qemu: Upgrade 8.2.1 -> 8.2.2

This was a bugfix release, this version fixed several important fixes according to upstream. Dropped CVE-2023-6683.patch since already contained the fix. (From OE-Core rev: f548a3a24f3fc26b09e2fcc8544065beb5293f91) Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Xiangyu Chen <xiangyu.chen@windriver.com> 2024-07-08 17:34:04 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-07-12 05:47:20 -0700
commit: 47789523ddcc62fde6c55eb1bfbfe7bd3ce4cd11 (patch)
tree: ea6e403232bed2f99e5ec8942c0e6b6c2d4b6c8d /meta/recipes-devtools
parent: 262cb8eb147844e746464f97c12f772d1c33563e (diff)
download: poky-47789523ddcc62fde6c55eb1bfbfe7bd3ce4cd11.tar.gz
5 files changed, 1 insertions, 93 deletions
diff --git a/meta/recipes-devtools/qemu/qemu-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb
index a77953529b..a77953529b 100644
--- a/meta/recipes-devtools/qemu/qemu-native_8.2.1.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb
index 0634b34242..0634b34242 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index d22bc31ce3..e121ae70cc 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,7 +39,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0003-linux-user-Add-strace-for-shmat.patch \
           file://0004-linux-user-Rewrite-target_shmat.patch \
           file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
-           file://CVE-2023-6683.patch \
           file://qemu-guest-agent.init \
           file://qemu-guest-agent.udev \
           file://CVE-2024-3446-01.patch \
@@ -63,7 +62,7 @@ SRC_URI:append:class-native = " \
        file://0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch \
        "
-SRC_URI[sha256sum] = "8562751158175f9d187c5f22b57555abe3c870f0325c8ced12c34c6d987729be"
+SRC_URI[sha256sum] = "847346c1b82c1a54b2c38f6edbd85549edeb17430b7d4d3da12620e2962bc4f3"
 CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
deleted file mode 100644
index 732cb6af18..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
-From: Fiona Ebner <f.ebner@proxmox.com>
-Date: Wed, 24 Jan 2024 11:57:48 +0100
-Subject: [PATCH] ui/clipboard: mark type as not available when there is no
- data
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
-message with len=0. In qemu_clipboard_set_data(), the clipboard info
-will be updated setting data to NULL (because g_memdup(data, size)
-returns NULL when size is 0). If the client does not set the
-VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
-the 'request' callback for the clipboard peer is not initialized.
-Later, because data is NULL, qemu_clipboard_request() can be reached
-via vdagent_chr_write() and vdagent_clipboard_recv_request() and
-there, the clipboard owner's 'request' callback will be attempted to
-be called, but that is a NULL pointer.
-In particular, this can happen when using the KRDC (22.12.3) VNC
-client.
-Another scenario leading to the same issue is with two clients (say
-noVNC and KRDC):
-The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
-initializes its cbpeer.
-The KRDC client does not, but triggers a vnc_client_cut_text() (note
-it's not the _ext variant)). There, a new clipboard info with it as
-the 'owner' is created and via qemu_clipboard_set_data() is called,
-which in turn calls qemu_clipboard_update() with that info.
-In qemu_clipboard_update(), the notifier for the noVNC client will be
-called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
-noVNC client. The 'owner' in that clipboard info is the clipboard peer
-for the KRDC client, which did not initialize the 'request' function.
-That sounds correct to me, it is the owner of that clipboard info.
-Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
-the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
-passes), that clipboard info is passed to qemu_clipboard_request() and
-the original segfault still happens.
-Fix the issue by handling updates with size 0 differently. In
-particular, mark in the clipboard info that the type is not available.
-While at it, switch to g_memdup2(), because g_memdup() is deprecated.
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2023-6683
-Reported-by: Markus Frank <m.frank@proxmox.com>
-Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Tested-by: Markus Frank <m.frank@proxmox.com>
-Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
-CVE: CVE-2023-6683
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a]
-Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
---
- ui/clipboard.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-diff --git a/ui/clipboard.c b/ui/clipboard.c
-index 3d14bffaf80f..b3f6fa3c9e1f 100644
--- a/ui/clipboard.c
-+++ b/ui/clipboard.c
-@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
-     }
- 
-     g_free(info->types[type].data);
-    info->types[type].data = g_memdup(data, size);
-    info->types[type].size = size;
-    info->types[type].available = true;
-+    if (size) {
-+        info->types[type].data = g_memdup2(data, size);
-+        info->types[type].size = size;
-+        info->types[type].available = true;
-+    } else {
-+        info->types[type].data = NULL;
-+        info->types[type].size = 0;
-+        info->types[type].available = false;
-+    }
- 
-     if (update) {
-         qemu_clipboard_update(info);
diff --git a/meta/recipes-devtools/qemu/qemu_8.2.1.bb b/meta/recipes-devtools/qemu/qemu_8.2.2.bb
index dc1352232e..dc1352232e 100644
--- a/meta/recipes-devtools/qemu/qemu_8.2.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_8.2.2.bb
author	Xiangyu Chen <xiangyu.chen@windriver.com>	2024-07-08 17:34:04 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-07-12 05:47:20 -0700
commit	47789523ddcc62fde6c55eb1bfbfe7bd3ce4cd11 (patch)
tree	ea6e403232bed2f99e5ec8942c0e6b6c2d4b6c8d /meta/recipes-devtools
parent	262cb8eb147844e746464f97c12f772d1c33563e (diff)
download	poky-47789523ddcc62fde6c55eb1bfbfe7bd3ce4cd11.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb index a77953529b..a77953529b 100644 --- a/meta/recipes-devtools/qemu/qemu-native_8.2.1.bb +++ b/meta/recipes-devtools/qemu/qemu-native_8.2.2.bb


diff --git a/meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb b/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb index 0634b34242..0634b34242 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_8.2.1.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_8.2.2.bb


diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d22bc31ce3..e121ae70cc 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,7 +39,6 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
39	file://0003-linux-user-Add-strace-for-shmat.patch \	39	file://0003-linux-user-Add-strace-for-shmat.patch \
40	file://0004-linux-user-Rewrite-target_shmat.patch \	40	file://0004-linux-user-Rewrite-target_shmat.patch \
41	file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \	41	file://0005-tests-tcg-Check-that-shmat-does-not-break-proc-self-.patch \
42	file://CVE-2023-6683.patch \
43	file://qemu-guest-agent.init \	42	file://qemu-guest-agent.init \
44	file://qemu-guest-agent.udev \	43	file://qemu-guest-agent.udev \
45	file://CVE-2024-3446-01.patch \	44	file://CVE-2024-3446-01.patch \
@@ -63,7 +62,7 @@ SRC_URI:append:class-native = " \
63	file://0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch \	62	file://0012-linux-user-workaround-for-missing-MAP_SHARED_VALIDAT.patch \
64	"	63	"
65		64
66	SRC_URI[sha256sum] = "8562751158175f9d187c5f22b57555abe3c870f0325c8ced12c34c6d987729be"	65	SRC_URI[sha256sum] = "847346c1b82c1a54b2c38f6edbd85549edeb17430b7d4d3da12620e2962bc4f3"
67		66
68	CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."	67	CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
69		68


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch deleted file mode 100644 index 732cb6af18..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-6683.patch +++ /dev/null
@@ -1,91 +0,0 @@
1	From 405484b29f6548c7b86549b0f961b906337aa68a Mon Sep 17 00:00:00 2001
2	From: Fiona Ebner <f.ebner@proxmox.com>
3	Date: Wed, 24 Jan 2024 11:57:48 +0100
4	Subject: [PATCH] ui/clipboard: mark type as not available when there is no
5	data
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	With VNC, a client can send a non-extended VNC_MSG_CLIENT_CUT_TEXT
11	message with len=0. In qemu_clipboard_set_data(), the clipboard info
12	will be updated setting data to NULL (because g_memdup(data, size)
13	returns NULL when size is 0). If the client does not set the
14	VNC_ENCODING_CLIPBOARD_EXT feature when setting up the encodings, then
15	the 'request' callback for the clipboard peer is not initialized.
16	Later, because data is NULL, qemu_clipboard_request() can be reached
17	via vdagent_chr_write() and vdagent_clipboard_recv_request() and
18	there, the clipboard owner's 'request' callback will be attempted to
19	be called, but that is a NULL pointer.
20
21	In particular, this can happen when using the KRDC (22.12.3) VNC
22	client.
23
24	Another scenario leading to the same issue is with two clients (say
25	noVNC and KRDC):
26
27	The noVNC client sets the extension VNC_FEATURE_CLIPBOARD_EXT and
28	initializes its cbpeer.
29
30	The KRDC client does not, but triggers a vnc_client_cut_text() (note
31	it's not the _ext variant)). There, a new clipboard info with it as
32	the 'owner' is created and via qemu_clipboard_set_data() is called,
33	which in turn calls qemu_clipboard_update() with that info.
34
35	In qemu_clipboard_update(), the notifier for the noVNC client will be
36	called, i.e. vnc_clipboard_notify() and also set vs->cbinfo for the
37	noVNC client. The 'owner' in that clipboard info is the clipboard peer
38	for the KRDC client, which did not initialize the 'request' function.
39	That sounds correct to me, it is the owner of that clipboard info.
40
41	Then when noVNC sends a VNC_MSG_CLIENT_CUT_TEXT message (it did set
42	the VNC_FEATURE_CLIPBOARD_EXT feature correctly, so a check for it
43	passes), that clipboard info is passed to qemu_clipboard_request() and
44	the original segfault still happens.
45
46	Fix the issue by handling updates with size 0 differently. In
47	particular, mark in the clipboard info that the type is not available.
48
49	While at it, switch to g_memdup2(), because g_memdup() is deprecated.
50
51	Cc: qemu-stable@nongnu.org
52	Fixes: CVE-2023-6683
53	Reported-by: Markus Frank <m.frank@proxmox.com>
54	Suggested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
55	Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
56	Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
57	Tested-by: Markus Frank <m.frank@proxmox.com>
58	Message-ID: <20240124105749.204610-1-f.ebner@proxmox.com>
59
60	CVE: CVE-2023-6683
61
62	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/405484b29f6548c7b86549b0f961b906337aa68a]
63	Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
64
65	---
66	ui/clipboard.c \| 12 +++++++++---
67	1 file changed, 9 insertions(+), 3 deletions(-)
68
69	diff --git a/ui/clipboard.c b/ui/clipboard.c
70	index 3d14bffaf80f..b3f6fa3c9e1f 100644
71	--- a/ui/clipboard.c
72	+++ b/ui/clipboard.c
73	@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
74	}
75
76	g_free(info->types[type].data);
77	- info->types[type].data = g_memdup(data, size);
78	- info->types[type].size = size;
79	- info->types[type].available = true;
80	+ if (size) {
81	+ info->types[type].data = g_memdup2(data, size);
82	+ info->types[type].size = size;
83	+ info->types[type].available = true;
84	+ } else {
85	+ info->types[type].data = NULL;
86	+ info->types[type].size = 0;
87	+ info->types[type].available = false;
88	+ }
89
90	if (update) {
91	qemu_clipboard_update(info);


diff --git a/meta/recipes-devtools/qemu/qemu_8.2.1.bb b/meta/recipes-devtools/qemu/qemu_8.2.2.bb index dc1352232e..dc1352232e 100644 --- a/meta/recipes-devtools/qemu/qemu_8.2.1.bb +++ b/meta/recipes-devtools/qemu/qemu_8.2.2.bb