Merge pull request #594 from flyingcircusio/126583-secfix-qemu

Security: Update Qemu to 4.2.0
flyingcircusio · Jun 12, 2020 · 49de5cc · 49de5cc
2 parents 49a1269 + bcc61a9
commit 49de5cc
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 63 deletions.
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, fetchpatch, python2, zlib, pkgconfig, glib
+{ stdenv, fetchurl, fetchpatch, python, zlib, pkgconfig, glib
 , ncurses, perl, pixman, vde2, alsaLib, texinfo, flex
 , bison, lzo, snappy, libaio, gnutls, nettle, curl
 , makeWrapper
@@ -15,7 +15,7 @@
 , usbredirSupport ? spiceSupport, usbredir
 , xenSupport ? false, xen
 , cephSupport ? false, ceph
-, openGLSupport ? sdlSupport, mesa_noglu, epoxy, libdrm
+, openGLSupport ? sdlSupport, mesa, epoxy, libdrm
 , virglSupport ? openGLSupport, virglrenderer
 , smbdSupport ? false, samba
 , hostCpuOnly ? false
@@ -35,21 +35,21 @@ let
 in
 
 stdenv.mkDerivation rec {
-  version = "3.1.0";
-  name = "qemu-"
-    + stdenv.lib.optionalString xenSupport "xen-"
-    + stdenv.lib.optionalString hostCpuOnly "host-cpu-only-"
-    + stdenv.lib.optionalString nixosTestRunner "for-vm-tests-"
-    + version;
+  version = "4.2.0";
+  pname = "qemu"
+    + stdenv.lib.optionalString xenSupport "-xen"
+    + stdenv.lib.optionalString hostCpuOnly "-host-cpu-only"
+    + stdenv.lib.optionalString nixosTestRunner "-for-vm-tests";
 
   src = fetchurl {
     url = "https://wiki.qemu.org/download/qemu-${version}.tar.bz2";
-    sha256 = "08frr1fdjx8qcfh3fafn10kibdwbvkqqvfl7hpqbm7i9dg4f1zlq";
+    sha256 = "1gczv8hn3wqci86css3mhzrppp3z8vppxw25l08j589k6bvz7x1w";
   };
 
+  nativeBuildInputs = [ python python.pkgs.sphinx pkgconfig flex bison ];
   buildInputs =
-    [ python2 zlib pkgconfig glib ncurses perl pixman
-      vde2 texinfo flex bison makeWrapper lzo snappy
+    [ zlib glib ncurses perl pixman
+      vde2 texinfo makeWrapper lzo snappy
       gnutls nettle curl
     ]
     ++ optionals stdenv.isDarwin [ CoreServices Cocoa Hypervisor rez setfile ]
@@ -65,7 +65,7 @@ stdenv.mkDerivation rec {
     ++ optionals stdenv.isLinux [ alsaLib libaio libcap_ng libcap attr ]
     ++ optionals xenSupport [ xen ]
     ++ optionals cephSupport [ ceph ]
-    ++ optionals openGLSupport [ mesa_noglu epoxy libdrm ]
+    ++ optionals openGLSupport [ mesa epoxy libdrm ]
     ++ optionals virglSupport [ virglrenderer ]
     ++ optionals smbdSupport [ samba ];
 
@@ -78,25 +78,44 @@ stdenv.mkDerivation rec {
     ./fix-qemu-ga.patch
     ./9p-ignore-noatime.patch
     (fetchpatch {
-      name = "CVE-2019-3812.patch";
-      url = "https://git.qemu.org/?p=qemu.git;a=patch;h=b05b267840515730dbf6753495d5b7bd8b04ad1c";
-      sha256 = "03a5vc5wvirbyi5r8kb2r4m2w6f1zmh9bqsr2psh4pblwar0nf55";
+      name = "CVE-2019-15890.patch";
+      url = "https://git.qemu.org/?p=libslirp.git;a=patch;h=c59279437eda91841b9d26079c70b8a540d41204";
+      sha256 = "1q2rc67mfdz034mk81z9bw105x9zad7n954sy3kq068b1svrf7iy";
+      stripLen = 1;
+      extraPrefix = "slirp/";
     })
+    # patches listed at: https://nvd.nist.gov/vuln/detail/CVE-2020-7039
     (fetchpatch {
-      url = "https://git.qemu.org/?p=qemu.git;a=patch;h=d52680fc932efb8a2f334cc6993e705ed1e31e99";
-      name = "CVE-2019-12155.patch";
-      sha256 = "0h2q71mcz3gvlrbfkqcgla74jdg73hvzcrwr4max2ckpxx8x9207";
+      name = "CVE-2020-7039-1.patch";
+      url = "https://git.qemu.org/?p=libslirp.git;a=patch;h=2655fffed7a9e765bcb4701dd876e9dab975f289";
+      sha256 = "1jh0k3lg3553c2x1kq1kl3967jabhba5gm584wjpmr5mjqk3lnz1";
+      stripLen = 1;
+      extraPrefix = "slirp/";
+      excludes = ["slirp/CHANGELOG.md"];
     })
     (fetchpatch {
-      url = "https://sources.debian.org/data/main/q/qemu/1:3.1+dfsg-8+deb10u2/debian/patches/slirp-fix-heap-overflow-in-ip_reass-on-big-packet-input-CVE-2019-14378.patch";
-      sha256 = "1yf7cw4ajiy9pwjfscxyfmmbawpk3rkd046y6fd6h4zpf4cc2fn5";
+      name = "CVE-2020-7039-2.patch";
+      url = "https://git.qemu.org/?p=libslirp.git;a=patch;h=82ebe9c370a0e2970fb5695aa19aa5214a6a1c80";
+      sha256 = "08ccxcmrhzknnzd1a1q2brszv3a7h02n26r73kpli10b0hn12r2l";
+      stripLen = 1;
+      extraPrefix = "slirp/";
     })
     (fetchpatch {
-      url = "https://sources.debian.org/data/main/q/qemu/1:3.1+dfsg-8+deb10u2/debian/patches/qemu-bridge-helper-restrict-interface-name-to-IFNAMSIZ-CVE-2019-13164.patch";
-      sha256 = "1ypcdlpg3nap0kg9xkrgrqw33j5ah4j7l4i2cp6d5ap8vrw9nn3l";
+      name = "CVE-2020-7039-3.patch";
+      url = "https://git.qemu.org/?p=libslirp.git;a=patch;h=ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9";
+      sha256 = "18ypj9an2jmsmdn58853rbz42r10587h7cz5fdws2x4635778ibd";
+      stripLen = 1;
+      extraPrefix = "slirp/";
+    })
+    # patches listed at: https://nvd.nist.gov/vuln/detail/CVE-2020-7211
+    (fetchpatch {
+      name = "CVE-2020-7211.patch";
+      url = "https://git.qemu.org/?p=libslirp.git;a=patch;h=14ec36e107a8c9af7d0a80c3571fe39b291ff1d4";
+      sha256 = "1lc8zabqs580iqrsr5k7zwgkx6qjmja7apwfbc36lkvnrxwfzmrc";
+      stripLen = 1;
+      extraPrefix = "slirp/";
     })
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch
-    ++ optional pulseSupport ./fix-hda-recording.patch
     ++ optionals stdenv.hostPlatform.isMusl [
     (fetchpatch {
       url = https://raw.githubusercontent.com/alpinelinux/aports/2bb133986e8fa90e2e76d53369f03861a87a74ef/main/qemu/xattr_size_max.patch;
@@ -125,6 +144,7 @@ stdenv.mkDerivation rec {
     [ "--audio-drv-list=${audio}"
       "--sysconfdir=/etc"
       "--localstatedir=/var"
+      "--enable-docs"
     ]
     # disable sysctl check on darwin.
     ++ optional stdenv.isDarwin "--cpu=x86_64"

diff --git a/pkgs/applications/virtualization/qemu/fix-hda-recording.patch b/pkgs/applications/virtualization/qemu/fix-hda-recording.patch
diff --git a/pkgs/applications/virtualization/qemu/no-etc-install.patch b/pkgs/applications/virtualization/qemu/no-etc-install.patch
@@ -1,10 +1,12 @@
+diff --git a/Makefile b/Makefile
 --- a/Makefile
 +++ b/Makefile
-@@ -597,7 +597,7 @@
+@@ -867,7 +867,7 @@ install-includedir:
+ 	$(INSTALL_DIR) "$(DESTDIR)$(includedir)"
 
-
--install: all $(if $(BUILD_DOCS),install-doc) install-datadir install-localstatedir
-+install: all $(if $(BUILD_DOCS),install-doc) install-datadir
+ install: all $(if $(BUILD_DOCS),install-doc) \
+-	install-datadir install-localstatedir install-includedir \
++	install-datadir install-includedir \
+ 	$(if $(INSTALL_BLOBS),$(edk2-decompressed)) \
+ 	recurse-install
  ifneq ($(TOOLS),)
-	$(call install-prog,$(subst qemu-ga,qemu-ga$(EXESUF),$(TOOLS)),$(DESTDIR)$(bindir))
- endif
diff --git a/pkgs/applications/virtualization/qemu/utils.nix b/pkgs/applications/virtualization/qemu/utils.nix
@@ -0,0 +1,16 @@
+{ stdenv, qemu }:
+
+stdenv.mkDerivation rec {
+  name = "qemu-utils-${version}";
+  version = qemu.version;
+
+  buildInputs = [ qemu ];
+  unpackPhase = "true";
+
+  installPhase = ''
+    mkdir -p "$out/bin"
+    cp "${qemu}/bin/qemu-img" "$out/bin/qemu-img"
+    cp "${qemu}/bin/qemu-io"  "$out/bin/qemu-io"
+    cp "${qemu}/bin/qemu-nbd" "$out/bin/qemu-nbd"
+  '';
+}