qemu: apply patches for multiple CVEs

Fixes: * CVE-2017-2615 * CVE-2017-5667 * CVE-2017-5898 * CVE-2017-5931 * CVE-2017-5973 We are vulnerable to even more CVEs but those are either not severe like memory leaks in obscure situations or upstream hasn't acknowledged the patch yet. cc #23072
NixOS · Feb 25, 2017 · 6bafe64 · 6bafe64
1 parent 9f184ac
commit 6bafe64
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
@@ -51,7 +51,39 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./no-etc-install.patch
+
+    (fetchurl {
+      name = "CVE-2017-2615.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64";
+      sha256 = "0miph2x4d474issa44hmc542zxmkc7lsr4ncb7pwarq6j7v52l8h";
+    })
+
+    (fetchurl {
+      name = "CVE-2017-5667.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=42922105beb14c2fc58185ea022b9f72fb5465e9";
+      sha256 = "049vq70is3fj9bf4ysfj3s44iz93qhyqn6xijck32w1x6yyzqyx4";
+     })
+
+    (fetchurl {
+      name = "CVE-2017-5898.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a";
+      sha256 = "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn";
+     })
+
+    (fetchurl {
+      name = "CVE-2017-5931.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=a08aaff811fb194950f79711d2afe5a892ae03a4";
+      sha256 = "0hlih9jhbb1mb174hvxs7pf7lgcs7s9g705ri9rliw7wrhqdpja5";
+     })
+
+    (fetchurl {
+      name = "CVE-2017-5973.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b";
+      sha256 = "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6";
+     })
+
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
+
   hardeningDisable = [ "stackprotector" ];
 
   configureFlags =