qemu: add patches for CVE-2020-7039 and CVE-2020-7211 #79050

Merged
merged 1 commit into from Feb 10, 2020

Contributor

@andrew-d andrew-d commented Feb 1, 2020

Motivation for this change

Patch two known CVEs in QEMU.

Fixes #78762

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @ckauhaus

@andrew-d andrew-d requested a review from risicle February 1, 2020 22:36
@andrew-d
Contributor Author

andrew-d commented Feb 1, 2020

@GrahamcOfBorg build qemu

@risicle
Contributor

risicle commented Feb 1, 2020

What is the origin of the CVE-2020-7039 patch and why isn't it fetchable?

@andrew-d
Contributor Author

andrew-d commented Feb 1, 2020

It's a manually-merged version of these three commits:
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9

It's not fetchable because it includes an entry to the CHANGELOG which causes it to fail to apply. In the version in this PR, that section is dropped.

@andrew-d
Contributor Author

andrew-d commented Feb 1, 2020

(and those three commits were obtained from the links in the NVD entry)

@risicle
Contributor

risicle commented Feb 2, 2020

Will the excludes option to fetchpatch not strip the changelog out?

@andrew-d
Contributor Author

andrew-d commented Feb 2, 2020

@risicle - TIL about the excludes option; thanks! That seems to have worked, so I switched to that.

@GrahamcOfBorg build qemu

Contributor

@risicle risicle left a comment

LGTM on non-nixos linux x86_64 & macos 10.14.

@ckauhaus
Contributor

Built and smoke-tested successfully on NixOS. LGTM.

@ckauhaus ckauhaus merged commit edfd964 into NixOS:master Feb 10, 2020
Successfully merging this pull request may close these issues.

Vulnerability roundup 82: qemu-4.2.0: 2 advisories