M gnu/local.mk => gnu/local.mk +4 -0
@@ 989,7 989,11 @@ dist_patch_DATA = \
%D%/packages/patches/qemu-CVE-2017-8379.patch \
%D%/packages/patches/qemu-CVE-2017-8380.patch \
%D%/packages/patches/qemu-CVE-2017-9524.patch \
+ %D%/packages/patches/qemu-CVE-2017-10664.patch \
+ %D%/packages/patches/qemu-CVE-2017-10806.patch \
+ %D%/packages/patches/qemu-CVE-2017-10911.patch \
%D%/packages/patches/qemu-CVE-2017-11334.patch \
+ %D%/packages/patches/qemu-CVE-2017-11434.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtscript-disable-tests.patch \
%D%/packages/patches/quagga-reproducible-build.patch \
A gnu/packages/patches/qemu-CVE-2017-10664.patch => gnu/packages/patches/qemu-CVE-2017-10664.patch +27 -0
@@ 0,0 1,27 @@
+Fix CVE-2017-10664:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1466190
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
+https://security-tracker.debian.org/tracker/CVE-2017-10664
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 9464a0461c..4dd3fd4732 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -581,6 +581,10 @@ int main(int argc, char **argv)
+ sa_sigterm.sa_handler = termsig_handler;
+ sigaction(SIGTERM, &sa_sigterm, NULL);
+
++#ifdef CONFIG_POSIX
++ signal(SIGPIPE, SIG_IGN);
++#endif
++
+ module_call_init(MODULE_INIT_TRACE);
+ qcrypto_init(&error_fatal);
+
+
A gnu/packages/patches/qemu-CVE-2017-10806.patch => gnu/packages/patches/qemu-CVE-2017-10806.patch +38 -0
@@ 0,0 1,38 @@
+Fix CVE-2017-10806:
+
+https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1468496
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
+https://security-tracker.debian.org/tracker/CVE-2017-10806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index b001a27f05..ad5ef783a6 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+ const uint8_t *data, int len)
+ {
+- int i, j, n;
+-
+ if (dev->debug < usbredirparser_debug_data) {
+ return;
+ }
+-
+- for (i = 0; i < len; i += j) {
+- char buf[128];
+-
+- n = sprintf(buf, "%s", desc);
+- for (j = 0; j < 8 && i + j < len; j++) {
+- n += sprintf(buf + n, " %02X", data[i + j]);
+- }
+- error_report("%s", buf);
+- }
++ qemu_hexdump((char *)data, stderr, desc, len);
+ }
+
+ /*
A gnu/packages/patches/qemu-CVE-2017-10911.patch => gnu/packages/patches/qemu-CVE-2017-10911.patch +106 -0
@@ 0,0 1,106 @@
+Fix CVE-2017-10911:
+
+https://xenbits.xen.org/xsa/advisory-216.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
+https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Patch copied from Xen Security Advisory:
+
+https://xenbits.xen.org/xsa/xsa216-qemuu.patch
+
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -14,9 +14,6 @@
+ struct blkif_common_request {
+ char dummy;
+ };
+-struct blkif_common_response {
+- char dummy;
+-};
+
+ /* i386 protocol version */
+ #pragma pack(push, 4)
+@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
+ blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */
+ uint64_t nr_sectors; /* # of contiguous sectors to discard */
+ };
+-struct blkif_x86_32_response {
+- uint64_t id; /* copied from request */
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+ typedef struct blkif_x86_32_request blkif_x86_32_request_t;
+-typedef struct blkif_x86_32_response blkif_x86_32_response_t;
+ #pragma pack(pop)
+
+ /* x86_64 protocol version */
+@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
+ blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */
+ uint64_t nr_sectors; /* # of contiguous sectors to discard */
+ };
+-struct blkif_x86_64_response {
+- uint64_t __attribute__((__aligned__(8))) id;
+- uint8_t operation; /* copied from request */
+- int16_t status; /* BLKIF_RSP_??? */
+-};
+ typedef struct blkif_x86_64_request blkif_x86_64_request_t;
+-typedef struct blkif_x86_64_response blkif_x86_64_response_t;
+
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+- struct blkif_common_response);
++ struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+- struct blkif_x86_32_response);
++ struct blkif_response QEMU_PACKED);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+- struct blkif_x86_64_response);
++ struct blkif_response);
+
+ union blkif_back_rings {
+ blkif_back_ring_t native;
+--- a/hw/block/xen_disk.c
++++ b/hw/block/xen_disk.c
+@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
+ struct XenBlkDev *blkdev = ioreq->blkdev;
+ int send_notify = 0;
+ int have_requests = 0;
+- blkif_response_t resp;
+- void *dst;
+-
+- resp.id = ioreq->req.id;
+- resp.operation = ioreq->req.operation;
+- resp.status = ioreq->status;
++ blkif_response_t *resp;
+
+ /* Place on the response ring for the relevant domain. */
+ switch (blkdev->protocol) {
+ case BLKIF_PROTOCOL_NATIVE:
+- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
++ resp = RING_GET_RESPONSE(&blkdev->rings.native,
++ blkdev->rings.native.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_32:
+- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+- blkdev->rings.x86_32_part.rsp_prod_pvt);
++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
++ blkdev->rings.x86_32_part.rsp_prod_pvt);
+ break;
+ case BLKIF_PROTOCOL_X86_64:
+- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+- blkdev->rings.x86_64_part.rsp_prod_pvt);
++ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
++ blkdev->rings.x86_64_part.rsp_prod_pvt);
+ break;
+ default:
+- dst = NULL;
+ return 0;
+ }
+- memcpy(dst, &resp, sizeof(resp));
++
++ resp->id = ioreq->req.id;
++ resp->operation = ioreq->req.operation;
++ resp->status = ioreq->status;
++
+ blkdev->rings.common.rsp_prod_pvt++;
+
+ RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
A gnu/packages/patches/qemu-CVE-2017-11434.patch => gnu/packages/patches/qemu-CVE-2017-11434.patch +25 -0
@@ 0,0 1,25 @@
+Fix CVE-2017-11434:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1472611
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
+https://security-tracker.debian.org/tracker/CVE-2017-11434
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ if (p >= p_end)
+ break;
+ len = *p++;
++ if (p + len > p_end) {
++ break;
++ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+
+ switch(tag) {
M gnu/packages/virtualization.scm => gnu/packages/virtualization.scm +6 -1
@@ 3,6 3,7 @@
;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ 82,7 83,11 @@
"qemu-CVE-2017-8379.patch"
"qemu-CVE-2017-8380.patch"
"qemu-CVE-2017-9524.patch"
- "qemu-CVE-2017-11334.patch"))
+ "qemu-CVE-2017-10664.patch"
+ "qemu-CVE-2017-10806.patch"
+ "qemu-CVE-2017-10911.patch"
+ "qemu-CVE-2017-11334.patch"
+ "qemu-CVE-2017-11434.patch"))
(sha256
(base32
"08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))