Bug 205813 - emulators/qemu-sbruno: multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Sean Bruno
Keywords: security
Reported: 2016-01-03 02:19 UTC by Jason Unovitch
Modified: 2016-03-21 16:09 UTC
bugzilla: maintainer-feedback? (sbruno)
junovitch: merge-quarterly?


Comment 1 commit-hook freebsd_committer 2016-01-03 02:26:01 UTC
A commit references this bug:

Author: junovitch
Date: Sun Jan  3 02:25:00 UTC 2016
New revision: 405110
URL: https://svnweb.freebsd.org/changeset/ports/405110

Log:
  Document recent QEMU denial of service vulnerabilities

  PR:		205813
  PR:		205814
  Security:	CVE-2015-8701
  Security:	CVE-2015-8666
  Security:	CVE-2015-8619
  Security:	CVE-2015-8613
  Security:	CVE-2015-8567
  Security:	CVE-2015-8568
  Security:	CVE-2015-8558
  Security:	CVE-2015-7549
  Security:	CVE-2015-8504
  Security:	CVE-2015-7504
  Security:	CVE-2015-7512
  Security:	CVE-2015-8345
  Security:	https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/152acff3-b1bd-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/60cb2055-b1b8-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3fb06284-b1b7-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/67feba97-b1b5-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jason Unovitch freebsd_committer 2016-01-03 02:35:27 UTC
PR:
- Add bofh@ as a courtesy CC... I'm unsure what level these ports are going to be kept in sync in the future.
- Add security tag and add ports-secteam to CC
- Add merge-quarterly? as there will be something to MFH

Comments:
None of these have hit upstream at this time. I'm unsure how you want to proceed, but we have everything documented as reported, so all we'll have to do is fix the version numbers documented in VuXML when we roll out a fix.
Comment 3 Sean Bruno freebsd_committer 2016-01-03 22:35:23 UTC
Hrm ... it doesn't look like these patches have been accepted upstream at the moment.  Should we hold off until upstream decides to "do something" here?
Comment 4 Muhammad Moinur Rahman freebsd_committer 2016-01-04 11:23:26 UTC
Considering Christmas and New Year, I would like to wait until the end of this week for both my qemu-*.
Comment 5 Jason Unovitch freebsd_committer 2016-01-04 12:04:34 UTC
All the open qemu CVEs are just local denial of service issues. I say these are low on the risk level side of things. We've identified them and are tracking them here for the time being until upstream integrates the fixes.
Comment 9 Sean Bruno freebsd_committer 2016-01-20 16:22:56 UTC
CVE-2015-8619

Not patched
Comment 11 Sean Bruno freebsd_committer 2016-02-09 13:58:59 UTC
(In reply to Sean Bruno from comment #9)
https://github.com/qemu/qemu/commit/64ffbe04eaafebf4045a3ace52a360c14959d196
Comment 12 Sean Bruno freebsd_committer 2016-02-09 13:59:39 UTC
Currently, all CVEs marked in this bugzilla ticket are patched upstream. I'm waiting for an update to fix compilation on FreeBSD that has been pulled into the trivial branch.
Comment 13 commit-hook freebsd_committer 2016-02-13 19:19:06 UTC
A commit references this bug:

Author: sbruno
Date: Sat Feb 13 19:18:12 UTC 2016
New revision: 408825
URL: https://svnweb.freebsd.org/changeset/ports/408825

Log:
  Update qemu-sbruno and qemu-user-static.

  Sync bsd-user do_obreak with linux-user (do_brk).

  Merging to QEMU upstream provides fixes for the following CVEs:
  CVE-2015-8345
  CVE-2015-8567
  CVE-2015-8568
  CVE-2015-8613
  CVE-2015-8619
  CVE-2015-8701

  libvixl upstream has been updated to 1.12 and has accepted a slightly
  modified version that addresses the issue in the patch.

  PR:		205813

Changes:
  head/emulators/qemu-sbruno/Makefile
  head/emulators/qemu-sbruno/distinfo
  head/emulators/qemu-sbruno/files/patch-disas-libvixl-a64-disasm-a64.cc
Comment 14 commit-hook freebsd_committer 2016-02-13 22:29:22 UTC
A commit references this bug:

Author: junovitch
Date: Sat Feb 13 22:28:41 UTC 2016
New revision: 408831
URL: https://svnweb.freebsd.org/changeset/ports/408831

Log:
  Reflect QEMU DoS vulnerabilities now fixed in qemu-sbruno/qemu-user-static

  PR:		205813
  Security:	CVE-2015-8345
  Security:	CVE-2015-8567
  Security:	CVE-2015-8568
  Security:	CVE-2015-8613
  Security:	CVE-2015-8619
  Security:	CVE-2015-8701
  Security:	https://vuxml.FreeBSD.org/freebsd/1384f2fd-b1be-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/62ab8707-b1bc-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/9ad8993e-b1ba-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b3f9f8ef-b1bb-11e5-9728-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/b56fe6bb-b1b1-11e5-9728-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 15 Jason Unovitch freebsd_committer 2016-02-13 22:33:31 UTC
(In reply to Sean Bruno from comment #12)

Thanks Sean. Do you want me to pursue an MFH for quarterly or would you like to pursue it?
Comment 16 Sean Bruno freebsd_committer 2016-02-14 14:50:58 UTC
(In reply to Jason Unovitch from comment #15)
Oh, hrm ... I don't normally even pay attention to quarterlies.  So, if you have the spare cycles, please do so.
Comment 17 Jason Unovitch freebsd_committer 2016-02-14 19:34:54 UTC
(In reply to Sean Bruno from comment #16)
It looks like there are still QA issues to be addressed with the revision in head:
===> Checking for items in STAGEDIR missing from pkg-plist
Error: Orphaned: bin/ivshmem-client
Error: Orphaned: bin/ivshmem-server

What option are they tied to? I can address them if you let me know which option to prefix them with and MFH the batch of commits, or I can wait until you address it and MFH the commits.
Comment 18 Sean Bruno freebsd_committer 2016-02-15 20:21:24 UTC
(In reply to Jason Unovitch from comment #17)
I've done one more pass over emulators/qemu-sbruno

How does it look to you now?
Comment 19 Jason Unovitch freebsd_committer 2016-02-17 02:12:03 UTC
(In reply to Sean Bruno from comment #18)
It's failing to build. See portsmon: http://portsmon.FreeBSD.org/portoverview.py?category=emulators&portname=qemu-sbruno
Comment 20 Jason Unovitch freebsd_committer 2016-02-21 14:30:51 UTC
After r409146, it fails to link on 10.x i386 and 11.x i386 with:

cpus.o: In function `icount_warp_rt':
/wrkdirs/usr/ports/emulators/qemu-sbruno/work/qemu-bsd-user-cada59f/cpus.c:343: undefined reference to `__atomic_load_8'
c++: error: linker command failed with exit code 1 (use -v to see invocation)

Full log: https://people.FreeBSD.org/~junovitch/poudriere/PR205813/qemu-sbruno-2.5.50.g20160215_2.log
Comment 21 Sean Bruno freebsd_committer 2016-03-21 16:09:48 UTC
(In reply to Jason Unovitch from comment #20)
I've disabled i386 builds while I deal with upstream.  I consider this closed for now.