main/qemu: security fix for CVE-2015-4037

ref #4324 fixes #4328 (cherry picked from commit 786a06d135bec56c5f93b9b5a0099cb34957f1da)
author: Natanael Copa <ncopa@alpinelinux.org> 2015-07-08 07:58:45 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-07-08 08:01:44 +0000
commit: 3397c7cce9410a6c2e244bfd6727eac84eca7d8a (patch)
tree: 952659cc1d140d8c9029094becc078d91344fa89
parent: ec4ed8ceca43a549be0a902d25bf21c1a74e1beb (diff)
download: alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.tar.bz2
alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.tar.xz
alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.zip
2 files changed, 54 insertions, 0 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index 1ee54abe31..f02c4fd5b1 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -96,6 +96,7 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
        fix-sigevent-and-sigval_t.patch
        CVE-2015-3456.patch
+        CVE-2015-4037.patch
        qemu-guest-agent.confd
        qemu-guest-agent.initd
@@ -295,6 +296,7 @@ d364208c4847ad2baeb237900befecd1  0006-linux-user-signal.c-define-__SIGRTMIN-MAX
 bc5f2e41ed3b6d6d30b672adab82e3e1  musl-F_SHLCK-and-F_EXLCK.patch
 9afbd6c9586229ce64275f012d665e2a  fix-sigevent-and-sigval_t.patch
 5e8a68940c4e0267e795a6ddd144e00e  CVE-2015-3456.patch
+97045abdf8d0543691e52f9fdf0c8d52  CVE-2015-4037.patch
 1663bc6977f6886a58394155b1bf3676  qemu-guest-agent.confd
 4cb15a1c3de2691dd65842f2325dfe22  qemu-guest-agent.initd
 66660f143235201249dc0648b39b86ee  80-kvm.rules"
@@ -304,6 +306,7 @@ af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987  0001-elfload-l
 eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40  musl-F_SHLCK-and-F_EXLCK.patch
 9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5  fix-sigevent-and-sigval_t.patch
 de69a47daf292fd0cc01c925a23c9fadbac0fb60c322bf89260cccceb47ca204  CVE-2015-3456.patch
+6bb3f4bb71716bdde8ff417b76ceb4cee336ae93a65b2ae1db15406f382c0299  CVE-2015-4037.patch
 d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298  qemu-guest-agent.confd
 91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60  qemu-guest-agent.initd
 37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84  80-kvm.rules"
@@ -313,6 +316,7 @@ ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606
 5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5  musl-F_SHLCK-and-F_EXLCK.patch
 e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a  fix-sigevent-and-sigval_t.patch
 81485e26e30314b075a154cbce841fa3b803b70d8539a5ce00e57ec2020ab801d88c35631805811d003505dfd1909a5b70307fdbd8a192986f53143669465bd8  CVE-2015-3456.patch
+8dc68c2f511a28b0c1896b89922fab8e31dea4eefe18a69e6c068dd799cfc5a5a8b2ed8c3f5d17584932ddb9a2bf72d72fdaaf19c2129babf9a8e8f4ce150659  CVE-2015-4037.patch
 d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f  qemu-guest-agent.confd
 69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094  qemu-guest-agent.initd
 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules"
diff --git a/main/qemu/CVE-2015-4037.patch b/main/qemu/CVE-2015-4037.patch
new file mode 100644
index 0000000000..fb36234531
--- /dev/null
+++ b/main/qemu/CVE-2015-4037.patch
@@ -0,0 +1,50 @@
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Thu, 28 May 2015 14:12:26 +0300
+Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
+ config (CVE-2015-4037)
+In this version I used mkdtemp(3) which is:
+        _BSD_SOURCE
+        || /* Since glibc 2.10: */
+            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
+(POSIX.1-2008), so should be available on systems we care about.
+While at it, reset the resulting directory name within smb structure
+on error so cleanup function wont try to remove directory which we
+failed to create.
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
+---
+ net/slirp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+diff --git a/net/slirp.c b/net/slirp.c
+index 9bbed74..3090c10 100644
+--- a/net/slirp.c
+++ b/net/slirp.c
+@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
+ static int slirp_smb(SlirpState* s, const char *exported_dir,
+                      struct in_addr vserver_addr)
+ {
+-    static int instance;
+     char smb_conf[128];
+     char smb_cmdline[128];
+     struct passwd *passwd;
+@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
+         return -1;
+     }
+ 
+-    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
+-             (long)getpid(), instance++);
+-    if (mkdir(s->smb_dir, 0700) < 0) {
+    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
+    if (!mkdtemp(s->smb_dir)) {
+         error_report("could not create samba server dir '%s'", s->smb_dir);
+        s->smb_dir[0] = 0;
+         return -1;
+     }
+     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
author	Natanael Copa <ncopa@alpinelinux.org>	2015-07-08 07:58:45 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-07-08 08:01:44 +0000
commit	3397c7cce9410a6c2e244bfd6727eac84eca7d8a (patch)
tree	952659cc1d140d8c9029094becc078d91344fa89
parent	ec4ed8ceca43a549be0a902d25bf21c1a74e1beb (diff)
download	alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.tar.bz2 alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.tar.xz alpine_aports-3397c7cce9410a6c2e244bfd6727eac84eca7d8a.zip

diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD index 1ee54abe31..f02c4fd5b1 100644 --- a/main/qemu/APKBUILD +++ b/main/qemu/APKBUILD
@@ -96,6 +96,7 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
96	fix-sigevent-and-sigval_t.patch	96	fix-sigevent-and-sigval_t.patch
97		97
98	CVE-2015-3456.patch	98	CVE-2015-3456.patch
		99	CVE-2015-4037.patch
99		100
100	qemu-guest-agent.confd	101	qemu-guest-agent.confd
101	qemu-guest-agent.initd	102	qemu-guest-agent.initd
@@ -295,6 +296,7 @@ d364208c4847ad2baeb237900befecd1 0006-linux-user-signal.c-define-__SIGRTMIN-MAX
295	bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch	296	bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch
296	9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch	297	9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch
297	5e8a68940c4e0267e795a6ddd144e00e CVE-2015-3456.patch	298	5e8a68940c4e0267e795a6ddd144e00e CVE-2015-3456.patch
		299	97045abdf8d0543691e52f9fdf0c8d52 CVE-2015-4037.patch
298	1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd	300	1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd
299	4cb15a1c3de2691dd65842f2325dfe22 qemu-guest-agent.initd	301	4cb15a1c3de2691dd65842f2325dfe22 qemu-guest-agent.initd
300	66660f143235201249dc0648b39b86ee 80-kvm.rules"	302	66660f143235201249dc0648b39b86ee 80-kvm.rules"
@@ -304,6 +306,7 @@ af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-l
304	eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch	306	eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch
305	9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch	307	9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch
306	de69a47daf292fd0cc01c925a23c9fadbac0fb60c322bf89260cccceb47ca204 CVE-2015-3456.patch	308	de69a47daf292fd0cc01c925a23c9fadbac0fb60c322bf89260cccceb47ca204 CVE-2015-3456.patch
		309	6bb3f4bb71716bdde8ff417b76ceb4cee336ae93a65b2ae1db15406f382c0299 CVE-2015-4037.patch
307	d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd	310	d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd
308	91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60 qemu-guest-agent.initd	311	91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60 qemu-guest-agent.initd
309	37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"	312	37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"
@@ -313,6 +316,7 @@ ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606
313	5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch	316	5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch
314	e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch	317	e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch
315	81485e26e30314b075a154cbce841fa3b803b70d8539a5ce00e57ec2020ab801d88c35631805811d003505dfd1909a5b70307fdbd8a192986f53143669465bd8 CVE-2015-3456.patch	318	81485e26e30314b075a154cbce841fa3b803b70d8539a5ce00e57ec2020ab801d88c35631805811d003505dfd1909a5b70307fdbd8a192986f53143669465bd8 CVE-2015-3456.patch
		319	8dc68c2f511a28b0c1896b89922fab8e31dea4eefe18a69e6c068dd799cfc5a5a8b2ed8c3f5d17584932ddb9a2bf72d72fdaaf19c2129babf9a8e8f4ce150659 CVE-2015-4037.patch
316	d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd	320	d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
317	69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094 qemu-guest-agent.initd	321	69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094 qemu-guest-agent.initd
318	9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"	322	9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"


diff --git a/main/qemu/CVE-2015-4037.patch b/main/qemu/CVE-2015-4037.patch new file mode 100644 index 0000000000..fb36234531 --- /dev/null +++ b/main/qemu/CVE-2015-4037.patch
@@ -0,0 +1,50 @@
		1	From: Michael Tokarev <mjt@tls.msk.ru>
		2	Date: Thu, 28 May 2015 14:12:26 +0300
		3	Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
		4	config (CVE-2015-4037)
		5
		6	In this version I used mkdtemp(3) which is:
		7
		8	_BSD_SOURCE
		9	\|\| /* Since glibc 2.10: */
		10	(_POSIX_C_SOURCE >= 200809L \|\| _XOPEN_SOURCE >= 700)
		11
		12	(POSIX.1-2008), so should be available on systems we care about.
		13
		14	While at it, reset the resulting directory name within smb structure
		15	on error so cleanup function wont try to remove directory which we
		16	failed to create.
		17
		18	Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
		19	Reviewed-by: Markus Armbruster <armbru@redhat.com>
		20	(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
		21	---
		22	net/slirp.c \| 7 +++----
		23	1 file changed, 3 insertions(+), 4 deletions(-)
		24
		25	diff --git a/net/slirp.c b/net/slirp.c
		26	index 9bbed74..3090c10 100644
		27	--- a/net/slirp.c
		28	+++ b/net/slirp.c
		29	@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
		30	static int slirp_smb(SlirpState* s, const char *exported_dir,
		31	struct in_addr vserver_addr)
		32	{
		33	- static int instance;
		34	char smb_conf[128];
		35	char smb_cmdline[128];
		36	struct passwd *passwd;
		37	@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
		38	return -1;
		39	}
		40
		41	- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
		42	- (long)getpid(), instance++);
		43	- if (mkdir(s->smb_dir, 0700) < 0) {
		44	+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
		45	+ if (!mkdtemp(s->smb_dir)) {
		46	error_report("could not create samba server dir '%s'", s->smb_dir);
		47	+ s->smb_dir[0] = 0;
		48	return -1;
		49	}
		50	snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");