app-emulation/qemu: Bump to 2.2.0

author: Felix Janda <felix.janda@posteo.de> 2015-06-07 21:17:51 +0200
committer: Anthony G. Basile <blueness@gentoo.org> 2015-06-08 08:27:39 -0400
commit: dd8f541bb891cc198527837f2eedb81594efb1f3 (patch)
tree: 51138897b31fa536b06aa8baad112071476e3abc
parent: sys-apps/hdparm: Bump to 9.45 (diff)
download: hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.tar.gz
hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.tar.bz2
hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.zip
5 files changed, 402 insertions, 11 deletions
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index 843de4ba..c77f5c35 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -10,12 +10,15 @@ AUX qemu-2.1.0-CVE-2014-5388.patch 1093 SHA256 df7c11ffb519f9a4c0db177359c5fe977
 AUX qemu-2.1.1-readlink-self.patch 2933 SHA256 3133ec1a0f0126d3362c9420602a1fdfc76fafacac8b41f5bd755e7542ee4188 SHA512 7ee06e119007e6dc08f254cbfdcc6de1c914181f60e69434190fe507a80b7d0f9e8682f0213d447481f39e145fcb0be2e118516238addb5c4326533fc0db143f WHIRLPOOL 54edcb4510546c69dedf78a2070f22e7ef2809b35a66dc2e5d356f2f1b22eea8baa5b17ed4a4d9860ee6b864fac92eb9d1bbb6daeb6e2d80e3cc702f32039996
 AUX qemu-2.1.2-vnc-sanitize-bits.patch 1279 SHA256 ef1e748fd9ffa0eb8ef412e6ea3cc96522e0ca91cf7201e6702d260ca50cbac5 SHA512 7e1a744928eb8edb76b18e58cf94da38ad1030f49ceb38f5e081d852573f8f314f998639c8e97fee27a53f51abe495b27406daa02b670a620ab2db165a47429e WHIRLPOOL bc024286739b56038bfebd6c2ad71addd9565a833f21a7a48cadbe7403c3e93c889cb2223d044448634cc93b6dc45a268299ea1b5b18c09b3477bb6e12fb0506
 AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac
+AUX qemu-2.2.1-CVE-2015-1779-1.patch 8631 SHA256 17ea04bb0571f3a346eb25ce2d61fd7053515767adedfde567fd39205993c600 SHA512 191dde0754b9466d87cf99a578ac07f0902f373156f4d5ff98540b9099a6fa8e29ba4ca9d4a5a21ae5dbba2b80c36600ea0bd2c31fa0c8734926514015166ab8 WHIRLPOOL 2be2f490eb32857b2b218761df3580bc31eb5a89bf1b289a048e9fd489cdb024869399481345b5ecb09a45c4fbf1ee4639062ae1fdbee9781e66ca6cc8af4cac
+AUX qemu-2.2.1-CVE-2015-1779-2.patch 2318 SHA256 4c0966520bf09df25d99c883f94037e765406dd4097dd704e66361bb07f73679 SHA512 7a85bc8e00c60c6c36790d1169f0d84d2c75fe81c1700b4f764ddcb0d0587d4b6d228d80e65fead035e3ab99449aad2f559071edf9145ff7a755506f3ff05b0e WHIRLPOOL 078388c50367d41c810a02aa795b6ad0df381582bdd2725ae125243ee5921aa4057494f063a7de49da6b6f6343f37a3c83d96ef6d92c22e722972c8e4ea968dc
+AUX qemu-2.3.0-CVE-2015-3456.patch 2853 SHA256 efac61bf9c20d5d08ef47bc9d51be5c8bd519f1d970ba3c3506c5760bf807e7d SHA512 5fed59ae67a962d187418f4bd57cebe901f9bcba817694b5e2a57daf77c34a406ed7c1f278e12d813304e58c48a24493b4e001a9ee4045bab2608f1730715ac7 WHIRLPOOL 9ad5237aa1bbe46a8493e331bb9c2152c36f9c877582485e1cf811b09430bad97a9f3b6bc52face7e4287f9c9fe4f1891de154a62ba93ea454c3ed9d44e8f729
 AUX qemu-9999-cflags.patch 347 SHA256 fe3bcbe83e81225b2c722578a0a976fcb724419d5208bbd6d02fb543e80b7e12 SHA512 e1b8be744170d61a2155b23a8394db01f8af6dc70ec033e71b2ff46f72975704836d42b96d7904e5d462289c5f8f24317f2fb28698f18a77ab1de02829e585eb WHIRLPOOL 2d972c7e40292f424fd37a4c1af04d2be095c215211ec2e1d15d8457df553342ffc02a7d39985f817fbbf5342e422d30e439c35a925341cf9b852ca7ff15a308
 AUX qemu-9999-virtfs-proxy-helper-accept.patch 973 SHA256 91cc9e024aa09ea3dd23ec52c561047656acc89f0ad0d5ddccce354c1ac4d282 SHA512 031cb1c35b479b18032f56a07fa2fa6d392a7f0919acd3636bf122ab7f75dcfbb5fc0e26e18a8a31a9888409f81c2e08438a1af999232418d940167c5031a92b WHIRLPOOL ea4dc08230289a147fd55d0bd9e32896cd4491130084fc45b4043f41caf611f07d4587cc485e6d25ba3f6fbc66939ed8faf3c2017bf33ab10e1885277fa3f6ff
 AUX qemu-binfmt.initd-r1 7023 SHA256 3572c110c6f217754e638796400a5901910a2e61b8818c8569f8258b103ebcc6 SHA512 773af64fef164c00945acf5881e64a10141aa8fdc85491e57bf8dcc7c800a4f81879527998a0896a42f921edcbf5f741beb31ac2a82e45cba506c7b8461733c8 WHIRLPOOL 30382fe347248683e989c2b7fbd804ce26173b313746d80467029b2ad3594f414628f7537120b168a0e700c424d3525528eb632b07e16544c2fd07f418f3187c
 AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067
 DIST qemu-2.1.2.tar.bz2 23563255 SHA256 fd10f5e45cf5a736fa5a3e1c279ae9821534e700beb7d1aab88a07648a394885 SHA512 73ef758c82b23eec649c807bee8937d7fbf267278f7777adbdb22b738672543b826d211a4b523f38cee3e2b01f05ccf40a75756fc19c911362988d8e86d5cd58 WHIRLPOOL 5703d0aa8bb4366bb7aeb44fa4f3d1b54f188de42cd8c82e894584f627802b80a3dde1aa3b15fe8602a1891ec61ac66b3cd44ec031385cca88768f375c15b554
-DIST qemu-2.2.0.tar.bz2 24316697 SHA256 b68c9b6c7c694f5489b5a6bffe993cd976ffbb78e7d178eb3bc016caf460039c SHA512 c1a42cc53a01175875411cad13defaab46f97740897b89f19fbf345106534f83fc707fae4a58d890f64eea475b940b934c7531a6ed04aa01f54cadb52b0b5909 WHIRLPOOL a9cb92406d4f2cfd6b7989c9876f7df4b305083241110e7b2bf16642cfd77531c48a48753745dfeb31b9aa7d71a2d4d3f8c5aba797918c9c60e920c79066ea2d
+DIST qemu-2.2.1.tar.bz2 24483500 SHA256 4617154c6ef744b83e10b744e392ad111dd351d435d6563ce24d8da75b1335a0 SHA512 970ead0c92fc04502c6d3a8dbfafa5797667b3d276a1a25ddbe991d20d8e17a588905ecbffa77fb3b9d12e481ac3776ca4c38fe89a5e4c96dc2fb045214bfa9f WHIRLPOOL 9226ce4a4f5c7247d6ab34eb8b45c9a91416ee5849dbe25b9d15cddbd6aba2b8da77280f6055d363a81ddec515d28bf501351cb7e21ecfb4bfe42cdb7e349788
 EBUILD qemu-2.1.2-r99.ebuild 18542 SHA256 3e1df3e683e3e0f98abef9d912cccb8292be1d5ac96de4982c16829f209f3451 SHA512 0338892629e480794ecc6201f6eda7259201f9add8f6e1c3f7487826455398d30dd0d78fc794b73bd73bd206b7ae2810f3d5ed74abbc435a9685c3429173fea1 WHIRLPOOL 4167e7c6d0810c93a926c84fd3fa4b46624881205ad2eae3f11e5a03bfb8231c3e265bd986bf24b8e1f7eaf41e6a2f3c8964d416e0ac95ab406383aa4d0c6e28
-EBUILD qemu-2.2.0-r99.ebuild 18600 SHA256 6b08c04633014da35b77be5d84f371c559777d8d9639a10540a1f916bf3df31d SHA512 b637260d08baf906437db3d111f2e340fda91ac47fa360ef85575b1b8cf90c5e00bb1ae2f22d40b36959d7c85e28616c3ea78d4b259e36e42dbf415b8d407fc0 WHIRLPOOL 8035107f638b0df274ce518ec53fae98a82aa7504284fbeaffaf0582b08229ce9e99f0c3a318a98afd069d91e568d08fa9f7061b6bfa1cfc1ac5425654d05bb9
+EBUILD qemu-2.2.1-r99.ebuild 18744 SHA256 15c5267816cbc7798b2aa0c342bd0a0254550d2fdb1497f3237aa33b53c8c59f SHA512 c7c90792a79fbf226e41f8dd61d5f3b1046a1e9c130d3216a0c29d374a09ec5aa8575e2578b843f37fd04645e2804ae91298924d307aff25922d7461bf52fe78 WHIRLPOOL ef73221242451e8772598ee1b0e346f4aa94ec59c1daf58ca9ac35d49e431c687ca5d80155e4e5846a3f76d35330a1043f9ae9018c19e0e1fc828711298aebae
 MISC metadata.xml 3774 SHA256 45d220d5c3fedecb5c318e2ab1fa796391f5fd3db09e4ef218b3bc7cb3cb10e1 SHA512 90b16206b5398b4044132d930b417372e1d305a93b062c895bc3b46ae64a19aa96d2471b5838f960cca7c6c30ce58571f332731f02eaeee17e4204469c5d6330 WHIRLPOOL f5498b8cb14aeeacdfd1da30c26ceca282bba3042a6288496d624d91c3c26c1bed34c42374db04e06378c8efd78010d3bef76c41c1aa529ccf17cec513ed1fa8
diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch
new file mode 100644
index 00000000..35ef8fde
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch
@@ -0,0 +1,241 @@
+From a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Mar 2015 22:58:21 +0000
+Subject: [PATCH] CVE-2015-1779: incrementally decode websocket frames
+
+The logic for decoding websocket frames wants to fully
+decode the frame header and payload, before allowing the
+VNC server to see any of the payload data. There is no
+size limit on websocket payloads, so this allows a
+malicious network client to consume 2^64 bytes in memory
+in QEMU. It can trigger this denial of service before
+the VNC server even performs any authentication.
+
+The fix is to decode the header, and then incrementally
+decode the payload data as it is needed. With this fix
+the websocket decoder will allow at most 4k of data to
+be buffered before decoding and processing payload.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]
+
+  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
+  -        *payload_size = input->offset;
+  +        *payload_size = *payload_remain;
+
+[ kraxel: fix 32bit build ]
+
+  @@ -306,7 +306,7 @@ struct VncState
+  -    uint64_t ws_payload_remain;
+  +    size_t ws_payload_remain;
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc-ws.c | 105 ++++++++++++++++++++++++++++++++++++++++--------------------
+ ui/vnc-ws.h |   9 ++++--
+ ui/vnc.h    |   2 ++
+ 3 files changed, 80 insertions(+), 36 deletions(-)
+
+diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
+index 85dbb7e..0b7de4e 100644
+--- a/ui/vnc-ws.c
++++ b/ui/vnc-ws.c
+@@ -107,7 +107,7 @@ long vnc_client_read_ws(VncState *vs)
+ {
+     int ret, err;
+     uint8_t *payload;
+-    size_t payload_size, frame_size;
++    size_t payload_size, header_size;
+     VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer,
+             vs->ws_input.capacity, vs->ws_input.offset);
+     buffer_reserve(&vs->ws_input, 4096);
+@@ -117,18 +117,39 @@ long vnc_client_read_ws(VncState *vs)
+     }
+     vs->ws_input.offset += ret;
+ 
+-    /* make sure that nothing is left in the ws_input buffer */
++    ret = 0;
++    /* consume as much of ws_input buffer as possible */
+     do {
+-        err = vncws_decode_frame(&vs->ws_input, &payload,
+-                              &payload_size, &frame_size);
+-        if (err <= 0) {
+-            return err;
++        if (vs->ws_payload_remain == 0) {
++            err = vncws_decode_frame_header(&vs->ws_input,
++                                            &header_size,
++                                            &vs->ws_payload_remain,
++                                            &vs->ws_payload_mask);
++            if (err <= 0) {
++                return err;
++            }
++
++            buffer_advance(&vs->ws_input, header_size);
+         }
++        if (vs->ws_payload_remain != 0) {
++            err = vncws_decode_frame_payload(&vs->ws_input,
++                                             &vs->ws_payload_remain,
++                                             &vs->ws_payload_mask,
++                                             &payload,
++                                             &payload_size);
++            if (err < 0) {
++                return err;
++            }
++            if (err == 0) {
++                return ret;
++            }
++            ret += err;
+ 
+-        buffer_reserve(&vs->input, payload_size);
+-        buffer_append(&vs->input, payload, payload_size);
++            buffer_reserve(&vs->input, payload_size);
++            buffer_append(&vs->input, payload, payload_size);
+ 
+-        buffer_advance(&vs->ws_input, frame_size);
++            buffer_advance(&vs->ws_input, payload_size);
++        }
+     } while (vs->ws_input.offset > 0);
+ 
+     return ret;
+@@ -265,15 +286,14 @@ void vncws_encode_frame(Buffer *output, const void *payload,
+     buffer_append(output, payload, payload_size);
+ }
+ 
+-int vncws_decode_frame(Buffer *input, uint8_t **payload,
+-                           size_t *payload_size, size_t *frame_size)
++int vncws_decode_frame_header(Buffer *input,
++                              size_t *header_size,
++                              size_t *payload_remain,
++                              WsMask *payload_mask)
+ {
+     unsigned char opcode = 0, fin = 0, has_mask = 0;
+-    size_t header_size = 0;
+-    uint32_t *payload32;
++    size_t payload_len;
+     WsHeader *header = (WsHeader *)input->buffer;
+-    WsMask mask;
+-    int i;
+ 
+     if (input->offset < WS_HEAD_MIN_LEN + 4) {
+         /* header not complete */
+@@ -283,7 +303,7 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
+     fin = (header->b0 & 0x80) >> 7;
+     opcode = header->b0 & 0x0f;
+     has_mask = (header->b1 & 0x80) >> 7;
+-    *payload_size = header->b1 & 0x7f;
++    payload_len = header->b1 & 0x7f;
+ 
+     if (opcode == WS_OPCODE_CLOSE) {
+         /* disconnect */
+@@ -300,40 +320,57 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
+         return -2;
+     }
+ 
+-    if (*payload_size < 126) {
+-        header_size = 6;
+-        mask = header->u.m;
+-    } else if (*payload_size == 126 && input->offset >= 8) {
+-        *payload_size = be16_to_cpu(header->u.s16.l16);
+-        header_size = 8;
+-        mask = header->u.s16.m16;
+-    } else if (*payload_size == 127 && input->offset >= 14) {
+-        *payload_size = be64_to_cpu(header->u.s64.l64);
+-        header_size = 14;
+-        mask = header->u.s64.m64;
++    if (payload_len < 126) {
++        *payload_remain = payload_len;
++        *header_size = 6;
++        *payload_mask = header->u.m;
++    } else if (payload_len == 126 && input->offset >= 8) {
++        *payload_remain = be16_to_cpu(header->u.s16.l16);
++        *header_size = 8;
++        *payload_mask = header->u.s16.m16;
++    } else if (payload_len == 127 && input->offset >= 14) {
++        *payload_remain = be64_to_cpu(header->u.s64.l64);
++        *header_size = 14;
++        *payload_mask = header->u.s64.m64;
+     } else {
+         /* header not complete */
+         return 0;
+     }
+ 
+-    *frame_size = header_size + *payload_size;
++    return 1;
++}
++
++int vncws_decode_frame_payload(Buffer *input,
++                               size_t *payload_remain, WsMask *payload_mask,
++                               uint8_t **payload, size_t *payload_size)
++{
++    size_t i;
++    uint32_t *payload32;
+ 
+-    if (input->offset < *frame_size) {
+-        /* frame not complete */
++    *payload = input->buffer;
++    /* If we aren't at the end of the payload, then drop
++     * off the last bytes, so we're always multiple of 4
++     * for purpose of unmasking, except at end of payload
++     */
++    if (input->offset < *payload_remain) {
++        *payload_size = input->offset - (input->offset % 4);
++    } else {
++        *payload_size = *payload_remain;
++    }
++    if (*payload_size == 0) {
+         return 0;
+     }
+-
+-    *payload = input->buffer + header_size;
++    *payload_remain -= *payload_size;
+ 
+     /* unmask frame */
+     /* process 1 frame (32 bit op) */
+     payload32 = (uint32_t *)(*payload);
+     for (i = 0; i < *payload_size / 4; i++) {
+-        payload32[i] ^= mask.u;
++        payload32[i] ^= payload_mask->u;
+     }
+     /* process the remaining bytes (if any) */
+     for (i *= 4; i < *payload_size; i++) {
+-        (*payload)[i] ^= mask.c[i % 4];
++        (*payload)[i] ^= payload_mask->c[i % 4];
+     }
+ 
+     return 1;
+diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h
+index ef229b7..14d4230 100644
+--- a/ui/vnc-ws.h
++++ b/ui/vnc-ws.h
+@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs);
+ void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
+ void vncws_encode_frame(Buffer *output, const void *payload,
+             const size_t payload_size);
+-int vncws_decode_frame(Buffer *input, uint8_t **payload,
+-                               size_t *payload_size, size_t *frame_size);
++int vncws_decode_frame_header(Buffer *input,
++                              size_t *header_size,
++                              size_t *payload_remain,
++                              WsMask *payload_mask);
++int vncws_decode_frame_payload(Buffer *input,
++                               size_t *payload_remain, WsMask *payload_mask,
++                               uint8_t **payload, size_t *payload_size);
+ 
+ #endif /* __QEMU_UI_VNC_WS_H */
+diff --git a/ui/vnc.h b/ui/vnc.h
+index e19ac39..3f7c6a9 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -306,6 +306,8 @@ struct VncState
+ #ifdef CONFIG_VNC_WS
+     Buffer ws_input;
+     Buffer ws_output;
++    size_t ws_payload_remain;
++    WsMask ws_payload_mask;
+ #endif
+     /* current output mode information */
+     VncWritePixels *write_pixels;
+-- 
+2.3.5
+
diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
new file mode 100644
index 00000000..c7a8c8b3
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
@@ -0,0 +1,58 @@
+From 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Mar 2015 22:58:22 +0000
+Subject: [PATCH] CVE-2015-1779: limit size of HTTP headers from websockets
+ clients
+
+The VNC server websockets decoder will read and buffer data from
+websockets clients until it sees the end of the HTTP headers,
+as indicated by \r\n\r\n. In theory this allows a malicious to
+trick QEMU into consuming an arbitrary amount of RAM. In practice,
+because QEMU runs g_strstr_len() across the buffered header data,
+it will spend increasingly long burning CPU time searching for
+the substring match and less & less time reading data. So while
+this does cause arbitrary memory growth, the bigger problem is
+that QEMU will be burning 100% of available CPU time.
+
+A novnc websockets client typically sends headers of around
+512 bytes in length. As such it is reasonable to place a 4096
+byte limit on the amount of data buffered while searching for
+the end of HTTP headers.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc-ws.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
+index 0b7de4e..62eb97f 100644
+--- a/ui/vnc-ws.c
++++ b/ui/vnc-ws.c
+@@ -81,8 +81,11 @@ void vncws_handshake_read(void *opaque)
+     VncState *vs = opaque;
+     uint8_t *handshake_end;
+     long ret;
+-    buffer_reserve(&vs->ws_input, 4096);
+-    ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
++    /* Typical HTTP headers from novnc are 512 bytes, so limiting
++     * total header size to 4096 is easily enough. */
++    size_t want = 4096 - vs->ws_input.offset;
++    buffer_reserve(&vs->ws_input, want);
++    ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
+ 
+     if (!ret) {
+         if (vs->csock == -1) {
+@@ -99,6 +102,9 @@ void vncws_handshake_read(void *opaque)
+         vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
+         buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
+                 strlen(WS_HANDSHAKE_END));
++    } else if (vs->ws_input.offset >= 4096) {
++        VNC_DEBUG("End of headers not found in first 4096 bytes\n");
++        vnc_client_error(vs);
+     }
+ }
+ 
+-- 
+2.3.5
+
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
new file mode 100644
index 00000000..87697d08
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
@@ -0,0 +1,86 @@
+https://bugs.gentoo.org/549404
+
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.0.4
+
diff --git a/app-emulation/qemu/qemu-2.2.0-r99.ebuild b/app-emulation/qemu/qemu-2.2.1-r99.ebuild
index 8bdbc957..5b8baf15 100644
--- a/app-emulation/qemu/qemu-2.2.0-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.2.1-r99.ebuild
@@ -1,10 +1,10 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.2.0.ebuild,v 1.3 2015/03/12 10:06:51 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.2.1-r2.ebuild,v 1.3 2015/05/14 07:09:58 ago Exp $
 
 EAPI=5
 
-PYTHON_COMPAT=( python{2_6,2_7} )
+PYTHON_COMPAT=( python2_7 )
 PYTHON_REQ_USE="ncurses,readline"
 
 inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
@@ -20,9 +20,8 @@ if [[ ${PV} = *9999* ]]; then
 else
 	SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
 	${BACKPORTS:+
-		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
-		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
-	KEYWORDS="amd64 ~ppc ~x86"
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+	KEYWORDS="amd64 ~ppc ~ppc64 x86 ~x86-fbsd"
 fi
 
 DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
@@ -77,13 +76,13 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
 	fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
 	glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
-	infiniband? ( sys-infiniband/librdmacm[static-libs(+)] )
-	jpeg? ( virtual/jpeg[static-libs(+)] )
+	infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] )
+	jpeg? ( virtual/jpeg:=[static-libs(+)] )
 	lzo? ( dev-libs/lzo:2[static-libs(+)] )
 	ncurses? ( sys-libs/ncurses[static-libs(+)] )
 	nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
 	numa? ( sys-process/numactl[static-libs(+)] )
-	png? ( media-libs/libpng[static-libs(+)] )
+	png? ( media-libs/libpng:0=[static-libs(+)] )
 	rbd? ( sys-cluster/ceph[static-libs(+)] )
 	sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
 	sdl? ( >=media-libs/libsdl-1.2.11[static-libs(+)] )
@@ -246,6 +245,7 @@ pkg_pretend() {
 
 pkg_setup() {
 	enewgroup kvm 78
+	python_setup
 }
 
 src_prepare() {
@@ -258,6 +258,9 @@ src_prepare() {
 	use nls || rm -f po/*.po
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
+	epatch "${FILESDIR}"/${P}-CVE-2015-1779-1.patch #544328
+	epatch "${FILESDIR}"/${P}-CVE-2015-1779-2.patch #544328
+	epatch "${FILESDIR}"/${PN}-2.3.0-CVE-2015-3456.patch #549404
 
 	# Patching for musl
 	epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch
@@ -399,7 +402,7 @@ qemu_src_configure() {
 		gcc-specs-pie && conf_opts+=( --enable-pie )
 	fi
 
-	einfo "./configure ${conf_opts[*]}"
+	einfo "../configure ${conf_opts[*]}"
 	cd "${builddir}"
 	../configure "${conf_opts[@]}" || die "configure failed"
author	Felix Janda <felix.janda@posteo.de>	2015-06-07 21:17:51 +0200
committer	Anthony G. Basile <blueness@gentoo.org>	2015-06-08 08:27:39 -0400
commit	dd8f541bb891cc198527837f2eedb81594efb1f3 (patch)
tree	51138897b31fa536b06aa8baad112071476e3abc
parent	sys-apps/hdparm: Bump to 9.45 (diff)
download	hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.tar.gz hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.tar.bz2 hardened-dev-dd8f541bb891cc198527837f2eedb81594efb1f3.zip