Fetch recent CVE and packaging fixes

Bug #1872937 reported by Christian Ehrhardt  on 2020-04-15
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
qemu (Ubuntu)
Critical
Unassigned

Bug Description

[Impact]

 * Two CVE fixes from upstream and a bunch of packaging fixes from Debian
 * The only big change is in binfmt which was discussed in detail in
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866756

[Test Case]

 * Full virt regression tests were run before the upload.
   Details are in the linked Merge Proposals.

[Regression Potential]

 * The external spice-ui is already in the code but non functional, so
   adding the related .so files can't regress it from dysfunctional to less
   than that :-). It has no impact to other areas of qemu (only when the
   new arg is used).
 * placing the svg correctly has no drawback I can think of
 * the Multi-Arch change also seems safe to me.
 * the binfmt registration changes are the only ones with a potential
   regression if it turns out to not work. But it follows the guidance of
   the binfmt owner (cjwatson) and therefore should be much better by
   relying on binfmt itself then coding it in qemu itself.

[Other Info]

 * This isn't technically an SRU, but I have learned that filling these
   templates helps the release Team to accept changes while in 20.04 Freeze
   time.

---

I was made aware by mdeslaur about CVE-2020-10702 and CVE-2020-11102.

While checking for those I also realized that we should pick a few more (cherry picks only to not violate Feature Freeze).

This also includes some long term discussions/fixes that I have driven myself or tracked with Debian. Adding those would make Focal better so lets add those fixes before 20.04 release.

Related branches

CVE References

This will also complete the partial remote spice (which is a bug to be half-way added not a new feature)

The fix for binfmt is one of those long discussed/tracked one - taking it as it fixes existing functionality.

Not picking:
- openbios (feature freeze)
- slof (feature freeze)
- microvm (we have that already)

Changed in qemu (Ubuntu):
importance: Undecided → Critical
status: New → In Progress
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:4.2-3ubuntu5

---------------
qemu (1:4.2-3ubuntu5) focal; urgency=medium

  * d/p/ubuntu/lp-1871830-*: avoid crash when using QEMU_MODULE_DIR
    (LP: #1871830)
  * Security and packaging fixes (LP: #1872937)
    - arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch
    - net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch
      CVE-2020-10702
      CVE-2020-11102
    - fix external spice UI
      + install ui-spice-app.so in qemu-system-common
      + install ui-spice-app.so only if built, spice is optional
    - switch binfmt registration to use update-binfmts --[un]import (#866756)
    - qemu-system-gui: Multi-Arch=same, not foreign (#956763)
    - qemu-system-data: s/highcolor/hicolor/ (#955741)
  * d/p/ubuntu/lp-1872107*: fix migration while rebooting guests (LP: #1872107)

 -- Christian Ehrhardt <email address hidden> Wed, 15 Apr 2020 11:26:44 +0200

Changed in qemu (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers