From: Baruch Siach via buildroot <buildroot@buildroot.org>
To: Clement Ramirez <ramirez.clement3@gmail.com>
Cc: Romain Naour <romain.naour@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/qemu: security bump version to 8.1.1
Date: Tue, 10 Oct 2023 10:47:38 +0300 [thread overview]
Message-ID: <874jiydiiq.fsf@tarshish> (raw)
In-Reply-To: <20231010070558.9791-1-ramirez.clement3@gmail.com>
Hi Clement,
On Tue, Oct 10 2023, Clement Ramirez wrote:
> Fixes the following CVEs :
> - CVE-2023-4135 (https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf)
> - CVE-2023-3354 (https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4)
> - CVE-2023-3180 (https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980)
>
> The changes between 8.1.0 and 8.1.1 are only limited to bug fixes:
>
> 6bb4a8a47a (v8.1.1) Update version for 8.1.1 release
> 045fa84784 tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR
> 56270e5d3d meson: Fix targetos match for illumos and Solaris.
> 60da8301fe s390x/ap: fix missing subsystem reset registration
> 8b479229ff ui: fix crash when there are no active_console
> d4919bbcc2 virtio-gpu/win32: set the destroy function on load
> cae7dc1452 target/riscv: Allocate itrigger timers only once
> 7385e00665 target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes
> 1d4fb5815c target/riscv: fix satp_mode_finalize() when satp_mode.supported = 0
> b822207513 hw/riscv: virt: Fix riscv,pmu DT node path
> 2947da750e linux-user/riscv: Use abi type for target_ucontext
> 60a7f5c8fe hw/intc: Make rtc variable names consistent
> 566dac7127 hw/intc: Fix upper/lower mtime write calculation
> 8ae20123b6 target/riscv: Fix zfa fleq.d and fltq.d
> 6c24b6000b target/riscv: Fix page_check_range use in fault-only-first
> 987e90cfd2 target/riscv/cpu.c: add zmmul isa string
> b9f83298b9 hw/char/riscv_htif: Fix the console syscall on big endian hosts
> 3d6251f416 hw/char/riscv_htif: Fix printing of console characters on big endian hosts
> 9832a670b3 arm64: Restore trapless ptimer access
> df33ce9b6d virtio: Drop out of coroutine context in virtio_load()
> eeee989f72 qxl: don't assert() if device isn't yet initialized
> 93d4107937 hw/net/vmxnet3: Fix guest-triggerable assert()
> 6356785daa docs tests: Fix use of migrate_set_parameter
> 01bf87c8e3 qemu-options.hx: Rephrase the descriptions of the -hd* and -cdrom options
> 25ec23ab3f hw/i2c/aspeed: Fix TXBUF transmission start position error
> 9dc6f05cc8 hw/i2c/aspeed: Fix Tx count and Rx size error in buffer pool mode
> d5361580ac hw/ide/ahci: fix broken SError handling
> e8f5ca57e4 hw/ide/ahci: fix ahci_write_fis_sdb()
> 4448c345bc hw/ide/ahci: PxCI should not get cleared when ERR_STAT is set
> 4fbd5a5202 hw/ide/ahci: PxSACT and PxCI is cleared when PxCMD.ST is cleared
> 16cc9594d2 hw/ide/ahci: simplify and document PxCI handling
> 1efefd13ca hw/ide/ahci: write D2H FIS when processing NCQ command
> c2e0495e3c hw/ide/core: set ERR_STAT in unsupported command completion
> f64f1f8704 target/ppc: Fix LQ, STQ register-pair order for big-endian
> 9f54fef2c0 target/ppc: Flush inputs to zero with NJ in ppc_store_vscr
> 5358980d33 hw/ppc/e500: fix broken snapshot replay
> 6864f05cb1 ppc/vof: Fix missed fields in VOF cleanup
> 0175121c6c ui/dbus: Properly dispose touch/mouse dbus objects
> e975434d62 target/i386: raise FERR interrupt with iothread locked
> e5e77f256f linux-user: Adjust brk for load_bias
> 645b87f650 target/arm: properly document FEAT_CRC32
> 86d7b08d71 block-migration: Ensure we don't crash during migration cleanup
> 5691fbf440 softmmu: Assert data in bounds in iotlb_to_section
> 441106eebb docs/about/license: Update LICENSE URL
> 63188a00bb target/arm: Fix 64-bit SSRA
> 7012e20b2d target/arm: Fix SME ST1Q
> c8e381d672 accel/kvm: Specify default IPA size for arm64
> 34808d041c kvm: Introduce kvm_arch_get_default_type hook
> 01f6417f15 include/hw/virtio/virtio-gpu: Fix virtio-gpu with blob on big endian hosts
> 14a8213b75 target/s390x: Check reserved bits of VFMIN/VFMAX's M5
> c12eddbd48 target/s390x: Fix VSTL with a large length
> 880e82ed78 target/s390x: Use a 16-bit immediate in VREP
> 5980189e96 target/s390x: Fix the "ignored match" case in VSTRS
>
> Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
> ---
> package/qemu/qemu.hash | 2 +-
> package/qemu/qemu.mk | 6 +++++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash
> index 506afa8bf3..61e51a923f 100644
> --- a/package/qemu/qemu.hash
> +++ b/package/qemu/qemu.hash
> @@ -1,4 +1,4 @@
> # Locally computed, tarball verified with GPG signature
> -sha256 710c101198e334d4762eef65f649bc43fa8a5dd75303554b8acfec3eb25f0e55 qemu-8.1.0.tar.xz
> +sha256 37ce2ef5e500fb752f681117c68b45118303ea49a7e26bd54080ced54fab7def qemu-8.1.1.tar.xz
> sha256 6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100 COPYING
> sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB
> diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
> index 6aaed32336..167ae007f0 100644
> --- a/package/qemu/qemu.mk
> +++ b/package/qemu/qemu.mk
> @@ -6,7 +6,7 @@
>
> # When updating the version, check whether the list of supported targets
> # needs to be updated.
> -QEMU_VERSION = 8.1.0
> +QEMU_VERSION = 8.1.1
> QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz
> QEMU_SITE = https://download.qemu.org
> QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c
> @@ -16,6 +16,10 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
> # individual source files.
> QEMU_CPE_ID_VENDOR = qemu
>
> +QEMU_IGNORE_CVES += CVE-2023-4135
> +QEMU_IGNORE_CVES += CVE-2023-3354
> +QEMU_IGNORE_CVES += CVE-2023-3180
Provided that these CVEs are fixed with this version bump, why do we
need to ignore them?
baruch
> +
> #-------------------------------------------------------------
>
> # The build system is now partly based on Meson.
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-10-10 7:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-10 7:05 [Buildroot] [PATCH] package/qemu: security bump version to 8.1.1 Clement Ramirez
2023-10-10 7:47 ` Baruch Siach via buildroot [this message]
2023-10-10 8:41 ` Clément Ramirez
2023-10-10 8:54 ` Baruch Siach via buildroot
2023-10-10 9:15 ` Clément Ramirez
2023-11-01 16:29 ` Thomas Petazzoni via buildroot
2023-11-02 9:37 ` Clément Ramirez
2023-11-02 9:47 ` Thomas Petazzoni via buildroot
2023-11-02 9:51 ` Clément Ramirez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874jiydiiq.fsf@tarshish \
--to=buildroot@buildroot.org \
--cc=baruch@tkos.co.il \
--cc=ramirez.clement3@gmail.com \
--cc=romain.naour@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox