main/qemu: security fix for CVE-2015-4037

fixes #4326
author: Natanael Copa <ncopa@alpinelinux.org> 2015-07-08 07:58:45 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2015-08-05 12:18:12 +0000
commit: a882568554dd0e1848d1891e7756d5d036ab516a (patch)
tree: 694567452d81ea9224ec1632a10b543fb67a2079
parent: 30e6eb8fa7fd4faaf222021010b41379f502a70d (diff)
download: aports-a882568554dd0e1848d1891e7756d5d036ab516a.tar.bz2
aports-a882568554dd0e1848d1891e7756d5d036ab516a.tar.xz
2 files changed, 55 insertions, 1 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index c6a53d1176..28806bda51 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=qemu
 pkgver=2.1.3
-pkgrel=0
+pkgrel=1
 pkgdesc="QEMU is a generic machine emulator and virtualizer"
 url="http://qemu.org/"
 arch="all"
@@ -80,6 +80,7 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
 	CVE-2014-9718.patch
 	CVE-2015-1779.patch
 	CVE-2015-3456.patch
+	CVE-2015-4037.patch
 
 	qemu-guest-agent.confd
 	qemu-guest-agent.initd
@@ -244,6 +245,7 @@ bc5f2e41ed3b6d6d30b672adab82e3e1  musl-F_SHLCK-and-F_EXLCK.patch
 822717a977a9d82d63da00512713f50e  CVE-2014-9718.patch
 59314f55d3f1d7fd25b1d42ca8ab950a  CVE-2015-1779.patch
 5e8a68940c4e0267e795a6ddd144e00e  CVE-2015-3456.patch
+97045abdf8d0543691e52f9fdf0c8d52  CVE-2015-4037.patch
 1663bc6977f6886a58394155b1bf3676  qemu-guest-agent.confd
 2035cd781ea810e94bda250c609d8d90  qemu-guest-agent.initd
 66660f143235201249dc0648b39b86ee  80-kvm.rules"
@@ -255,6 +257,7 @@ de64781b2ef71e53c94f3f411bc26ad39e2b6cb581217dbb2739c251e253996f  CVE-2014-8106.
 87165dd0fa774b8a61bd9d10c1929d43ddf7213790644e57433cf74c1fb66664  CVE-2014-9718.patch
 bcebf2169983511edde1a884cdbf11115ed5422cd971d815d60a0754c253c8a5  CVE-2015-1779.patch
 de69a47daf292fd0cc01c925a23c9fadbac0fb60c322bf89260cccceb47ca204  CVE-2015-3456.patch
+6bb3f4bb71716bdde8ff417b76ceb4cee336ae93a65b2ae1db15406f382c0299  CVE-2015-4037.patch
 d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298  qemu-guest-agent.confd
 982fa8ba67c728405305e4cf5a36a41a780b3d1f388ebd6377e7964c271a1c92  qemu-guest-agent.initd
 37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84  80-kvm.rules"
@@ -266,6 +269,7 @@ afa6643a1a474a609f2c7446c3cf13cd89ecc3a6a0192ba967503a569512ad043f6e6fbaef1e5cc6
 4b0e6e3e335d1fc0b43740946cba423f663b5ac5076f03d65b0d2f19ef9fef2b1b6fadfd085a6828eb77f86d97161e2f8db32d001166fb0d55a8b5d141a13513  CVE-2014-9718.patch
 7b6c7ec5db298655ceb02ab977eec681e41c925e5f2e79d600197cbf6ec7a6088980f843c5b1d2488026ca921f7e6f8dd7f1b56b512d6d0cef0ac26dda3f3129  CVE-2015-1779.patch
 81485e26e30314b075a154cbce841fa3b803b70d8539a5ce00e57ec2020ab801d88c35631805811d003505dfd1909a5b70307fdbd8a192986f53143669465bd8  CVE-2015-3456.patch
+8dc68c2f511a28b0c1896b89922fab8e31dea4eefe18a69e6c068dd799cfc5a5a8b2ed8c3f5d17584932ddb9a2bf72d72fdaaf19c2129babf9a8e8f4ce150659  CVE-2015-4037.patch
 d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f  qemu-guest-agent.confd
 761b4e2397569dae45ae3bb9e46e28746275297f629af9e9065525497fd26a48b65d8abcf4282727afd35309e338967acf6a1b14c3169577bdc16c1f42e618b3  qemu-guest-agent.initd
 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules"
diff --git a/main/qemu/CVE-2015-4037.patch b/main/qemu/CVE-2015-4037.patch
new file mode 100644
index 0000000000..fb36234531
--- /dev/null
+++ b/main/qemu/CVE-2015-4037.patch
@@ -0,0 +1,50 @@
+From: Michael Tokarev <mjt@tls.msk.ru>
+Date: Thu, 28 May 2015 14:12:26 +0300
+Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb
+ config (CVE-2015-4037)
+
+In this version I used mkdtemp(3) which is:
+
+        _BSD_SOURCE
+        || /* Since glibc 2.10: */
+            (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700)
+
+(POSIX.1-2008), so should be available on systems we care about.
+
+While at it, reset the resulting directory name within smb structure
+on error so cleanup function wont try to remove directory which we
+failed to create.
+
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3)
+---
+ net/slirp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/net/slirp.c b/net/slirp.c
+index 9bbed74..3090c10 100644
+--- a/net/slirp.c
++++ b/net/slirp.c
+@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s)
+ static int slirp_smb(SlirpState* s, const char *exported_dir,
+                      struct in_addr vserver_addr)
+ {
+-    static int instance;
+     char smb_conf[128];
+     char smb_cmdline[128];
+     struct passwd *passwd;
+@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir,
+         return -1;
+     }
+ 
+-    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
+-             (long)getpid(), instance++);
+-    if (mkdir(s->smb_dir, 0700) < 0) {
++    snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX");
++    if (!mkdtemp(s->smb_dir)) {
+         error_report("could not create samba server dir '%s'", s->smb_dir);
++        s->smb_dir[0] = 0;
+         return -1;
+     }
+     snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf");
author	Natanael Copa <ncopa@alpinelinux.org>	2015-07-08 07:58:45 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2015-08-05 12:18:12 +0000
commit	a882568554dd0e1848d1891e7756d5d036ab516a (patch)
tree	694567452d81ea9224ec1632a10b543fb67a2079
parent	30e6eb8fa7fd4faaf222021010b41379f502a70d (diff)
download	aports-a882568554dd0e1848d1891e7756d5d036ab516a.tar.bz2 aports-a882568554dd0e1848d1891e7756d5d036ab516a.tar.xz