Bug 202402 - emulators/qemu-devel emulators/qemu-sbruno: multiple vulnerabilities (CVE-2015-5154, CVE-2015-5166, CVE-2015-5165)
Summary: emulators/qemu-devel emulators/qemu-sbruno: multiple vulnerabilities (CVE-201...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Jason Unovitch
URL:
Keywords: security
Depends on: 202864
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-17 23:59 UTC by Jason Unovitch
Modified: 2016-01-03 02:28 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (bofh)
junovitch: merge-quarterly?


Attachments
security/vuxml update for qemu (2.17 KB, patch)
2015-08-19 01:48 UTC, Jason Unovitch
no flags Details | Diff
security/vuxml update for qemu (3.32 KB, patch)
2015-08-19 02:04 UTC, Jason Unovitch
no flags Details | Diff
emulators/qemu-sbruno 2015Q3 build with r394418 r395787 r396026 (176.85 KB, text/x-log)
2015-09-04 16:51 UTC, Jason Unovitch
no flags Details
emulators/qemu-devel 2015Q3 build with r395861 and r396024 (174.33 KB, text/x-log)
2015-09-04 16:52 UTC, Jason Unovitch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Jason Unovitch freebsd_committer 2015-08-18 00:08:50 UTC
This work is related to QEMU issues that the Xen Project released security advisories for in bug 201931:

Issue: http://xenbits.xen.org/xsa/advisory-138.html
Fixed: https://svnweb.freebsd.org/changeset/ports/393514

Issue: http://xenbits.xen.org/xsa/advisory-139.html
Issue: http://xenbits.xen.org/xsa/advisory-140.html
Fixed: https://svnweb.freebsd.org/changeset/ports/394506
Comment 2 Sean Bruno freebsd_committer 2015-08-18 14:38:44 UTC
emulators/qemu-sbruno was updated to 2.4.0 at svn rev 394418

This pull includes all three referenced commits:

https://github.com/seanbruno/qemu-bsd-user/tree/bsd-user
Comment 3 Jason Unovitch freebsd_committer 2015-08-19 01:48:13 UTC
Created attachment 160003 [details]
security/vuxml update for qemu

Extend the QEMU related xen-tools CVEs to include the qemu-* ports
Comment 4 Jason Unovitch freebsd_committer 2015-08-19 01:49:07 UTC
(In reply to Sean Bruno from comment #2)
vuxml will document 2.4.50.g20150814 as being fixed and qemu and qemu-devel as being vulnerable.
Comment 5 Jason Unovitch freebsd_committer 2015-08-19 02:04:32 UTC
Created attachment 160004 [details]
security/vuxml update for qemu

* revise to use URL reference to QEMU git and mention QEMU in topic *

Extend the QEMU related xen-tools CVEs to include the qemu-* ports
Comment 6 commit-hook freebsd_committer 2015-08-19 22:06:33 UTC
A commit references this bug:

Author: junovitch
Date: Wed Aug 19 22:06:18 UTC 2015
New revision: 394816
URL: https://svnweb.freebsd.org/changeset/ports/394816

Log:
  Extend recent QEMU related xen-tools CVEs to include the qemu-* ports

  PR:		202402
  Security:	CVE-2015-5154
  Security:	CVE-2015-5165
  Security:	CVE-2015-5166
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Approved by:	feld (mentor)

Changes:
  head/security/vuxml/vuln.xml
Comment 7 Sean Bruno freebsd_committer 2015-09-02 16:18:41 UTC
I've fired off an update to emulators/qemu to bring the port up to 2.4.0

Is this suffificent?
Comment 8 Jason Unovitch freebsd_committer 2015-09-03 00:58:43 UTC
Set merge-quarterly?

Approved by ports-secteam for MFH of the following security updates (plus a build fix)?

emulators/qemu-devel
https://svnweb.FreeBSD.org/changeset/ports/395861

emulators/qemu-sbruno
https://svnweb.FreeBSD.org/changeset/ports/394418
https://svnweb.FreeBSD.org/changeset/ports/395787

Note I've validated earlier commits on qemu-sbruno are superseded by r394418 and not needed for MFH.
Comment 9 Jason Unovitch freebsd_committer 2015-09-03 01:00:47 UTC
(In reply to Sean Bruno from comment #7)

Sean, with emulators/qemu-devel at 2.4.0 we are covered there but what should we do for the legacy emulators/qemu port?  This is required because of the reason mentioned at https://wiki.FreeBSD.org/qemu, correct?

"Note: If you want to use the KQEMU accelerator you need to use the old /usr/ports/emulators/qemu port instead and enable its KQEMU knob (otherwise qemu is much slower), this installs /usr/ports/emulators/kqemu-kmod-devel as a dependency and(!) builds kqemu support into the port. The qemu-devel port no longer supports kqemu (support was removed upstream.)"
Comment 10 Jason Unovitch freebsd_committer 2015-09-03 02:31:28 UTC
Tag depends on bug 202864. r395861 for emulators/qemu-devel is not enough as it does not compile (patch failure) as is and still fails build after resolving it.

(In reply to Jason Unovitch from comment #8)
> emulators/qemu-devel
> https://svnweb.FreeBSD.org/changeset/ports/395861
I retract the request for quarterly MFH until the build issues in bug 202864 can be resolved.
Comment 11 commit-hook freebsd_committer 2015-09-03 17:40:25 UTC
A commit references this bug:

Author: sbruno
Date: Thu Sep  3 17:39:42 UTC 2015
New revision: 396024
URL: https://svnweb.freebsd.org/changeset/ports/396024

Log:
  Build fixes for 2.4.0
  - regenerate patch-pcap
  - Escape --extra-ldflags as it looks like the qemu builder is eating spaces
    or lines making it frustrating to use.

  PR:	202402 202536 202864

Changes:
  head/emulators/qemu-devel/Makefile
  head/emulators/qemu-devel/files/pcap-patch
Comment 12 Jason Unovitch freebsd_committer 2015-09-04 16:51:40 UTC
Created attachment 160724 [details]
emulators/qemu-sbruno 2015Q3 build with r394418 r395787 r396026

Build tested on:
9.3-RELEASE-p24     amd64
9.3-RELEASE-p24     i386
10.1-RELEASE-p19    amd64
10.1-RELEASE-p19    i386
10.2-RELEASE-p2     amd64
10.2-RELEASE-p2     i386
11.0-CURRENTr286886 amd64
11.0-CURRENTr286888 i386
Comment 13 Jason Unovitch freebsd_committer 2015-09-04 16:52:27 UTC
Created attachment 160725 [details]
emulators/qemu-devel 2015Q3 build with r395861 and r396024

Build tested on:
9.3-RELEASE-p24     amd64
9.3-RELEASE-p24     i386
10.1-RELEASE-p19    amd64
10.1-RELEASE-p19    i386
10.2-RELEASE-p2     amd64
10.2-RELEASE-p2     i386
11.0-CURRENTr286886 amd64
11.0-CURRENTr286888 i386
Comment 14 commit-hook freebsd_committer 2015-09-04 17:25:21 UTC
A commit references this bug:

Author: junovitch
Date: Fri Sep  4 17:24:38 UTC 2015
New revision: 396122
URL: https://svnweb.freebsd.org/changeset/ports/396122

Log:
  MFH: r395861 r396024 r394418 r395787 r396026

  r395861
  QEMU update to 2.4.0
  - remove patch files accepted and merge upstream
  - Add new vgabios-virtio

  r396024
  Build fixes for 2.4.0
  - regenerate patch-pcap
  - Escape --extra-ldflags as it looks like the qemu builder is eating spaces
    or lines making it frustrating to use.

  PR:	202402 202536 202864

  r394418
  Update qemu-sbruno to track bsd-user branch on github.  I *am* the
  upstream of this port and maintainer notified developers on 07/17/15 to
  update his ports while he is AFK.

  Sync's to pre-release 2.4.0

  Differential Revision:	https://reviews.freebsd.org/D3385

  r395787
  Build fix:
  - Remove etc/qemu/target-x86_64.conf.sample dropped by upstream
  - Add vgabios-virtio.bin

  r396026
  Fix Makefile so that those who want to use this port directly can still
  build.

  PR:	202536

  PR:		202402
  Security:	CVE-2015-5154
  Security:	CVE-2015-5165
  Security:	CVE-2015-5166
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/emulators/qemu-devel/Makefile
  branches/2015Q3/emulators/qemu-devel/distinfo
  branches/2015Q3/emulators/qemu-devel/files/patch-90_security
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3456
  branches/2015Q3/emulators/qemu-devel/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-devel/files/patch-tapclose
  branches/2015Q3/emulators/qemu-devel/files/pcap-patch
  branches/2015Q3/emulators/qemu-devel/pkg-plist
  branches/2015Q3/emulators/qemu-sbruno/Makefile
  branches/2015Q3/emulators/qemu-sbruno/distinfo
  branches/2015Q3/emulators/qemu-sbruno/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-sbruno/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-sbruno/pkg-plist
Comment 15 commit-hook freebsd_committer 2015-09-04 17:25:27 UTC
A commit references this bug:

Author: junovitch
Date: Fri Sep  4 17:24:39 UTC 2015
New revision: 396122
URL: https://svnweb.freebsd.org/changeset/ports/396122

Log:
  MFH: r395861 r396024 r394418 r395787 r396026

  r395861
  QEMU update to 2.4.0
  - remove patch files accepted and merge upstream
  - Add new vgabios-virtio

  r396024
  Build fixes for 2.4.0
  - regenerate patch-pcap
  - Escape --extra-ldflags as it looks like the qemu builder is eating spaces
    or lines making it frustrating to use.

  PR:	202402 202536 202864

  r394418
  Update qemu-sbruno to track bsd-user branch on github.  I *am* the
  upstream of this port and maintainer notified developers on 07/17/15 to
  update his ports while he is AFK.

  Sync's to pre-release 2.4.0

  Differential Revision:	https://reviews.freebsd.org/D3385

  r395787
  Build fix:
  - Remove etc/qemu/target-x86_64.conf.sample dropped by upstream
  - Add vgabios-virtio.bin

  r396026
  Fix Makefile so that those who want to use this port directly can still
  build.

  PR:	202536

  PR:		202402
  Security:	CVE-2015-5154
  Security:	CVE-2015-5165
  Security:	CVE-2015-5166
  Security:	da451130-365d-11e5-a4a5-002590263bf5
  Security:	f06f20dc-4347-11e5-93ad-002590263bf5
  Security:	ee99899d-4347-11e5-93ad-002590263bf5
  Approved by:	ports-secteam (feld), feld (mentor)

Changes:
_U  branches/2015Q3/
  branches/2015Q3/emulators/qemu-devel/Makefile
  branches/2015Q3/emulators/qemu-devel/distinfo
  branches/2015Q3/emulators/qemu-devel/files/patch-90_security
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-devel/files/patch-CVE-2015-3456
  branches/2015Q3/emulators/qemu-devel/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-devel/files/patch-tapclose
  branches/2015Q3/emulators/qemu-devel/files/pcap-patch
  branches/2015Q3/emulators/qemu-devel/pkg-plist
  branches/2015Q3/emulators/qemu-sbruno/Makefile
  branches/2015Q3/emulators/qemu-sbruno/distinfo
  branches/2015Q3/emulators/qemu-sbruno/files/patch-CVE-2015-3209
  branches/2015Q3/emulators/qemu-sbruno/files/patch-include-qemu-aes.h
  branches/2015Q3/emulators/qemu-sbruno/pkg-plist
Comment 16 Jason Unovitch freebsd_committer 2015-09-04 17:27:42 UTC
(In reply to Sean Bruno from comment #7)

Sean, that last item left would be what to do with emulators/qemu now that emulators/qemu-devel|qemu-sbruno have been fixed and MFH'd.   Any suggestions?
Comment 17 Sean Bruno freebsd_committer 2015-09-04 17:38:56 UTC
(In reply to Jason Unovitch from comment #16)

If we were voting, I'd delete emulators/qemu and move emulators/qemu-devel into its place.

But, there are features in the old and crusty qemu that people still use that are incompatible with upstream qemu.  I'd like to defer to Juergen in this matter before taking any action.
Comment 18 Sean Bruno freebsd_committer 2015-12-21 16:09:53 UTC
This may be irrelevant now.  New maintainer has updates emulators/qemu to the stable release.

I'm about to update qemu-sbruno to the 2.5.0 branch.
Comment 19 Jason Unovitch freebsd_committer 2015-12-22 00:54:01 UTC
(In reply to Sean Bruno from comment #18)
Thanks.  After the qemu-sbruno port update I'll dig through QEMU changelogs and ensure we are all caught up on VuXML entries and close the related PRs afterwards.
Comment 20 Jason Unovitch freebsd_committer 2016-01-01 20:57:19 UTC
Take PR to finish any VuXML documentation.  Unfortunately I am not finding a "security advisory" page like most projects have so I am digging through changelogs to reflect the correct fixed version.  Muhammad and Sean, I appreciate you catching the ports up.  If I see any outstanding issues after getting all the issues documented I'll pass on a heads up.
Comment 21 Jason Unovitch freebsd_committer 2016-01-03 02:28:22 UTC
We are effectively caught up on any VuXML related documentation with the following three commits:

https://svnweb.FreeBSD.org/changeset/ports/405035
https://svnweb.FreeBSD.org/changeset/ports/405069
https://svnweb.FreeBSD.org/changeset/ports/405110

Closing this PR now.  All the issues reported since this PR are documented in bug 205813 and bug 205813.