Fix CVE reference

CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
CVE-2015-5154: pcnet: force the buffer access to be in bounds during tx (bz #1230538)

0001-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch

@@ -0,0 +1,79 @@
+From fcb9de761d54ec4aaa44027a5ce95f7b3e36ebd9 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Sun, 26 Jul 2015 23:42:53 -0400
+Subject: [PATCH 1/4] ide: Check array bounds before writing to io_buffer
+ (CVE-2015-5154)
+
+If the end_transfer_func of a command is called because enough data has
+been read or written for the current PIO transfer, and it fails to
+correctly call the command completion functions, the DRQ bit in the
+status register and s->end_transfer_func may remain set. This allows the
+guest to access further bytes in s->io_buffer beyond s->data_end, and
+eventually overflowing the io_buffer.
+
+One case where this currently happens is emulation of the ATAPI command
+START STOP UNIT.
+
+This patch fixes the problem by adding explicit array bounds checks
+before accessing the buffer instead of relying on end_transfer_func to
+function correctly.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+(cherry picked from commit d2ff85854512574e7209f295e87b0835d5b032c6)
+---
+ hw/ide/core.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index c943a4d..e2ad6ee 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1901,6 +1901,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 2 > s->data_end) {
++        return;
++    }
++
+     *(uint16_t *)p = le16_to_cpu(val);
+     p += 2;
+     s->data_ptr = p;
+@@ -1922,6 +1926,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 2 > s->data_end) {
++        return 0;
++    }
++
+     ret = cpu_to_le16(*(uint16_t *)p);
+     p += 2;
+     s->data_ptr = p;
+@@ -1943,6 +1951,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 4 > s->data_end) {
++        return;
++    }
++
+     *(uint32_t *)p = le32_to_cpu(val);
+     p += 4;
+     s->data_ptr = p;
+@@ -1964,6 +1976,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+     }
+ 
+     p = s->data_ptr;
++    if (p + 4 > s->data_end) {
++        return 0;
++    }
++
+     ret = cpu_to_le32(*(uint32_t *)p);
+     p += 4;
+     s->data_ptr = p;
+-- 
+2.5.0
+

0001-pxe-always-use-non-efi-roms.patch

@@ -0,0 +1,82 @@
+From 9cc96b9353238598cc70f4938c403f7d0dcaa994 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Thu, 26 Feb 2015 10:02:13 +0100
+Subject: [PATCH] pxe: always use non-efi roms
+
+We don't ship efi versions.
+---
+ hw/net/e1000.c         | 2 +-
+ hw/net/ne2000.c        | 2 +-
+ hw/net/pcnet-pci.c     | 2 +-
+ hw/net/rtl8139.c       | 2 +-
+ hw/virtio/virtio-pci.c | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 8387443..6e28e0f 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -1571,7 +1571,7 @@ static void e1000_class_init(ObjectClass *klass, void *data)
+ 
+     k->init = pci_e1000_init;
+     k->exit = pci_e1000_uninit;
+-    k->romfile = "efi-e1000.rom";
++    k->romfile = "pxe-e1000.rom";
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = E1000_DEVID;
+     k->revision = 0x03;
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 4c32e9e..12cf3ed 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -767,7 +767,7 @@ static void ne2000_class_init(ObjectClass *klass, void *data)
+ 
+     k->init = pci_ne2000_init;
+     k->exit = pci_ne2000_exit;
+-    k->romfile = "efi-ne2k_pci.rom",
++    k->romfile = "pxe-ne2k_pci.rom",
+     k->vendor_id = PCI_VENDOR_ID_REALTEK;
+     k->device_id = PCI_DEVICE_ID_REALTEK_8029;
+     k->class_id = PCI_CLASS_NETWORK_ETHERNET;
+diff --git a/hw/net/pcnet-pci.c b/hw/net/pcnet-pci.c
+index 6a5d806..945fff4 100644
+--- a/hw/net/pcnet-pci.c
++++ b/hw/net/pcnet-pci.c
+@@ -359,7 +359,7 @@ static void pcnet_class_init(ObjectClass *klass, void *data)
+ 
+     k->init = pci_pcnet_init;
+     k->exit = pci_pcnet_uninit;
+-    k->romfile = "efi-pcnet.rom",
++    k->romfile = "pxe-pcnet.rom",
+     k->vendor_id = PCI_VENDOR_ID_AMD;
+     k->device_id = PCI_DEVICE_ID_AMD_LANCE;
+     k->revision = 0x10;
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 5329f44..4be91a1 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -3560,7 +3560,7 @@ static void rtl8139_class_init(ObjectClass *klass, void *data)
+ 
+     k->init = pci_rtl8139_init;
+     k->exit = pci_rtl8139_uninit;
+-    k->romfile = "efi-rtl8139.rom";
++    k->romfile = "pxe-rtl8139.rom";
+     k->vendor_id = PCI_VENDOR_ID_REALTEK;
+     k->device_id = PCI_DEVICE_ID_REALTEK_8139;
+     k->revision = RTL8139_PCI_REVID; /* >=0x20 is for 8139C+ */
+diff --git a/hw/virtio/virtio-pci.c b/hw/virtio/virtio-pci.c
+index ce97514..d815b0e 100644
+--- a/hw/virtio/virtio-pci.c
++++ b/hw/virtio/virtio-pci.c
+@@ -1445,7 +1445,7 @@ static void virtio_net_pci_class_init(ObjectClass *klass, void *data)
+     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
+     VirtioPCIClass *vpciklass = VIRTIO_PCI_CLASS(klass);
+ 
+-    k->romfile = "efi-virtio.rom";
++    k->romfile = "pxe-virtio.rom";
+     k->vendor_id = PCI_VENDOR_ID_REDHAT_QUMRANET;
+     k->device_id = PCI_DEVICE_ID_VIRTIO_NET;
+     k->revision = VIRTIO_PCI_ABI_VERSION;
+-- 
+2.1.0
+

0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch

@@ -0,0 +1,82 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
+ buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c)
+---
+ hw/block/fdc.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 2bf87c9..a9de4ab 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command

0002-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch

@@ -0,0 +1,45 @@
+From 1ed2665d9163d25cce12a1d8a764b939b2593c6e Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 17 Jun 2015 12:46:11 +0200
+Subject: [PATCH 2/4] i8254: fix out-of-bounds memory access in
+ pit_ioport_read()
+
+Due converting PIO to the new memory read/write api we no longer provide
+separate I/O region lenghts for read and write operations. As a result,
+reading from PIT Mode/Command register will end with accessing
+pit->channels with invalid index.
+
+Fix this by ignoring read from the Mode/Command register.
+
+This is CVE-2015-3214.
+
+Reported-by: Matt Tait <matttait@google.com>
+Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit d4862a87e31a51de9eb260f25c9e99a75efe3235)
+---
+ hw/timer/i8254.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
+index 28152d8..a5dd681 100644
+--- a/hw/timer/i8254.c
++++ b/hw/timer/i8254.c
+@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
+     PITChannelState *s;
+ 
+     addr &= 3;
++
++    if (addr == 3) {
++        /* Mode/Command register is write only, read is ignored */
++        return 0;
++    }
++
+     s = &pit->channels[addr];
+     if (s->status_latched) {
+         s->status_latched = 0;
+-- 
+2.5.0
+

0003-pcnet-fix-Negative-array-index-read.patch

@@ -0,0 +1,100 @@
+From c2c087239b676b7dcb75f74ed8509bd0d286ee1d Mon Sep 17 00:00:00 2001
+From: Gonglei <arei.gonglei@huawei.com>
+Date: Thu, 20 Nov 2014 19:35:02 +0800
+Subject: [PATCH 3/4] pcnet: fix Negative array index read
+
+s->xmit_pos maybe assigned to a negative value (-1),
+but in this branch variable s->xmit_pos as an index to
+array s->buffer. Let's add a check for s->xmit_pos.
+
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 7b50d00911ddd6d56a766ac5671e47304c20a21b)
+---
+ hw/net/pcnet.c | 55 ++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 30 insertions(+), 25 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 7cb47b3..07069d7 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1213,7 +1213,7 @@ static void pcnet_transmit(PCNetState *s)
+     hwaddr xmit_cxda = 0;
+     int count = CSR_XMTRL(s)-1;
+     int add_crc = 0;
+-
++    int bcnt;
+     s->xmit_pos = -1;
+ 
+     if (!CSR_TXON(s)) {
+@@ -1248,35 +1248,40 @@ static void pcnet_transmit(PCNetState *s)
+             s->xmit_pos = -1;
+             goto txdone;
+         }
++
++        if (s->xmit_pos < 0) {
++            goto txdone;
++        }
++
++        bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++        s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
++                         s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
++        s->xmit_pos += bcnt;
++        
+         if (!GET_FIELD(tmd.status, TMDS, ENP)) {
+-            int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+-            s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+-                             s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+-            s->xmit_pos += bcnt;
+-        } else if (s->xmit_pos >= 0) {
+-            int bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+-            s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+-                             s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+-            s->xmit_pos += bcnt;
++            goto txdone;
++        }
++
+ #ifdef PCNET_DEBUG
+-            printf("pcnet_transmit size=%d\n", s->xmit_pos);
++        printf("pcnet_transmit size=%d\n", s->xmit_pos);
+ #endif
+-            if (CSR_LOOP(s)) {
+-                if (BCR_SWSTYLE(s) == 1)
+-                    add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+-                s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+-                pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+-                s->looptest = 0;
+-            } else
+-                if (s->nic)
+-                    qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
+-                                     s->xmit_pos);
+-
+-            s->csr[0] &= ~0x0008;   /* clear TDMD */
+-            s->csr[4] |= 0x0004;    /* set TXSTRT */
+-            s->xmit_pos = -1;
++        if (CSR_LOOP(s)) {
++            if (BCR_SWSTYLE(s) == 1)
++                add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
++            s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
++            pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++            s->looptest = 0;
++        } else {
++            if (s->nic) {
++                qemu_send_packet(qemu_get_queue(s->nic), s->buffer,
++                                 s->xmit_pos);
++            }
+         }
+ 
++        s->csr[0] &= ~0x0008;   /* clear TDMD */
++        s->csr[4] |= 0x0004;    /* set TXSTRT */
++        s->xmit_pos = -1;
++
+     txdone:
+         SET_FIELD(&tmd.status, TMDS, OWN, 0);
+         TMDSTORE(&tmd, PHYSADDR(s,CSR_CXDA(s)));
+-- 
+2.5.0
+

0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch

@@ -0,0 +1,50 @@
+From d913b8e2e9a6480bbefba2abc3e8f55bd9d1f1a7 Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Sun, 24 May 2015 10:53:44 +0200
+Subject: [PATCH 4/4] pcnet: force the buffer access to be in bounds during tx
+
+4096 is the maximum length per TMD and it is also currently the size of
+the relay buffer pcnet driver uses for sending the packet data to QEMU
+for further processing. With packet spanning multiple TMDs it can
+happen that the overall packet size will be bigger than sizeof(buffer),
+which results in memory corruption.
+
+Fix this by only allowing to queue maximum sizeof(buffer) bytes.
+
+This is CVE-2015-3209.
+
+[Fixed 3-space indentation to QEMU's 4-space coding standard.
+--Stefan]
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Matt Tait <matttait@google.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 9f7c594c006289ad41169b854d70f5da6e400a2a)
+---
+ hw/net/pcnet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 07069d7..a577daf 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1254,6 +1254,14 @@ static void pcnet_transmit(PCNetState *s)
+         }
+ 
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
++
++        /* if multi-tmd packet outsizes s->buffer then skip it silently.
++           Note: this is not what real hw does */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++            s->xmit_pos = -1;
++            goto txdone;
++        }
++
+         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
+                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
+         s->xmit_pos += bcnt;
+-- 
+2.5.0
+

qemu.spec

@@ -22,14 +22,14 @@
 
 %if 0%{?rhel}
 # RHEL-specific defaults:
-%bcond_without kvmonly          # enabled
+%bcond_with    kvmonly          # enabled
 %bcond_without exclusive_x86_64 # enabled
 %bcond_with    rbd              # disabled
 %bcond_without spice            # enabled
 %bcond_without seccomp          # enabled
-%bcond_with    xfsprogs         # disabled
-%bcond_with    separate_kvm     # disabled - for EPEL
-%bcond_with    gtk              # disabled
+%bcond_without xfsprogs         # disabled
+%bcond_without separate_kvm     # disabled - for EPEL
+%bcond_without gtk              # disabled
 %else
 # General defaults:
 %bcond_with    kvmonly          # disabled
@@ -89,7 +89,7 @@
 %global need_qemu_kvm 1
 %endif
 %ifarch ppc64
-%global system_ppc    kvm
+#global system_ppc    kvm
 %global kvm_package   system-ppc
 %global kvm_target    ppc64
 %global need_kvm_modfile 1
@@ -121,10 +121,10 @@
 %global system_microblaze   system-microblaze
 %global system_mips   system-mips
 %global system_or32   system-or32
-%global system_ppc    system-ppc
+#global system_ppc    system-ppc
 %global system_s390x  system-s390x
 %global system_sh4    system-sh4
-%global system_sparc  system-sparc
+#global system_sparc  system-sparc
 %global system_x86    system-x86
 %global system_xtensa   system-xtensa
 %global system_unicore32   system-unicore32
@@ -132,22 +132,30 @@
 %endif
 
 # libfdt is only needed to build ARM, Microblaze or PPC emulators
+%if 0%{?rhel}
+%global need_fdt      0
+%else
 %if 0%{?system_arm:1}%{?system_microblaze:1}%{?system_ppc:1}
 %global need_fdt      1
 %endif
+%endif
 
+%if 0%{?rhel}
+%define with_xen 0
+%else
 # Xen is available only on i386 x86_64 (from libvirt spec)
 %ifnarch %{ix86} x86_64
 %define with_xen 0
 %else
 %define with_xen 1
 %endif
+%endif
 
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.0.0
-Release: 1%{?dist}
+Release: 1%{?dist}.6
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -156,6 +164,9 @@ URL: http://www.qemu.org/
 %if %{with kvmonly}
 ExclusiveArch: %{kvm_archs}
 %endif
+# XXX: The rom packages need to be updated to cross compile like fedora does,
+# otherwise qemu-system-x86 deps are broken on ppc64
+ExcludeArch: ppc64
 
 # OOM killer breaks builds with parallel make on s390(x)
 %ifarch s390 s390x
@@ -188,10 +199,29 @@ Source12: bridge.conf
 Source13: qemu-kvm.sh
 
 # Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
-# Patches queued for 2.1
 Patch0001: 0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
 
+# CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access # (bz #1221152)
+Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
+
+# CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
+Patch0003: 0001-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch
+
+# CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
+Patch0004: 0002-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch
+
+# CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
+Patch0005: 0003-pcnet-fix-Negative-array-index-read.patch
+Patch0006: 0004-pcnet-force-the-buffer-access-to-be-in-bounds-during.patch
+
+# EPEL specific patches
+Patch6661: 0001-pxe-always-use-non-efi-roms.patch
+
+%if 0%{?rhel}
+BuildRequires: SDL-devel
+%else
 BuildRequires: SDL2-devel
+%endif
 BuildRequires: zlib-devel
 BuildRequires: which
 BuildRequires: chrpath
@@ -248,7 +278,7 @@ BuildRequires: bluez-libs-devel
 BuildRequires: brlapi-devel
 %if 0%{?need_fdt:1}
 # For FDT device tree support
-BuildRequires: libfdt-devel
+#BuildRequires: libfdt-devel
 %endif
 # For virtfs
 BuildRequires: libcap-devel
@@ -281,11 +311,10 @@ BuildRequires: librdmacm-devel
 BuildRequires: qemu-sanity-check-nodeps
 BuildRequires: kernel
 %endif
-BuildRequires: iasl
 %if %{with_xen}
 BuildRequires: xen-devel
 %endif
-
+BuildRequires: /usr/bin/vi
 
 %if 0%{?user:1}
 Requires: %{name}-%{user} = %{epoch}:%{version}-%{release}
@@ -383,6 +412,9 @@ This package provides a command line tool for manipulating disk images
 %package  common
 Summary: QEMU common files needed by all QEMU targets
 Group: Development/Tools
+%if %{with separate_kvm}
+Requires: qemu-kvm-common
+%endif
 Requires(post): /usr/bin/getent
 Requires(post): /usr/sbin/groupadd
 Requires(post): /usr/sbin/useradd
@@ -458,9 +490,13 @@ Provides: kvm = 85
 Obsoletes: kvm < 85
 Requires: seavgabios-bin
 # First version that ships bios-256k.bin
+%if 0%{?rhel}
+Requires: sgabios-bin >= 1.7.2.2-5
+%else
 Requires: seabios-bin >= 1.7.4-3
-Requires: sgabios-bin
-Requires: ipxe-roms-qemu >= 20130517-2.gitc4bce43
+%endif
+#Requires: ipxe-roms-qemu >= 20130517-2.gitc4bce43
+Requires: ipxe-roms-qemu
 %if 0%{?have_seccomp:1}
 Requires: libseccomp >= 1.0.0
 %endif
@@ -700,6 +736,22 @@ CAC emulation development files.
 # Patches queued for 2.1
 %patch0001 -p1
 
+# CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access # (bz #1221152)
+%patch0002 -p1
+
+# CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
+%patch0003 -p1
+
+# CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
+%patch0004 -p1
+
+# CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
+%patch0005 -p1
+%patch0006 -p1
+
+# EPEL patches
+%patch6661 -p1
+
 
 %build
 %if %{with kvmonly}
@@ -708,8 +760,14 @@ CAC emulation development files.
     buildarch="i386-softmmu x86_64-softmmu alpha-softmmu arm-softmmu \
     cris-softmmu lm32-softmmu m68k-softmmu microblaze-softmmu \
     microblazeel-softmmu mips-softmmu mipsel-softmmu mips64-softmmu \
-    mips64el-softmmu or32-softmmu ppc-softmmu ppcemb-softmmu ppc64-softmmu \
-    s390x-softmmu sh4-softmmu sh4eb-softmmu sparc-softmmu sparc64-softmmu \
+    mips64el-softmmu or32-softmmu \
+%if 0%{?system_ppc:1}
+    ppc-softmmu ppcemb-softmmu ppc64-softmmu \
+%endif
+    s390x-softmmu sh4-softmmu sh4eb-softmmu \
+%if 0%{?system_sparc:1}
+    sparc-softmmu sparc64-softmmu \
+%endif
     xtensa-softmmu xtensaeb-softmmu unicore32-softmmu moxie-softmmu \
     i386-linux-user x86_64-linux-user aarch64-linux-user alpha-linux-user \
     arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \
@@ -777,7 +835,11 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
 %ifarch s390
     --enable-tcg-interpreter \
 %endif
+%if 0%{?rhel}
+    --with-sdlabi="1.2" \
+%else
     --with-sdlabi="2.0" \
+%endif
     --enable-quorum \
     "$@"
 
@@ -896,7 +958,9 @@ rm -rf ${RPM_BUILD_ROOT}%{_datadir}/%{name}/sgabios.bin
 # for other paths, yet.
 pxe_link() {
   ln -s ../ipxe/$2.rom %{buildroot}%{_datadir}/%{name}/pxe-$1.rom
+%if 0%{?rhel} == 0
   ln -s ../ipxe.efi/$2.rom %{buildroot}%{_datadir}/%{name}/efi-$1.rom
+%endif
 }
 
 pxe_link e1000 8086100e
@@ -916,8 +980,10 @@ rom_link ../seavgabios/vgabios-stdvga.bin vgabios-stdvga.bin
 rom_link ../seavgabios/vgabios-vmware.bin vgabios-vmware.bin
 rom_link ../seabios/bios.bin bios.bin
 rom_link ../seabios/bios-256k.bin bios-256k.bin
+%if 0%{?rhel} == 0
 rom_link ../seabios/acpi-dsdt.aml acpi-dsdt.aml
 rom_link ../seabios/q35-acpi-dsdt.aml q35-acpi-dsdt.aml
+%endif
 rom_link ../sgabios/sgabios.bin sgabios.bin
 %endif
 
@@ -979,11 +1045,13 @@ find $RPM_BUILD_ROOT -name '*.la' -or -name '*.a' | xargs rm -f
 find $RPM_BUILD_ROOT -name "libcacard.so*" -exec chmod +x \{\} \;
 
 %if %{with separate_kvm}
+rm -f $RPM_BUILD_ROOT%{_bindir}/kvm_stat
 rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-kvm
 rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-img
 rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-io
 rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-nbd
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/qemu-img.1*
+rm -f $RPM_BUILD_ROOT%{_mandir}/man1/qemu-kvm.1*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man8/qemu-nbd.8*
 
 rm -f $RPM_BUILD_ROOT%{_sbindir}/ksmtuned
@@ -996,11 +1064,14 @@ rm -f $RPM_BUILD_ROOT/lib/systemd/system/ksmtuned.service
 rm -f $RPM_BUILD_ROOT%{_bindir}/qemu-ga
 rm -f $RPM_BUILD_ROOT%{_unitdir}/qemu-guest-agent.service
 rm -f $RPM_BUILD_ROOT%{_udevdir}/99-qemu-guest-agent.rules
+rm -f $RPM_BUILD_ROOT%{_udevdir}/80-kvm.rules
 
 rm -f $RPM_BUILD_ROOT%{_bindir}/vscclient
 rm -f $RPM_BUILD_ROOT%{_libdir}/libcacard*
 rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/libcacard.pc
 rm -rf $RPM_BUILD_ROOT%{_includedir}/cacard
+
+rm -f $RPM_BUILD_ROOT%{_libexecdir}/qemu-bridge-helper
 %endif
 
 # When building using 'rpmbuild' or 'fedpkg local', RPATHs can be left in
@@ -1095,10 +1166,12 @@ getent passwd qemu >/dev/null || \
 %files
 %defattr(-,root,root)
 
+%if %{without separate_kvm}
 %ifarch %{kvm_archs}
 %files kvm
 %defattr(-,root,root)
 %endif
+%endif
 
 %files common -f %{name}.lang
 %defattr(-,root,root)
@@ -1118,7 +1191,9 @@ getent passwd qemu >/dev/null || \
 %{_mandir}/man1/qemu.1*
 %{_mandir}/man1/virtfs-proxy-helper.1*
 %{_bindir}/virtfs-proxy-helper
+%if %{without separate_kvm}
 %attr(4755, root, root) %{_libexecdir}/qemu-bridge-helper
+%endif
 %config(noreplace) %{_sysconfdir}/sasl2/qemu.conf
 %dir %{_sysconfdir}/qemu
 %config(noreplace) %{_sysconfdir}/qemu/bridge.conf
@@ -1213,8 +1288,10 @@ getent passwd qemu >/dev/null || \
 %{_mandir}/man1/qemu-system-i386.1*
 %{_mandir}/man1/qemu-system-x86_64.1*
 %endif
+%if 0%{?rhel} == 0
 %{_datadir}/%{name}/acpi-dsdt.aml
 %{_datadir}/%{name}/q35-acpi-dsdt.aml
+%endif
 %{_datadir}/%{name}/bios.bin
 %{_datadir}/%{name}/bios-256k.bin
 %{_datadir}/%{name}/sgabios.bin
@@ -1227,15 +1304,17 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/vgabios-stdvga.bin
 %{_datadir}/%{name}/vgabios-vmware.bin
 %{_datadir}/%{name}/pxe-e1000.rom
-%{_datadir}/%{name}/efi-e1000.rom
 %{_datadir}/%{name}/pxe-virtio.rom
-%{_datadir}/%{name}/efi-virtio.rom
 %{_datadir}/%{name}/pxe-pcnet.rom
-%{_datadir}/%{name}/efi-pcnet.rom
 %{_datadir}/%{name}/pxe-rtl8139.rom
-%{_datadir}/%{name}/efi-rtl8139.rom
 %{_datadir}/%{name}/pxe-ne2k_pci.rom
+%if 0%{?rhel} == 0
+%{_datadir}/%{name}/efi-e1000.rom
+%{_datadir}/%{name}/efi-virtio.rom
+%{_datadir}/%{name}/efi-pcnet.rom
+%{_datadir}/%{name}/efi-rtl8139.rom
 %{_datadir}/%{name}/efi-ne2k_pci.rom
+%endif
 %config(noreplace) %{_sysconfdir}/qemu/target-x86_64.conf
 %if %{without separate_kvm}
 %ifarch %{ix86} x86_64
@@ -1245,11 +1324,13 @@ getent passwd qemu >/dev/null || \
 %endif
 %endif
 
+%if %{without separate_kvm}
 %ifarch %{kvm_archs}
 %files kvm-tools
 %defattr(-,root,root,-)
 %{_bindir}/kvm_stat
 %endif
+%endif
 
 %if 0%{?system_alpha:1}
 %files %{system_alpha}
@@ -1372,6 +1453,8 @@ getent passwd qemu >/dev/null || \
 %{_mandir}/man1/qemu-system-sparc64.1*
 %{_datadir}/%{name}/QEMU,tcx.bin
 %{_datadir}/%{name}/QEMU,cgthree.bin
+%else
+%exclude %{_datadir}/%{name}/QEMU,cgthree.bin
 %endif
 
 %if 0%{?system_ppc:1}
@@ -1450,6 +1533,26 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Mon Nov 02 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.6
+- CVE-2015-5154: ide: Check array bounds before writing to io_buffer (bz #1247143)
+- CVE-2015-3214: i8254: fix out-of-bounds memory access in pit_ioport_read() (bz #1243729)
+- CVE-2015-3209: pcnet: force the buffer access to be in bounds during tx (bz #1230538)
+
+* Mon May 25 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.5
+- CVE-2015-3456: fdc: out-of-bounds fifo buffer memory access (bz #1221152)
+
+* Thu Feb 26 2015 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.4
+- Avoid using EFI boot ROMs, el7 ipxe does not ship them
+
+* Fri Oct 10 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.3
+- Bring back the bios-256k.bin link
+
+* Fri Oct 10 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.2
+- Avoid broken symbolic links (bz #1114432)
+
+* Fri Apr 18 2014 Lubomir Rintel <lkundrak@v3.sk> - 2:2.0.0-1.1
+- Build for EPEL7
+
 * Thu Apr 17 2014 Cole Robinson <crobinso@redhat.com> - 2:2.0.0-1
 - Update to 2.0.0 GA