From: Baruch Siach via buildroot <buildroot@buildroot.org>
To: Clement Ramirez <ramirez.clement3@gmail.com>
Cc: Romain Naour <romain.naour@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/qemu: security bump version to 8.1.1
Date: Tue, 10 Oct 2023 10:47:38 +0300 [thread overview]
Message-ID: <874jiydiiq.fsf@tarshish> (raw)
In-Reply-To: <20231010070558.9791-1-ramirez.clement3@gmail.com>
Hi Clement,
On Tue, Oct 10 2023, Clement Ramirez wrote:
> Fixes the following CVEs :
> - CVE-2023-4135 (https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf)
> - CVE-2023-3354 (https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4)
> - CVE-2023-3180 (https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980)
>
> The changes between 8.1.0 and 8.1.1 are only limited to bug fixes:
>
> 6bb4a8a47a (v8.1.1) Update version for 8.1.1 release
> 045fa84784 tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR
> 56270e5d3d meson: Fix targetos match for illumos and Solaris.
> 60da8301fe s390x/ap: fix missing subsystem reset registration
> 8b479229ff ui: fix crash when there are no active_console
> d4919bbcc2 virtio-gpu/win32: set the destroy function on load
> cae7dc1452 target/riscv: Allocate itrigger timers only once
> 7385e00665 target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes
> 1d4fb5815c target/riscv: fix satp_mode_finalize() when satp_mode.supported = 0
> b822207513 hw/riscv: virt: Fix riscv,pmu DT node path
> 2947da750e linux-user/riscv: Use abi type for target_ucontext
> 60a7f5c8fe hw/intc: Make rtc variable names consistent
> 566dac7127 hw/intc: Fix upper/lower mtime write calculation
> 8ae20123b6 target/riscv: Fix zfa fleq.d and fltq.d
> 6c24b6000b target/riscv: Fix page_check_range use in fault-only-first
> 987e90cfd2 target/riscv/cpu.c: add zmmul isa string
> b9f83298b9 hw/char/riscv_htif: Fix the console syscall on big endian hosts
> 3d6251f416 hw/char/riscv_htif: Fix printing of console characters on big endian hosts
> 9832a670b3 arm64: Restore trapless ptimer access
> df33ce9b6d virtio: Drop out of coroutine context in virtio_load()
> eeee989f72 qxl: don't assert() if device isn't yet initialized
> 93d4107937 hw/net/vmxnet3: Fix guest-triggerable assert()
> 6356785daa docs tests: Fix use of migrate_set_parameter
> 01bf87c8e3 qemu-options.hx: Rephrase the descriptions of the -hd* and -cdrom options
> 25ec23ab3f hw/i2c/aspeed: Fix TXBUF transmission start position error
> 9dc6f05cc8 hw/i2c/aspeed: Fix Tx count and Rx size error in buffer pool mode
> d5361580ac hw/ide/ahci: fix broken SError handling
> e8f5ca57e4 hw/ide/ahci: fix ahci_write_fis_sdb()
> 4448c345bc hw/ide/ahci: PxCI should not get cleared when ERR_STAT is set
> 4fbd5a5202 hw/ide/ahci: PxSACT and PxCI is cleared when PxCMD.ST is cleared
> 16cc9594d2 hw/ide/ahci: simplify and document PxCI handling
> 1efefd13ca hw/ide/ahci: write D2H FIS when processing NCQ command
> c2e0495e3c hw/ide/core: set ERR_STAT in unsupported command completion
> f64f1f8704 target/ppc: Fix LQ, STQ register-pair order for big-endian
> 9f54fef2c0 target/ppc: Flush inputs to zero with NJ in ppc_store_vscr
> 5358980d33 hw/ppc/e500: fix broken snapshot replay
> 6864f05cb1 ppc/vof: Fix missed fields in VOF cleanup
> 0175121c6c ui/dbus: Properly dispose touch/mouse dbus objects
> e975434d62 target/i386: raise FERR interrupt with iothread locked
> e5e77f256f linux-user: Adjust brk for load_bias
> 645b87f650 target/arm: properly document FEAT_CRC32
> 86d7b08d71 block-migration: Ensure we don't crash during migration cleanup
> 5691fbf440 softmmu: Assert data in bounds in iotlb_to_section
> 441106eebb docs/about/license: Update LICENSE URL
> 63188a00bb target/arm: Fix 64-bit SSRA
> 7012e20b2d target/arm: Fix SME ST1Q
> c8e381d672 accel/kvm: Specify default IPA size for arm64
> 34808d041c kvm: Introduce kvm_arch_get_default_type hook
> 01f6417f15 include/hw/virtio/virtio-gpu: Fix virtio-gpu with blob on big endian hosts
> 14a8213b75 target/s390x: Check reserved bits of VFMIN/VFMAX's M5
> c12eddbd48 target/s390x: Fix VSTL with a large length
> 880e82ed78 target/s390x: Use a 16-bit immediate in VREP
> 5980189e96 target/s390x: Fix the "ignored match" case in VSTRS
>
> Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
> ---
> package/qemu/qemu.hash | 2 +-
> package/qemu/qemu.mk | 6 +++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash
> index 506afa8bf3..61e51a923f 100644
> --- a/package/qemu/qemu.hash
> +++ b/package/qemu/qemu.hash
> @@ -1,4 +1,4 @@
> # Locally computed, tarball verified with GPG signature
> -sha256 710c101198e334d4762eef65f649bc43fa8a5dd75303554b8acfec3eb25f0e55 qemu-8.1.0.tar.xz
> +sha256 37ce2ef5e500fb752f681117c68b45118303ea49a7e26bd54080ced54fab7def qemu-8.1.1.tar.xz
> sha256 6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100 COPYING
> sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB
> diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
> index 6aaed32336..167ae007f0 100644
> --- a/package/qemu/qemu.mk
> +++ b/package/qemu/qemu.mk
> @@ -6,7 +6,7 @@
>
> # When updating the version, check whether the list of supported targets
> # needs to be updated.
> -QEMU_VERSION = 8.1.0
> +QEMU_VERSION = 8.1.1
> QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz
> QEMU_SITE = https://download.qemu.org
> QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c
> @@ -16,6 +16,10 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
> # individual source files.
> QEMU_CPE_ID_VENDOR = qemu
>
> +QEMU_IGNORE_CVES += CVE-2023-4135
> +QEMU_IGNORE_CVES += CVE-2023-3354
> +QEMU_IGNORE_CVES += CVE-2023-3180
Provided that these CVEs are fixed with this version bump, why do we
need to ignore them?
baruch
> +
> #-------------------------------------------------------------
>
> # The build system is now partly based on Meson.
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-10-10 7:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-10 7:05 [Buildroot] [PATCH] package/qemu: security bump version to 8.1.1 Clement Ramirez
2023-10-10 7:47 ` Baruch Siach via buildroot [this message]
2023-10-10 8:41 ` Clément Ramirez
2023-10-10 8:54 ` Baruch Siach via buildroot
2023-10-10 9:15 ` Clément Ramirez
2023-11-01 16:29 ` Thomas Petazzoni via buildroot
2023-11-02 9:37 ` Clément Ramirez
2023-11-02 9:47 ` Thomas Petazzoni via buildroot
2023-11-02 9:51 ` Clément Ramirez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jiydiiq.fsf@tarshish \
--to=buildroot@buildroot.org \
--cc=baruch@tkos.co.il \
--cc=ramirez.clement3@gmail.com \
--cc=romain.naour@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.