -r .{%_libexecdir/qemu-bridge-helper,%_datadir/doc/qemu} %if !%{build_fw_from_source} -rm -r .%_datadir/qemu-kvm/{openbios-sparc32,openbios-sparc64,ppc_rom.bin,openbios-ppc,bamboo.dtb,petalogix-ml605.dtb,petalogix-s3adsp1800.dtb} +rm .%_datadir/qemu-kvm/{openbios-sparc32,openbios-sparc64,ppc_rom.bin,openbios-ppc,bamboo.dtb,petalogix-ml605.dtb,petalogix-s3adsp1800.dtb} %endif %ifarch ia64 s390x rm .%_datadir/qemu-kvm/bios.bin %endif +rm -r .%_mandir/man1/qemu-img.1 rm -r .%_mandir/man8/qemu-nbd.8 mv .%_bindir/{qemu-system*,qemu-kvm} mv .%_mandir/man1/{qemu.1,qemu-kvm.1} -mv .%_mandir/man1/{qemu-img.1,qemu-img-kvm.1} chmod 644 .%_mandir/man1/* install -D -m 644 %{SOURCE1} %{buildroot}/etc/udev/rules.d/60-kvm.rules install -D -m 755 %{SOURCE2} %{buildroot}/usr/share/qemu-kvm/qemu-ifup 
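Review bot: The added `rm -r .%_mandir/man1/qemu-img.1` uses `-r` on a single man page, while the same hunk drops `-r` from the other file removals (`rm .%_bindir/{qemu-img,qemu-io,qemu-ga,qemu-nbd}`). Plain `rm .%_mandir/man1/qemu-img.1` would be consistent and would fail the build if that path ever became a directory. The same applies to `qemu-bridge-helper` in the new `rm -r .{...}` line, which could be split into `rm .%_libexecdir/qemu-bridge-helper` and `rm -r .%_datadir/doc/qemu`.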
@@ -405,17 +414,15 @@ %files %defattr(-,root,root) -%doc qemu-kvm.html qemu-kvm-tech.html kvm-supported.txt +# qmp-commands.txt needs to be included as doc, we well as qemu-nbd.8? (we delete this above!!!!, also virtfs-proxy-helper.1 if building virtfs +# Also see what qemu has doc'd/ Do we want to NOT include kvm-supported.txt for oS? +%doc COPYING COPYING.LIB Changelog README qemu-kvm.html qemu-kvm-tech.html kvm-supported.txt qmp-commands.txt %attr(755,root,kvm) %{_bindir}/qemu-kvm -%attr(755,root,kvm) %{_bindir}/qemu-img-kvm -%attr(755,root,kvm) %{_bindir}/qemu-ga %attr(755,root,kvm) %{_bindir}/kvm_stat %{_datadir}/qemu-kvm -%_libexecdir/qemu-bridge-helper -%dir %attr(0755, root, kvm) %{_sysconfdir}/qemu-kvm/ +%dir %attr(0755,root,kvm) %{_sysconfdir}/qemu-kvm/ %config %attr(644,root,kvm) %{_sysconfdir}/qemu-kvm/target-x86_64.conf %config %{_sysconfdir}/udev/rules.d/60-kvm.rules %_mandir/man1/qemu-kvm.1.gz -%_mandir/man1/qemu-img-kvm.1.gz %changelog ++++++ ipxe-1.0.0.tar.bz2 ++++++ ++++ 368278 lines of diff (skipped) ++++++ ipxe-avoid-bad-array-reference.patch ++++++ Subject: Avoid overrunning array by conditional compilation I haven't analyzed the best way to fix this, but this code error has been there 'forever', so for now use a simple approach to avoid the issue. Signed-off-by: Bruce Rogers <brogers@suse.com> Index: ipxe-1.0.0/src/util/nrv2b.c =================================================================== --- ipxe-1.0.0.orig/src/util/nrv2b.c +++ ipxe-1.0.0/src/util/nrv2b.c @@ -629,7 +629,7 @@ static int swd_search2(struct ucl_swd *s s->b[s->bp], s->b[s->bp+1], s->b[key], s->b[key+1]); #endif assert(memcmp(&s->b[s->bp],&s->b[key],2) == 0); -#if defined(SWD_BEST_OFF) +#if defined(SWD_BEST_OFF) && (SWD_BEST_OFF > 2) if (s->best_pos[2] == 0) s->best_pos[2] = key + 1; #endif ++++++ ipxe-rom-settings.patch ++++++ --- /var/tmp/diff_new_pack.UahdKQ/_old 2012-07-02 10:29:02.000000000 +0200 +++ /var/tmp/diff_new_pack.UahdKQ/_new 2012-07-02 10:29:02.000000000 +0200 
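Review bot: The two comment lines added above `%doc` read as unresolved questions ("we well as qemu-nbd.8? (we delete this above!!!!") and leave a parenthesis open, so a later packager cannot tell what was decided. I would either settle them before check-in or rewrite them as marked to-dos, for example `# TODO: decide whether to ship qemu-nbd.8 (removed in %install) and virtfs-proxy-helper.1` and `# TODO: decide whether kvm-supported.txt belongs in the openSUSE package`.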
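Review bot: The new guard `#if defined(SWD_BEST_OFF) && (SWD_BEST_OFF > 2)` compiles out the `s->best_pos[2]` write without saying why, and the patch description itself states that the root cause was not analysed. A comment on the guard would help, e.g. `/* best_pos[2] exists only when SWD_BEST_OFF > 2; otherwise this write is out of bounds */`. The declaration of `best_pos` is outside the hunk, so its relation to SWD_BEST_OFF is inferred from the guard. It is also worth confirming that skipping the assignment does not change the compressor's output for the configuration iPXE is built with. swd_search2 starts and ends outside the hunk.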
@@ -1,7 +1,7 @@ -Index: ipxe-git-3fc139362c75eb69e02989241755ec894533f675/src/config/general.h +Index: ipxe-1.0.0/src/config/general.h =================================================================== ---- ipxe-git-3fc139362c75eb69e02989241755ec894533f675.orig/src/config/general.h -+++ ipxe-git-3fc139362c75eb69e02989241755ec894533f675/src/config/general.h +--- ipxe-1.0.0.orig/src/config/general.h ++++ ipxe-1.0.0/src/config/general.h @@ -31,7 +31,7 @@ FILE_LICENCE ( GPL2_OR_LATER ); * Timer configuration * @@ -11,12 +11,12 @@ banner should appear */ /* -@@ -93,7 +93,7 @@ FILE_LICENCE ( GPL2_OR_LATER ); +@@ -92,7 +92,7 @@ FILE_LICENCE ( GPL2_OR_LATER ); * you want to use. * */ -//#define IMAGE_NBI /* NBI image support */ +#define IMAGE_NBI /* NBI image support */ //#define IMAGE_ELF /* ELF image support */ - //#define IMAGE_FREEBSD /* FreeBSD kernel image support */ //#define IMAGE_MULTIBOOT /* MultiBoot image support */ + //#define IMAGE_PXE /* PXE image support */ ++++++ kvm-qemu-preXX-block-prevent-snapshot-mode-TMPDIR-symlink-attack.patch ++++++
From eba25057b9a5e19d10ace2bc7716667a31297169 Mon Sep 17 00:00:00 2001 From: Jim Meyering <jim@meyering.net> Date: Mon, 28 May 2012 09:27:54 +0200 Subject: [PATCH] block: prevent snapshot mode $TMPDIR symlink attack Reference: bnc#764526
In snapshot mode, bdrv_open creates an empty temporary file without checking for mkstemp or close failure, and ignoring the possibility of a buffer overrun given a surprisingly long $TMPDIR. Change the get_tmp_filename function to return int (not void), so that it can inform its two callers of those failures. Also avoid the risk of buffer overrun and do not ignore mkstemp or close failure. Update both callers (in block.c and vvfat.c) to propagate temp-file-creation failure to their callers. get_tmp_filename creates and closes an empty file, while its callers later open that presumed-existing file with O_CREAT. The problem was that a malicious user could provoke mkstemp failure and race to create a symlink with the selected temporary file name, thus causing the qemu process (usually root owned) to open through the symlink, overwriting an attacker-chosen file. This addresses CVE-2012-2652. http://bugzilla.redhat.com/CVE-2012-2652 Reviewed-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> Acked-by: Bruce Rogers <brogers@suse.com> --- block.c | 37 ++++++++++++++++++++++++------------- block/vvfat.c | 7 ++++++- block_int.h | 2 +- 3 files changed, 31 insertions(+), 15 deletions(-) diff --git a/block.c b/block.c index af2ab4f..7547051 100644 --- a/block.c +++ b/block.c 
@@ -409,28 +409,36 @@ int bdrv_create_file(const char* filename, QEMUOptionParameter *options) return bdrv_create(drv, filename, options); } -#ifdef _WIN32 -void get_tmp_filename(char *filename, int size) +/* + * Create a uniquely-named empty temporary file. + * Return 0 upon success, otherwise a negative errno value. + */ +int get_tmp_filename(char *filename, int size) { +#ifdef _WIN32 char temp_dir[MAX_PATH]; - - GetTempPath(MAX_PATH, temp_dir); - GetTempFileName(temp_dir, "qem", 0, filename); -} + /* GetTempFileName requires that its output buffer (4th param) + have length MAX_PATH or greater. */ + assert(size >= MAX_PATH); + return (GetTempPath(MAX_PATH, temp_dir) + && GetTempFileName(temp_dir, "qem", 0, filename) + ? 0 : -GetLastError()); #else -void get_tmp_filename(char *filename, int size) -{ int fd; const char *tmpdir; - /* XXX: race condition possible */ tmpdir = getenv("TMPDIR"); if (!tmpdir) tmpdir = "/tmp"; - snprintf(filename, size, "%s/vl.XXXXXX", tmpdir); + if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) { + return -EOVERFLOW; + } fd = mkstemp(filename); - close(fd); -} + if (fd < 0 || close(fd)) { + return -errno; + } + return 0; #endif +} /* * Detect host devices. By convention, /dev/cdrom[N] is always @@ -753,7 +761,10 @@ int bdrv_open(BlockDriverState *bs, const char *filename, int flags, bdrv_delete(bs1); - get_tmp_filename(tmp_filename, sizeof(tmp_filename)); + ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename)); + if (ret < 0) { + return ret; + } /* Real path is meaningless for protocols */ if (is_protocol) diff --git a/block/vvfat.c b/block/vvfat.c index 2dc9d50..0fd3367 100644 --- a/block/vvfat.c +++ b/block/vvfat.c 
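Review bot: On the `_WIN32` branch of get_tmp_filename, `-GetLastError()` returns a negated Win32 error code rather than the "negative errno value" the new header comment promises, so a caller that interprets the result as an errno will misreport the failure. Returning a fixed errno there, or mapping the code, would match the stated contract. The `assert(size >= MAX_PATH)` that protects GetTempFileName's output buffer is removed in any build that defines NDEBUG, so an explicit `if (size < MAX_PATH) return -EOVERFLOW;` is the safer guard. On the POSIX branch a failing `close(fd)` is reported but leaves the file mkstemp created behind, so an `unlink(filename)` before `return -errno;` would avoid a stray file. The function still closes the file and lets its callers reopen it by name, so the fix relies on the temporary directory not allowing another user to replace that name; a comment saying so would help.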
@@ -2808,7 +2808,12 @@ static int enable_write_target(BDRVVVFATState *s) array_init(&(s->commits), sizeof(commit_t)); s->qcow_filename = g_malloc(1024); - get_tmp_filename(s->qcow_filename, 1024); + ret = get_tmp_filename(s->qcow_filename, 1024); + if (ret < 0) { + g_free(s->qcow_filename); + s->qcow_filename = NULL; + return ret; + } bdrv_qcow = bdrv_find_format("qcow"); options = parse_option_parameters("", bdrv_qcow->create_options, NULL); diff --git a/block_int.h b/block_int.h index b80e66d..3d4abc6 100644 --- a/block_int.h +++ b/block_int.h @@ -335,7 +335,7 @@ struct BlockDriverState { BlockJob *job; }; -void get_tmp_filename(char *filename, int size); +int get_tmp_filename(char *filename, int size); void bdrv_set_io_limits(BlockDriverState *bs, BlockIOLimit *io_limits); -- 1.7.7 ++++++ kvm-qemu-preXX-uhci-fix-uhci_async_cancel_all.patch ++++++ From: Gerd Hoffmann <kraxel@redhat.com> Date: Fri, 15 Jun 2012 09:39:50 +0200 Subject: [PATCH] uhci: fix uhci_async_cancel_all Reference: bnc#766310 We update the QTAILQ in the loop, thus we must use the SAFE version to make sure we don't touch the queue struct after freeing it. https://bugzilla.novell.com/show_bug.cgi?id=766310 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Acked-by: Bruce Rogers <brogers@suse.com> --- hw/usb/hcd-uhci.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c index 9871e24..2ebce04 100644 --- a/hw/usb/hcd-uhci.c +++ b/hw/usb/hcd-uhci.c 
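Review bot: The buffer length 1024 is written twice in enable_write_target, once in `g_malloc(1024)` and once as the size passed to `get_tmp_filename`, so the allocation and the bound that the new overflow check relies on can drift apart if only one is edited. A single named constant used in both places, for example `#define VVFAT_TMP_NAME_LEN 1024` (name constructed here), keeps them in step. The new error path returns after `array_init(&(s->commits), ...)`; whether the caller releases that array on failure, and where `ret` is declared, lie outside this hunk and are worth confirming.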
@@ -292,10 +292,10 @@ static void uhci_async_cancel_device(UHCIState *s, USBDevice *dev) static void uhci_async_cancel_all(UHCIState *s) { - UHCIQueue *queue; + UHCIQueue *queue, *nq; UHCIAsync *curr, *n; - QTAILQ_FOREACH(queue, &s->queues, next) { + QTAILQ_FOREACH_SAFE(queue, &s->queues, next, nq) { QTAILQ_FOREACH_SAFE(curr, &queue->asyncs, next, n) { uhci_async_unlink(curr); uhci_async_cancel(curr); -- 1.7.7 ++++++ kvm-qemu-preXX-use--libexecdir-instead-of-ignoring.patch ++++++ Commit 7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 "Add basic version of bridge helper" put the bridge helper executable into a fixed ${prefix}/libexec/ location, instead of using ${libexecdir} for this. At the same time, --libexecdir is being happily ignored by ./configure. Even more, the same patch sets unused $libexecdir variable in the generated config-host.mak, and uses fixed string (\${prefix}/libexecdir) for the bridge helper binary. Fix this braindamage by introducing $libexecdir variable, using it for the bridge helper binary, and recognizing --libexecdir. This patch is applicable to stable-1.1. Signed-off-by: Michael Tokarev <mjt@tls.msk.ru> Cc: Corey Bryant <coreyb@linux.vnet.ibm.com> Cc: Richa Marwaha <rmarwah@linux.vnet.ibm.com> Cc: qemu-stable@nongnu.org --- configure | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/configure b/configure index 38dafec..fc86803 100755 --- a/configure +++ b/configure @@ -169,6 +169,7 @@ datadir="\${prefix}/share" qemu_docdir="\${prefix}/share/doc/qemu" bindir="\${prefix}/bin" libdir="\${prefix}/lib" +libexecdir="\${prefix}/libexec" includedir="\${prefix}/include" sysconfdir="\${prefix}/etc" confsuffix="/qemu" @@ -598,6 +599,8 @@ for opt do ;; --libdir=*) libdir="$optarg" ;; + --libexecdir=*) libexecdir="$optarg" + ;; --includedir=*) includedir="$optarg" ;; --datadir=*) datadir="$optarg" 
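Review bot: Nothing in uhci_async_cancel_all says why the outer loop now needs `QTAILQ_FOREACH_SAFE`; the reason is given only in the patch description (the queue list is updated in the loop and the struct must not be touched after it is freed). A one-line comment above the loop, e.g. `/* queues are freed inside the loop, so the next pointer is kept in nq */`, would stop a later cleanup from simplifying it back to `QTAILQ_FOREACH`. The freeing call itself lies below the last visible line of the hunk, so this is taken from the description rather than the code. uhci_async_cancel_device, named in the hunk header, may deserve the same check if it walks `s->queues` and frees entries.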
@@ -608,7 +611,7 @@ for opt do ;; --sysconfdir=*) sysconfdir="$optarg" ;; - --sbindir=*|--libexecdir=*|--sharedstatedir=*|--localstatedir=*|\ + --sbindir=*|--sharedstatedir=*|--localstatedir=*|\ --oldincludedir=*|--datarootdir=*|--infodir=*|--localedir=*|\ --htmldir=*|--dvidir=*|--pdfdir=*|--psdir=*) # These switches are silently ignored, for compatibility with @@ -2960,6 +2963,7 @@ echo "Install prefix $prefix" echo "BIOS directory `eval echo $qemu_datadir`" echo "binary directory `eval echo $bindir`" echo "library directory `eval echo $libdir`" +echo "libexec directory `eval echo $libexecdir`" echo "include directory `eval echo $includedir`" echo "config directory `eval echo $sysconfdir`" if test "$mingw32" = "no" ; then @@ -3064,14 +3068,14 @@ echo all: >> $config_host_mak echo "prefix=$prefix" >> $config_host_mak echo "bindir=$bindir" >> $config_host_mak echo "libdir=$libdir" >> $config_host_mak +echo "libexecdir=$libexecdir" >> $config_host_mak echo "includedir=$includedir" >> $config_host_mak echo "mandir=$mandir" >> $config_host_mak echo "sysconfdir=$sysconfdir" >> $config_host_mak echo "qemu_confdir=$qemu_confdir" >> $config_host_mak echo "qemu_datadir=$qemu_datadir" >> $config_host_mak echo "qemu_docdir=$qemu_docdir" >> $config_host_mak -echo "libexecdir=\${prefix}/libexec" >> $config_host_mak -echo "CONFIG_QEMU_HELPERDIR=\"$prefix/libexec\"" >> $config_host_mak +echo "CONFIG_QEMU_HELPERDIR=\"$libexecdir\"" >> $config_host_mak echo "ARCH=$ARCH" >> $config_host_mak if test "$debug_tcg" = "yes" ; then -- 1.7.10 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
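Review bot: The new line `echo "CONFIG_QEMU_HELPERDIR=\"$libexecdir\"" >> $config_host_mak` writes an unexpanded value when --libexecdir is not given, because the default added earlier in this patch is the literal string `\${prefix}/libexec`, whereas the removed line wrote `$prefix/libexec` already expanded. If the C header is generated from config-host.mak without make expanding variables (not visible on this page), the helper directory compiled into the binary would contain a literal `${prefix}` and the bridge helper would not be found. Writing the result of `eval echo $libexecdir` instead of `$libexecdir`, as the "libexec directory" summary line added in this patch already does, expands the path at configure time. The kvm.spec in this commit passes --libexecdir explicitly, so the package build itself should not hit this.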