
qemu: add patches for CVE-2020-7039 and CVE-2020-7211 #79050

Merged
merged 1 commit into from Feb 10, 2020

Conversation

@andrew-d
Contributor

@andrew-d andrew-d commented Feb 1, 2020

Motivation for this change

Patch two known CVEs in QEMU.

Fixes #78762

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

cc @ckauhaus

@andrew-d andrew-d requested a review from risicle Feb 1, 2020
@andrew-d
Contributor Author

@andrew-d andrew-d commented Feb 1, 2020

@GrahamcOfBorg build qemu

@risicle
Contributor

@risicle risicle commented Feb 1, 2020

What is the origin of the CVE-2020-7039 patch and why isn't it fetchable?

@andrew-d
Contributor Author

@andrew-d andrew-d commented Feb 1, 2020

It's a manually-merged version of these three commits:
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9

It's not fetchable because it includes an entry to the CHANGELOG which causes it to fail to apply. In the version in this PR, that section is dropped.

@andrew-d
Contributor Author

@andrew-d andrew-d commented Feb 1, 2020

(and those three commits were obtained from the links in the NVD entry)

@risicle
Contributor

@risicle risicle commented Feb 2, 2020

Will the excludes option to fetchpatch not strip the changelog out?

@andrew-d andrew-d force-pushed the andrew-d:andrew/qemu-CVEs branch from aa583d3 to ef3addb Feb 2, 2020
@andrew-d
Contributor Author

@andrew-d andrew-d commented Feb 2, 2020

@risicle - TIL about the excludes option; thanks! That seems to have worked, so I switched to that.

@GrahamcOfBorg build qemu
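
To illustrate the `excludes` mechanism discussed above, here is an added example (not the PR's own code) of pulling the three libslirp commits into a QEMU derivation with `fetchpatch` so the CHANGELOG hunk is dropped before the patch is applied; the `CHANGELOG.md` file name, the `slirp/` vendoring prefix and the placeholder hash are assumptions.

```nix
# Added example (not from the PR): fetch the three libslirp fixes for
# CVE-2020-7039 as patches and strip the changelog hunk that would otherwise
# fail to apply against QEMU's vendored slirp tree.
{ lib, fetchpatch, qemu }:

let
  # Upstream commit ids as listed in the PR discussion.
  slirpCommits = [
    "2655fffed7a9e765bcb4701dd876e9dab975f289"
    "82ebe9c370a0e2970fb5695aa19aa5214a6a1c80"
    "ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9"
  ];

  # GitLab serves "<commit-url>.patch" as a git-format patch.
  slirpPatch = rev: fetchpatch {
    name = "libslirp-${rev}.patch";
    url = "https://gitlab.freedesktop.org/slirp/libslirp/commit/${rev}.patch";
    # Assumption: libslirp keeps its changelog at CHANGELOG.md. Files listed
    # in `excludes` are filtered out of the patch before it is hashed, so the
    # hash below covers the normalised patch, not the raw download.
    excludes = [ "CHANGELOG.md" ];
    # Assumption: QEMU vendors libslirp under slirp/, so re-root the paths
    # (a/src/ip_input.c becomes a/slirp/src/ip_input.c).
    extraPrefix = "slirp/";
    # Placeholder: replace with the real hash reported on the first build.
    sha256 = lib.fakeSha256;
  };
in
qemu.overrideAttrs (old: {
  patches = (old.patches or [ ]) ++ map slirpPatch slirpCommits;
})
```

Because `excludes` changes the patch content, the fixed-output hash must be recomputed after adding or changing the exclusion list.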

@risicle
risicle approved these changes Feb 2, 2020
Contributor

@risicle risicle left a comment

LGTM on non-nixos linux x86_64 & macos 10.14.

@ckauhaus
Contributor

@ckauhaus ckauhaus commented Feb 10, 2020

Built and smoke-tested successfully on NixOS. LGTM.

@ckauhaus ckauhaus merged commit edfd964 into NixOS:master Feb 10, 2020