diff --git a/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch b/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch index cc5ada9..5245b0f 100644 --- a/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch +++ b/0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch @@ -1,10 +1,10 @@ +From e54512fe75f85640c0c73e53e6f8bd0b9d193529 Mon Sep 17 00:00:00 2001 From: Paolo Bonzini Date: Tue, 1 Feb 2022 20:09:37 +0100 -Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable +Subject: [PATCH 1/7] target/i386: the sgx_epc_get_section stub is reachable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -Content-type: text/plain The sgx_epc_get_section stub is reachable from cpu_x86_cpuid. It should not assert, instead it should just return true just like @@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644 - g_assert_not_reached(); + return true; } +-- +2.37.3 + diff --git a/0001-tests-Disable-pci_virtio_vga-for-ppc64.patch b/0002-tests-Disable-pci_virtio_vga-for-ppc64.patch similarity index 90% rename from 0001-tests-Disable-pci_virtio_vga-for-ppc64.patch rename to 0002-tests-Disable-pci_virtio_vga-for-ppc64.patch index 26d8ed7..48c4203 100644 --- a/0001-tests-Disable-pci_virtio_vga-for-ppc64.patch +++ b/0002-tests-Disable-pci_virtio_vga-for-ppc64.patch @@ -1,7 +1,7 @@ -From f6d5fd60f54fb9dcdc3733154637a3a214f5d5af Mon Sep 17 00:00:00 2001 +From 2f0a0afbf915d36c39c5cfac1e31c6edc7f47bef Mon Sep 17 00:00:00 2001 From: "Eduardo Lima (Etrunko)" Date: Thu, 1 Sep 2022 12:43:49 -0300 -Subject: [PATCH] tests: Disable pci_virtio_vga for ppc64 +Subject: [PATCH 2/7] tests: Disable pci_virtio_vga for ppc64 starting QEMU: exec ./qemu-system-ppc64 -qtest unix:/tmp/qtest-2378197.sock -qtest-log /dev/null -chardev socket,path=/tmp/qtest-2378197.qmp,id=char0 -mon chardev=char0,mode=control -display none -vga none -device virtio-vga -accel qtest stderr: 
@@ -28,5 +28,5 @@ index ace3bb28e0..628dad4cf2 100644 } -- -2.37.2 +2.37.3 diff --git a/0003-Revert-linux-user-add-more-compat-ioctl-definitions.patch b/0003-Revert-linux-user-add-more-compat-ioctl-definitions.patch index e263067..f69907e 100644 --- a/0003-Revert-linux-user-add-more-compat-ioctl-definitions.patch +++ b/0003-Revert-linux-user-add-more-compat-ioctl-definitions.patch @@ -1,7 +1,7 @@ -From ebff02a43374c1138d4f8b2c07d2088a3921c288 Mon Sep 17 00:00:00 2001 +From 5c1d2f920c14d6e8f4ac7abc62714eadaa60f228 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 10 Jan 2023 12:37:14 -0500 -Subject: [PATCH 1/2] Revert "linux-user: add more compat ioctl definitions" +Subject: [PATCH 3/7] Revert "linux-user: add more compat ioctl definitions" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -27,7 +27,7 @@ Signed-off-by: Daniel P. Berrangé 1 file changed, 25 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 1f8c10f8ef..9c1e9555e1 100644 +index 24b25759be..10af5e0d8e 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -111,31 +111,6 @@ @@ -63,5 +63,5 @@ index 1f8c10f8ef..9c1e9555e1 100644 #include #endif -- -2.38.1 +2.37.3 diff --git a/0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch b/0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch index 08f5180..6487990 100644 --- a/0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch +++ b/0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch @@ -1,7 +1,7 @@ -From f0f11a1435802b5c8ee8337a7b0c0f337d8f9936 Mon Sep 17 00:00:00 2001 +From b40cf0a490c28d5b79e05382d061983b92a7b2b3 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 10 Jan 2023 12:37:25 -0500 -Subject: [PATCH 2/2] Revert "linux-user: fix compat with glibc >= 2.36 +Subject: [PATCH 4/7] Revert "linux-user: fix compat with glibc >= 2.36 sys/mount.h" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -29,7 +29,7 @@ Signed-off-by: Daniel P. Berrangé 2 files changed, 20 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 9c1e9555e1..f2b7634f5e 100644 +index 10af5e0d8e..d974c76b60 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c @@ -95,25 +95,7 @@ @@ -59,10 +59,10 @@ index 9c1e9555e1..f2b7634f5e 100644 #if defined(CONFIG_FIEMAP) #include diff --git a/meson.build b/meson.build -index 175517eafd..32fed7ea6e 100644 +index 5c6b5a1c75..3172b01089 100644 --- a/meson.build +++ b/meson.build -@@ -2039,8 +2039,6 @@ config_host_data.set('HAVE_OPTRESET', +@@ -2032,8 +2032,6 @@ config_host_data.set('HAVE_OPTRESET', cc.has_header_symbol('getopt.h', 'optreset')) config_host_data.set('HAVE_IPPROTO_MPTCP', cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP')) @@ -72,5 +72,5 @@ index 175517eafd..32fed7ea6e 100644 # has_member config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID', -- -2.38.1 +2.37.3 diff --git a/0006-PATCH-test-vmstate-fix-bad-GTree-usage-use-after-fre.patch b/0006-PATCH-test-vmstate-fix-bad-GTree-usage-use-after-fre.patch new file mode 100644 index 0000000..7ad17be --- /dev/null +++ b/0006-PATCH-test-vmstate-fix-bad-GTree-usage-use-after-fre.patch 
@@ -0,0 +1,43 @@ +From 930def8769940600dd7dd587ec2accd4a8b6e1f8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 27 Feb 2023 16:02:51 +0000 +Subject: [PATCH 6/7] [PATCH] test-vmstate: fix bad GTree usage, use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +According to g_tree_foreach() documentation: +"The tree may not be modified while iterating over it (you can't +add/remove items)." + +Fixes: 9a85e4b8f6 ("migration: Support gtree migration") +Cc: Eric Auger +Signed-off-by: Marc-André Lureau +--- + tests/unit/test-vmstate.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/tests/unit/test-vmstate.c b/tests/unit/test-vmstate.c +index 541bb4f63e..36b253eb67 100644 +--- a/tests/unit/test-vmstate.c ++++ b/tests/unit/test-vmstate.c +@@ -1074,7 +1074,6 @@ static gboolean diff_tree(gpointer key, gpointer value, gpointer data) + struct match_node_data d = {tp->tree2, key, value}; + + g_tree_foreach(tp->tree2, tp->match_node, &d); +- g_tree_remove(tp->tree1, key); + return false; + } + +@@ -1084,7 +1083,7 @@ static void compare_trees(GTree *tree1, GTree *tree2, + struct tree_cmp_data tp = {tree1, tree2, function}; + + g_tree_foreach(tree1, diff_tree, &tp); +- assert(g_tree_nnodes(tree1) == 0); ++ g_tree_destroy(g_tree_ref(tree1)); + assert(g_tree_nnodes(tree2) == 0); + } + +-- +2.37.3 + diff --git a/0007-tests-Ensure-TAP-version-is-printed-before-other-mes.patch b/0007-tests-Ensure-TAP-version-is-printed-before-other-mes.patch new file mode 100644 index 0000000..c142e77 --- /dev/null +++ b/0007-tests-Ensure-TAP-version-is-printed-before-other-mes.patch 
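Review bot: `g_tree_destroy(g_tree_ref(tree1));` in compare_trees reads like a leak or a double release to anyone who does not know the GTree reference rules, and the hunk adds no comment explaining it; g_tree_destroy() drops every node and releases one reference, so the preceding g_tree_ref() is what keeps the caller's tree alive. A one-line comment above that call, `/* drop all nodes without releasing the caller's reference */`, would preserve the intent, which matters more here because the spec carries this patch locally and marks it "NOT UPSTREAM". Removing g_tree_remove() from diff_tree also removes the only check that was made on tree1, but the remaining `assert(g_tree_nnodes(tree2) == 0)` still verifies the match as far as this hunk shows. compare_trees starts outside the hunk (its signature is only visible in the hunk header).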
@@ -0,0 +1,42 @@ +From 4021e0a116b568c312b864dfc27dfeed3317538a Mon Sep 17 00:00:00 2001 +From: "Richard W.M. Jones" +Date: Mon, 27 Feb 2023 17:37:10 +0000 +Subject: [PATCH 7/7] tests: Ensure TAP version is printed before other + messages + +These two tests were failing with this error: + + stderr: + TAP parsing error: version number must be on the first line + [...] + Unknown TAP version. The first line MUST be `TAP version `. Assuming version 12. + +This can be fixed by ensuring we always call g_test_init first in the +body of main. + +Thanks: Daniel Berrange, for diagnosing the problem +Signed-off-by: Richard W.M. Jones +--- + tests/qtest/rtl8139-test.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/tests/qtest/rtl8139-test.c b/tests/qtest/rtl8139-test.c +index 8fa3313cc3..90bb616974 100644 +--- a/tests/qtest/rtl8139-test.c ++++ b/tests/qtest/rtl8139-test.c +@@ -196,9 +196,10 @@ int main(int argc, char **argv) + { + int ret; + +- qtest_start("-device rtl8139"); +- + g_test_init(&argc, &argv, NULL); ++ ++ qtest_start("-device rtl8139"); ++ + qtest_add_func("/rtl8139/nop", nop); + qtest_add_func("/rtl8139/timer", test_init); + +-- +2.37.3 + diff --git a/0008-qga-win32-local-privilege-escalation.patch b/0008-qga-win32-local-privilege-escalation.patch new file mode 100644 index 0000000..9359cc8 --- /dev/null +++ b/0008-qga-win32-local-privilege-escalation.patch 
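Review bot: Moving g_test_init() ahead of qtest_start() in main() fixes the TAP-version ordering the message describes, but nothing in the code records why the order matters, so a later cleanup can swap the calls back; a comment above the g_test_init() call, `/* must run first: TAP requires the version line before any other output */`, would pin it. The message says "these two tests were failing" while the diffstat touches only tests/qtest/rtl8139-test.c, so either the second test's hunk was dropped when the patch was extracted or the wording is stale — worth confirming before carrying the patch. main() continues past the hunk.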
@@ -0,0 +1,129 @@ +From 0575c4d5cb7520850359aeff62e11e80e5b65c55 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:08 +0200 +Subject: [PATCH] qga/win32: Use rundll for VSS installation + +The custom action uses cmd.exe to run VSS Service installation +and removal which causes an interactive command shell to spawn. +This shell can be used to execute any commands as a SYSTEM user. +Even if call qemu-ga.exe directly the interactive command shell +will be spawned as qemu-ga.exe is a console application and used +by users from the console as well as a service. + +As VSS Service runs from DLL which contains the installer and +uninstaller code, it can be run directly by rundll32.exe without +any interactive command shell. + +Add specific entry points for rundll which is just a wrapper +for COMRegister/COMUnregister functions with proper arguments. + +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 2 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 10 +++++----- + qga/vss-win32/install.cpp | 9 +++++++++ + qga/vss-win32/qga-vss.def | 2 ++ + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index 813d1c6ca6..de006c8785 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -115,22 +115,22 @@ + + + +- ++ + + + + + + +diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp +index b57508fbe0..68662a6dfc 100644 +--- a/qga/vss-win32/install.cpp ++++ b/qga/vss-win32/install.cpp +@@ -357,6 +357,15 @@ out: + return hr; + } + ++STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMRegister(); ++} ++ ++STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int) ++{ ++ COMUnregister(); ++} + + static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data) + { +diff --git 
a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def +index 927782c31b..ee97a81427 100644 +--- a/qga/vss-win32/qga-vss.def ++++ b/qga/vss-win32/qga-vss.def +@@ -1,6 +1,8 @@ + LIBRARY "QGA-PROVIDER.DLL" + + EXPORTS ++ DLLCOMRegister ++ DLLCOMUnregister + COMRegister PRIVATE + COMUnregister PRIVATE + DllCanUnloadNow PRIVATE + +From e7e43c4e11390aba32cb42421c68790c10501232 Mon Sep 17 00:00:00 2001 +From: Konstantin Kostiuk +Date: Fri, 3 Mar 2023 21:20:07 +0200 +Subject: [PATCH] qga/win32: Remove change action from MSI installer + +Remove the 'change' button from "Programs and Features" because it does +not checks if a user is an admin or not. The installer has no components +to choose from and always installs everything. So the 'change' button is +not obviously needed but can create a security issue. + +resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423 +fixes: CVE-2023-0664 (part 1 of 2) + +Signed-off-by: Konstantin Kostiuk +Reviewed-by: Yan Vugenfirer +Reported-by: Brian Wiltse +--- + qga/installer/qemu-ga.wxs | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs +index de006c8785..949ba07fd2 100644 +--- a/qga/installer/qemu-ga.wxs ++++ b/qga/installer/qemu-ga.wxs +@@ -31,6 +31,7 @@ + /> + + ++ + diff --git a/qemu.spec b/qemu.spec index 8520a46..23d165e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -114,6 +114,11 @@ %global have_dbus_display 0 %endif +%global have_libblkio 0 +%if 0%{?fedora} >= 37 +%global have_libblkio 1 +%endif + %global have_sdl_image %{defined fedora} %global have_fdt 1 %global have_opengl 1 
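Review bot: `DLLCOMRegister` and `DLLCOMUnregister` discard the HRESULT that COMRegister()/COMUnregister() return (the context line `return hr;` shows they produce one), and a rundll32 entry point has no return value, so a failed VSS provider registration can no longer be signalled to the MSI custom action; if the installer previously relied on the exit status of the cmd.exe/qemu-ga.exe invocation, that failure now looks like success. At minimum the wrapper should record the result, e.g. `HRESULT hr = COMRegister(); if (FAILED(hr)) { /* log hr via the existing qga logging path */ }` — what the custom action does on failure cannot be checked here because the .wxs hunks' XML content is missing from this view. The file also bundles two commits with the "part 1 of 2" change placed after "part 2 of 2" and both subjects tagged plain `[PATCH]`, which presumably relies on the spec's patch application handling multi-commit files; a short header comment stating the intended order would help the next rebase.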
@@ -163,7 +168,11 @@ %global qemudocdir %{_docdir}/%{name} %define evr %{epoch}:%{version}-%{release} +%if %{have_libblkio} %define requires_block_blkio Requires: %{name}-block-blkio = %{evr} +%else +%define requires_block_blkio %{nil} +%endif %define requires_block_curl Requires: %{name}-block-curl = %{evr} %define requires_block_dmg Requires: %{name}-block-dmg = %{evr} %if %{have_block_gluster} @@ -312,11 +321,11 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release} %endif # To prevent rpmdev-bumpspec breakage -%global baserelease 6 +%global baserelease 2 Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 7.2.0 +Version: 7.2.1 Release: %{baserelease}%{?rcrel}.0.riscv64%{?dist} Epoch: 2 License: GPLv2 and BSD and MIT and CC-BY @@ -337,10 +346,19 @@ Source36: README.tests # Fix SGX assert Patch: 0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch -Patch: 0001-tests-Disable-pci_virtio_vga-for-ppc64.patch +Patch: 0002-tests-Disable-pci_virtio_vga-for-ppc64.patch # Fix compat with kernel-headers >= 6.1 Patch: 0003-Revert-linux-user-add-more-compat-ioctl-definitions.patch Patch: 0004-Revert-linux-user-fix-compat-with-glibc-2.36-sys-mou.patch +# Fix build with glib2 2.75.3 +# https://bugzilla.redhat.com/show_bug.cgi?id=2173639 +# https://gitlab.com/qemu-project/qemu/-/issues/1518 +# Patch is NOT UPSTREAM. +Patch: 0006-PATCH-test-vmstate-fix-bad-GTree-usage-use-after-fre.patch +# Fix one of the tests. Sent upstream 2023-02-27. +Patch: 0007-tests-Ensure-TAP-version-is-printed-before-other-mes.patch +# qga/win32: Fix local privilege escalation issue (CVE-2023-0664) +Patch: 0008-qga-win32-local-privilege-escalation.patch BuildRequires: meson >= %{meson_version} BuildRequires: zlib-devel @@ -404,7 +422,9 @@ BuildRequires: pkgconfig(gbm) BuildRequires: perl-Test-Harness BuildRequires: libslirp-devel BuildRequires: libbpf-devel >= 1.0.0 +%if %{have_libblkio} BuildRequires: libblkio-devel +%endif # Fedora specific 
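Review bot: The Patch list in the `@@ -337,10 +346,19 @@` hunk jumps from 0004 to 0006, and the imported 7.2.0-7 changelog entry lists a virtio-blk-pci detect-zeroes=unmap fix (RHBZ#2173357) that no added patch carries; if that was the missing 0005 and it is now in the 7.2.1 tarball, a one-line comment next to the Patch list, `# 0005 (RHBZ#2173357) dropped: fixed in 7.2.1 (verify)`, would save the next rebase a search. The `# Patch is NOT UPSTREAM.` comment on 0006 should name where the patch was taken from so it can be re-checked later; if the gitlab issue URL above it is that source, rewording the comment to say so is enough. The changelog hunk on the following line carries the same unexplained gap.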
@@ -615,6 +635,7 @@ Install this package if you want access to the avocado_qemu tests, or qemu-iotests. +%if %{have_libblkio} %package block-blkio Summary: QEMU blkio block driver Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release} @@ -623,6 +644,7 @@ This package provides the additional blkio block driver for QEMU. Install this package if you want to access disks over vhost-user-blk, vdpa-blk, and other transports using the libblkio library. +%endif %package block-curl @@ -1610,7 +1632,9 @@ run_configure \ %ifarch %{ix86} x86_64 --enable-avx2 \ %endif +%if %{have_libblkio} --enable-blkio \ +%endif --enable-bpf \ --enable-cap-ng \ --enable-capstone \ @@ -2226,8 +2250,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %{testsdir} %{_libdir}/%{name}/accel-qtest-*.so +%if %{have_libblkio} %files block-blkio %{_libdir}/%{name}/block-blkio.so +%endif %files block-curl %{_libdir}/%{name}/block-curl.so %files block-iscsi @@ -2767,9 +2793,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog -* Thu Apr 06 2023 David Abdurachmanov - 7.2.0-6.0.riscv64 +* Fri May 12 2023 David Abdurachmanov - 2:7.2.1-2.0.riscv64 - Add support for riscv64 +* Fri Apr 21 2023 Mauro Matteo Cascella - 2:7.2.1-2 +- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700) + +* Wed Apr 19 2023 Eduardo Lima (Etrunko) - 7.2.1-1 +- Rebase to qemu 7.2.1 + +* Mon Feb 27 2023 Richard W.M. Jones - 7.2.0-7 +- Fix virtio-blk-pci detect-zeroes=unmap (RHBZ#2173357) +- Fix build with glib2 2.75.3 (RHBZ#2173639) +- Disable the tests on i686 + * Tue Jan 31 2023 Stefan Hajnoczi - 7.2.0-6 - Enable libblkio diff --git a/sources b/sources index c45f059..c94b8cd 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (qemu-7.2.0.tar.xz) = f3cfa00da739ba819a218d7e6e95c77fb79a8e0f487b024ddd281602e785249b81144595e3f8c746c32a4f5c4d1a88c6aebae3c162603edfbb50ae3722d7ed13
+SHA512 (qemu-7.2.1.tar.xz) = e286dc66c923a5df77eb02d69235d048e80a7cced638fae52fbed385b4c3cd736cfea66bb3c9843bebf0a33e81ea141fc015e0bd82108df304f148ce59d9ae8a