#28077 [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 13 Aug 2017 13:39:10 +0000
From debbugs-submit-bounces@debbugs.gnu.org Sun Aug 13 09:39:10 2017
Received: from localhost ([127.0.0.1]:59316 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dgt6Z-0003ZG-Tu
	for submit@debbugs.gnu.org; Sun, 13 Aug 2017 09:39:10 -0400
Received: from eggs.gnu.org ([208.118.235.92]:55631)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <alexvong1995@gmail.com>) id 1dgt6S-0003Z8-Ju
 for submit@debbugs.gnu.org; Sun, 13 Aug 2017 09:38:59 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <alexvong1995@gmail.com>) id 1dgt6K-00081S-OM
 for submit@debbugs.gnu.org; Sun, 13 Aug 2017 09:38:47 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=BAYES_50,
 FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,T_DKIM_INVALID autolearn=disabled
 version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:37401)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <alexvong1995@gmail.com>)
 id 1dgt6K-00081J-Jp
 for submit@debbugs.gnu.org; Sun, 13 Aug 2017 09:38:44 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46547)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <alexvong1995@gmail.com>) id 1dgt6H-00059U-MW
 for guix-patches@gnu.org; Sun, 13 Aug 2017 09:38:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <alexvong1995@gmail.com>) id 1dgt6E-0007wQ-8z
 for guix-patches@gnu.org; Sun, 13 Aug 2017 09:38:41 -0400
Received: from mail-pf0-x233.google.com ([2607:f8b0:400e:c00::233]:36716)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <alexvong1995@gmail.com>)
 id 1dgt6D-0007uz-Tk
 for guix-patches@gnu.org; Sun, 13 Aug 2017 09:38:38 -0400
Received: by mail-pf0-x233.google.com with SMTP id c28so32367665pfe.3
 for <guix-patches@gnu.org>; Sun, 13 Aug 2017 06:38:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:subject:date:message-id:user-agent:mime-version;
 bh=KrcmIXUDkOeAYc7RUi//5KLy0yy4NyU1yjxN6jO5sTE=;
 b=f7aOLtsnWhSie8VCHURcpWaewQWNTGJCml2y0x2nqcQR1NKos3QNxsOxj4YDC6EsFV
 lzjI3C3GykusYQsNmsKOQqpIV8P9opqRuQ/sfKrVp1FwM2ULqncz4oIrQNn164RIQgFq
 Qc/IpMaGVtODHA58f3aZC0DlJ+J89cvNoHCp9PtLKt0ELcNUDzmecFImbw+1w233pJCf
 sFX/M96ZNtXqWtx/A78ZVVTb6pnmV7Dl8wvr67LmS5zf+WQ3SeedshiR2eySISNRrgkI
 1JnWklntxep3lHkoUX2n3808DO//EMvbqp0Ig8uRtOG41x/et65dfQz1QZUxMINF/OqZ
 rQ/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:subject:date:message-id:user-agent
 :mime-version;
 bh=KrcmIXUDkOeAYc7RUi//5KLy0yy4NyU1yjxN6jO5sTE=;
 b=YUtiH0ujDg8nyuHWbX8PSt8jD8Y+YMExcNXVbXXpJKAgEGRA9mEIepK5fRAqlXxFRV
 NomCwuaOMX1mgNhpqepCBEn6yh49dO/M2o8dm4V1ybMJ6zMkZtyXRzX8LUbQb0slv5XX
 urQUimBKuuzIUeljMDOZo+FeZ1tvdGN+SEC/+Q6ca+M3XnuxxalEEw+V9Q7JNJNYBEWx
 fCQ5nEj1qyUFS5gbficZF/FtMRT2fzqYpW3nzYpguF9TkB2xK8pyI5K1ZDOp3paXnId7
 jzkSNFokBNxd/HrVmHRqg6GSSxSiGS39+zQz0OM4HB69IdV1HpqCCbAMissxz6o0Z7KC
 fS9A==
X-Gm-Message-State: AHYfb5g/n2zKhk7ztG7JuIASBVujoiH8CqsS+wLwcHcXkKimGmS0HmHk
 CJKa5akN6f8UJQ==
X-Received: by 10.98.31.7 with SMTP id f7mr22435883pff.27.1502631515339;
 Sun, 13 Aug 2017 06:38:35 -0700 (PDT)
Received: from debian (1-36-201-133.static.netvigator.com. [1.36.201.133])
 by smtp.gmail.com with ESMTPSA id o10sm9640677pgc.81.2017.08.13.06.38.32
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Sun, 13 Aug 2017 06:38:33 -0700 (PDT)
From: Alex Vong <alexvong1995@gmail.com>
To: guix-patches@gnu.org
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.
Date: Sun, 13 Aug 2017 21:38:18 +0800
Message-ID: <87pobz1tbp.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not
 recognized.
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -3.8 (---)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: 1.2 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 
 Content preview:  Severity: important Tags: security Hello, This fixes a bunch
    of CVEs which were left unfixed. Most of the patches are copied from the
   upstream git repo. Except one is copied from Xen Security Advisory. [...] 
 
 Content analysis details:   (1.2 points, 10.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
                             digit (alexvong1995[at]gmail.com)
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                             (alexvong1995[at]gmail.com)
  0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

[Message part 1 (text/plain, inline)]

Severity: important
Tags: security

Hello,

This fixes a bunch of CVEs which were left unfixed. Most of the patches
are copied from the upstream git repo. Except one is copied from Xen
Security Advisory.

[0001-gnu-qemu-Fix-CVE-2017-10664-10806-10911-11434.patch (text/x-diff, inline)]

From f513dd18602c0321bedce3f4ebf4b0b6a77288ac Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Sun, 13 Aug 2017 19:42:59 +0800
Subject: [PATCH] gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

* gnu/packages/patches/qemu-CVE-2017-10664.patch,
gnu/packages/patches/qemu-CVE-2017-10806.patch,
gnu/packages/patches/qemu-CVE-2017-10911.patch,
gnu/packages/patches/qemu-CVE-2017-11434.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                   |   4 +
 gnu/packages/patches/qemu-CVE-2017-10664.patch |  58 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10806.patch |  61 ++++++++++++
 gnu/packages/patches/qemu-CVE-2017-10911.patch | 123 +++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-11434.patch |  46 +++++++++
 gnu/packages/virtualization.scm                |   7 +-
 6 files changed, 298 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10664.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10806.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10911.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-11434.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index c12fd8559..f513a7490 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -988,7 +988,11 @@ dist_patch_DATA =						\
   %D%/packages/patches/qemu-CVE-2017-8379.patch			\
   %D%/packages/patches/qemu-CVE-2017-8380.patch			\
   %D%/packages/patches/qemu-CVE-2017-9524.patch			\
+  %D%/packages/patches/qemu-CVE-2017-10664.patch		\
+  %D%/packages/patches/qemu-CVE-2017-10806.patch		\
+  %D%/packages/patches/qemu-CVE-2017-10911.patch		\
   %D%/packages/patches/qemu-CVE-2017-11334.patch		\
+  %D%/packages/patches/qemu-CVE-2017-11434.patch		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quagga-reproducible-build.patch          \
diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch
new file mode 100644
index 000000000..5a7406eaf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch
@@ -0,0 +1,58 @@
+Fix CVE-2017-10664:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1466190
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
+https://security-tracker.debian.org/tracker/CVE-2017-10664
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
+
+From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Sun, 11 Jun 2017 14:37:14 +0200
+Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
+
+qemu proper has done so for 13 years
+(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
+done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
+Ignoring this signal is especially important in qemu-nbd because
+otherwise a client can easily take down the qemu-nbd server by dropping
+the connection when the server wants to send something, for example:
+
+$ qemu-nbd -x foo -f raw -t null-co:// &
+[1] 12726
+$ qemu-io -c quit nbd://localhost/bar
+can't open device nbd://localhost/bar: No export with name 'bar' available
+[1]  + 12726 broken pipe  qemu-nbd -x foo -f raw -t null-co://
+
+In this case, the client sends an NBD_OPT_ABORT and closes the
+connection (because it is not required to wait for a reply), but the
+server replies with an NBD_REP_ACK (because it is required to reply).
+
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ qemu-nbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 9464a0461c..4dd3fd4732 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -581,6 +581,10 @@ int main(int argc, char **argv)
+     sa_sigterm.sa_handler = termsig_handler;
+     sigaction(SIGTERM, &sa_sigterm, NULL);
+ 
++#ifdef CONFIG_POSIX
++    signal(SIGPIPE, SIG_IGN);
++#endif
++
+     module_call_init(MODULE_INIT_TRACE);
+     qcrypto_init(&error_fatal);
+ 
+-- 
+2.14.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch
new file mode 100644
index 000000000..202ced8cf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch
@@ -0,0 +1,61 @@
+Fix CVE-2017-10806:
+
+https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1468496
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
+https://security-tracker.debian.org/tracker/CVE-2017-10806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
+
+From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 9 May 2017 13:01:28 +0200
+Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't reinvent a broken wheel, just use the hexdump function we have.
+
+Impact: low, broken code doesn't run unless you have debug logging
+enabled.
+
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170509110128.27261-1-kraxel@redhat.com
+---
+ hw/usb/redirect.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index b001a27f05..ad5ef783a6 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+     const uint8_t *data, int len)
+ {
+-    int i, j, n;
+-
+     if (dev->debug < usbredirparser_debug_data) {
+         return;
+     }
+-
+-    for (i = 0; i < len; i += j) {
+-        char buf[128];
+-
+-        n = sprintf(buf, "%s", desc);
+-        for (j = 0; j < 8 && i + j < len; j++) {
+-            n += sprintf(buf + n, " %02X", data[i + j]);
+-        }
+-        error_report("%s", buf);
+-    }
++    qemu_hexdump((char *)data, stderr, desc, len);
+ }
+ 
+ /*
+-- 
+2.14.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch
new file mode 100644
index 000000000..fed3fb8ff
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch
@@ -0,0 +1,123 @@
+Fix CVE-2017-10911:
+
+https://xenbits.xen.org/xsa/advisory-216.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
+https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Patch copied from Xen Security Advisory:
+
+https://xenbits.xen.org/xsa/xsa216-qemuu.patch
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: xen/disk: don't leak stack data via response ring
+
+Rather than constructing a local structure instance on the stack, fill
+the fields directly on the shared ring, just like other (Linux)
+backends do. Build on the fact that all response structure flavors are
+actually identical (the old code did make this assumption too).
+
+This is XSA-216.
+
+Reported-by: Anthony Perard <anthony.perard@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Acked-by: Anthony PERARD <anthony.perard@citrix.com>
+---
+v2: Add QEMU_PACKED to fix handling 32-bit guests by 64-bit qemu.
+
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -14,9 +14,6 @@
+ struct blkif_common_request {
+     char dummy;
+ };
+-struct blkif_common_response {
+-    char dummy;
+-};
+ 
+ /* i386 protocol version */
+ #pragma pack(push, 4)
+@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
+ };
+-struct blkif_x86_32_response {
+-    uint64_t        id;              /* copied from request */
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_32_request blkif_x86_32_request_t;
+-typedef struct blkif_x86_32_response blkif_x86_32_response_t;
+ #pragma pack(pop)
+ 
+ /* x86_64 protocol version */
+@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
+ };
+-struct blkif_x86_64_response {
+-    uint64_t       __attribute__((__aligned__(8))) id;
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_64_request blkif_x86_64_request_t;
+-typedef struct blkif_x86_64_response blkif_x86_64_response_t;
+ 
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+-                  struct blkif_common_response);
++                  struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+-                  struct blkif_x86_32_response);
++                  struct blkif_response QEMU_PACKED);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+-                  struct blkif_x86_64_response);
++                  struct blkif_response);
+ 
+ union blkif_back_rings {
+     blkif_back_ring_t        native;
+--- a/hw/block/xen_disk.c
++++ b/hw/block/xen_disk.c
+@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
+     struct XenBlkDev  *blkdev = ioreq->blkdev;
+     int               send_notify   = 0;
+     int               have_requests = 0;
+-    blkif_response_t  resp;
+-    void              *dst;
+-
+-    resp.id        = ioreq->req.id;
+-    resp.operation = ioreq->req.operation;
+-    resp.status    = ioreq->status;
++    blkif_response_t  *resp;
+ 
+     /* Place on the response ring for the relevant domain. */
+     switch (blkdev->protocol) {
+     case BLKIF_PROTOCOL_NATIVE:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.native,
++                                 blkdev->rings.native.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_32:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+-                                blkdev->rings.x86_32_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
++                                 blkdev->rings.x86_32_part.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_64:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+-                                blkdev->rings.x86_64_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
++                                 blkdev->rings.x86_64_part.rsp_prod_pvt);
+         break;
+     default:
+-        dst = NULL;
+         return 0;
+     }
+-    memcpy(dst, &resp, sizeof(resp));
++
++    resp->id        = ioreq->req.id;
++    resp->operation = ioreq->req.operation;
++    resp->status    = ioreq->status;
++
+     blkdev->rings.common.rsp_prod_pvt++;
+ 
+     RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch
new file mode 100644
index 000000000..8c384b6c8
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-11434:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1472611
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
+https://security-tracker.debian.org/tracker/CVE-2017-11434
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
+
+From 413d463f43fbc4dd3a601e80a5724aa384a265a0 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 17 Jul 2017 17:33:26 +0530
+Subject: [PATCH] slirp: check len against dhcp options array end
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+This is CVE-2017-11434.
+
+Reported-by: Reno Robert <renorobert@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             if (p >= p_end)
+                 break;
+             len = *p++;
++            if (p + len > p_end) {
++                break;
++            }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+ 
+             switch(tag) {
+-- 
+2.14.1
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 49998120d..ab364cd1f 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -82,7 +83,11 @@
                                       "qemu-CVE-2017-8379.patch"
                                       "qemu-CVE-2017-8380.patch"
                                       "qemu-CVE-2017-9524.patch"
-                                      "qemu-CVE-2017-11334.patch"))
+                                      "qemu-CVE-2017-10664.patch"
+                                      "qemu-CVE-2017-10806.patch"
+                                      "qemu-CVE-2017-10911.patch"
+                                      "qemu-CVE-2017-11334.patch"
+                                      "qemu-CVE-2017-11434.patch"))
              (sha256
               (base32
                "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
-- 
2.14.0

[Message part 3 (text/plain, inline)]

Cheers,
Alex

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.