This bug was fixed in the package qemu - 1:5.1+dfsg-4ubuntu1

---------------
qemu (1:5.1+dfsg-4ubuntu1) hirsute; urgency=medium

  * Merge with Debian testing, remaining changes:
    Fixes qemu-arm-static Assertion `guest_base != 0' failed (LP: #1897854)
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions for
        host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
      [includes compat links changes of 5.0-5ubuntu4]
    - allow qemu to load old modules post upgrade (LP 1847361)
      - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects
        on upgrade
      - d/rules: generate maintainer scripts matching package version on build
      - d/rules: enable --enable-module-upgrades where --enable-modules is set
    - d/control: regenerate debian/control out of control-in
  * Dropped changes [in Debian or no more needed]
    - d/control-in: disable pmem on ppc64 as it is currently considered
      experimental on that architecture (pmdk v1.8-1)
    - d/rules: makefile definitions can't be recursive - sys_systems for s390x
    - d/rules: report config log from the correct subdir
    - d/control-in: disable rbd support unavailable on riscv (LP: 1872931)
    - Pick further changes for groovy from debian/master since 5.0-5
      - ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
      - revert-memory-accept-mismatching-sizes-in-memory_region_access_...patch
      - exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      - megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      - megasas-use-unsigned-type-for-positive-numeric-fields.patch
      - megasas-fix-possible-out-of-bounds-array-access.patch
      - nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
      - es1370-check-total-frame-count-against-current-...-CVE-2020-13361.patch
      - a few patches from the stable series:
        - fix-tulip-breakage.patch
        - 9p-lock-directory-streams-with-a-CoMutex.patch
          Prevent deadlocks in 9pfs readdir code
        - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
          Fix newline accidentally sneaked into id string of a nic
        - qemu-nbd-close-inherited-stderr.patch
        - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
        - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
        - virtio-balloon-unref-the-iothread-when-unrealizing.patch
      - acpi-tmr-allow-2-byte-reads.patch
      - reapply CVE-2020-13253 fixes from upstream
      - linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
      - linux-user-add-netlink-RTM_SETLINK-command.patch
      - d/control: since qemu-system-data now contains module(s), it can't be
        multi-arch. Ditto for qemu-block-extra.
      - qemu-system-foo: depend on exact version of qemu-system-data, due to
        the latter having modules
      - acpi-allow-accessing-acpi-cnt-register-by-byte.patch
        This is another incarnation of the recent bugfix which actually
        enabled memory access constraints, like #964247
      - acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
        this replaces acpi-allow-accessing-acpi-cnt-register-by-byte.patch
        and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
      - xhci-fix-valid.max_access_size-to-access-address-registers.patch
        fix one more incarnation of the breakage after the CVE-2020-13754 fix
      - do not install outdated (0.12 and before) Changelog
      - xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
        ARM-only XGMAC NIC, possible buffer overflow during packet transmission
        Closes: CVE-2020-15863
      - sm501 OOB read/write due to integer overflow in sm501_2d_operation()
      - riscv-allow-64-bit-access-to-SiFive-CLINT.patch
        another fix for revert-memory-accept-.. CVE-2020-13754
      - seabios-hppa-fno-ipa-sra.patch fix ftbfs with gcc-10
      - d/control-in: build-dep libcap is no more needed
    - arch aware kvm wrappers [upstream now automatically enables KVM if
      available and called with kvm* name, provides KVM as before but with
      auto-fallback to tcg. Former behavior of KVM-or-die can be achieved
      via -machine accel=kvm ]
  * Dropped changes [upstream now]
    - d/p/u/usb-fix-setup_len-init-CVE-2020-14364.patch: sanity check usb setup_len
    - d/p/u/lp-1887930-*: Enable Channel Path Handling for vfio-ccw (LP 1887930)
    - d/p/u/lp-1894942-*: fix virtio-ccw host/guest notification (LP 1894942)
    - d/p/ubuntu/lp-1887935-vfio-ccw-allow-non-prefetch-ORBs.patch: fix boot
      from vfio-ccw (LP 1887935)
    - fix qemu-user-static initialization to allow executing systemd (LP 1890881)
    - fix assertion failure in net_tx_pkt_add_raw_fragment (LP 1891187)
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
      SQXBR (LP 1883984)
    - d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP 1890154)
    - d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
      environments (LP 1887763)
    - d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP 1835546)
    - debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
      crashes it on shutdown (LP 1878973)
    - update d/p/ubuntu/lp-1835546-* to the final versions
    - d/p/ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch: fix FTBFS in groovy
  * Added Changes:
    - update ubuntu machine types for hirsute@5.1
    - d/control: regenerated from d/control-in
    - d/control, d/rules: build with gcc-9 on armhf as workaround until
      resolved in gcc-10 (LP: 1890435)

qemu (1:5.1+dfsg-4) unstable; urgency=high

  * mention closing of CVE-2020-16092 by 5.1
  * usb-fix-setup_len-init-CVE-2020-14364.patch
    Closes: #968947, CVE-2020-14364 (OOB r/w access in USB emulation)

qemu (1:5.1+dfsg-3) unstable; urgency=medium

  * fix one more issue in last upload.
    This is what happens when you do "obvious" stuff in a hurry without
    proper testing..

qemu (1:5.1+dfsg-2) unstable; urgency=medium

  * fix brown-paper bag bug in last upload

qemu (1:5.1+dfsg-1) unstable; urgency=medium

  * hw-display-qxl.so depends on spice so install it only if it is built
    just like ui-spice-app
  * note #931046 for libfdt

qemu (1:5.1+dfsg-0exp1) experimental; urgency=medium

  * new upstream release 5.1.0. Make source DFSG-clean again
    Closes: #968088
    Closes: CVE-2020-16092 (net_tx_pkt_add_raw_fragment in e1000e & vmxnet3)
  * remove all patches which are applied upstream
  * do not install non-existing doc/qemu/*-ref.*
  * qemu-pr-helper is now in /usr/lib/qemu not /usr/bin
  * virtfs-proxy-helper is in /usr/lib/qemu now, not /usr/bin
  * new architecture: qemu-system-avr
  * refresh d/get-orig-source.sh
  * d/get-orig-source.sh: report already removed files in dfsg-clean
  * install common modules in qemu-system-common
  * lintian tag renamed: shared-lib-without-dependency-information to
    shared-library-lacks-prerequisites

qemu (1:5.0-14) unstable; urgency=high

  * this is a bugfix release before breaking toys with the new upstream
  * riscv-allow-64-bit-access-to-SiFive-CLINT.patch
    (another fix for revert-memory-accept-..-CVE-2020-13754)
  * install /usr/lib/*/qemu/ui-curses.so in qemu-system-common
    Closes: #966517

qemu (1:5.0-13) unstable; urgency=medium

  * seabios-hppa-fno-ipa-sra.patch fix ftbfs with gcc-10

qemu (1:5.0-12) unstable; urgency=medium

  * acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
    this replaces acpi-allow-accessing-acpi-cnt-register-by-byte.patch
    and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
  * xhci-fix-valid.max_access_size-to-access-address-registers.patch
    fix one more incarnation of the breakage after the CVE-2020-13754 fix
  * do not install outdated (0.12 and before) Changelog (Closes: #965381)
  * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
    ARM-only XGMAC NIC, possible buffer overflow during packet transmission
    Closes: CVE-2020-15863
  * sm501 OOB read/write due to integer overflow in sm501_2d_operation()
    List of patches:
     sm501-convert-printf-abort-to-qemu_log_mask.patch
     sm501-shorten-long-variable-names-in-sm501_2d_operation.patch
     sm501-use-BIT-macro-to-shorten-constant.patch
     sm501-clean-up-local-variables-in-sm501_2d_operation.patch
     sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
    Closes: #961451, CVE-2020-12829

qemu (1:5.0-11) unstable; urgency=high

  * d/control-in: only enable opengl (libdrm&Co) on linux
  * d/control-in: spice: drop versioned deps (even jessie version is enough),
    drop libspice-protocol-dev (automatically pulled by libspice-server-dev),
    and build on more architectures
  * change from debhelper versioned dependency to debhelper-compat (=12)
  * acpi-allow-accessing-acpi-cnt-register-by-byte.patch (Closes: #964793)
    This is another incarnation of the recent bugfix which actually
    enabled memory access constraints, like #964247
    Urgency = high due to this issue.

qemu (1:5.0-10) unstable; urgency=medium

  * fix the wrong $(if) construct for s390x kvm link (FTBFS on s390x)
  * use the same $(if) construct to simplify #ifdeffery

qemu (1:5.0-9) unstable; urgency=medium

  * move kvm executable/script from qemu-kvm to qemu-system-foo,
    make it multi-arch, and remove qemu-kvm package
  * remove libcacard leftovers from d/.gitignore
  * linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
    (Closes: #965109)
  * linux-user-add-netlink-RTM_SETLINK-command.patch (Closes: #964289)
  * libudev is linux-specific, do not build-depend on it on kfreebsd and others
  * install virtiofsd in d/rules (!sparc64) instead of
    d/qemu-system-common.install (fixes FTBFS on sparc64)
  * confirm -static-pie not working today still
  * d/control: since qemu-system-data now contains module(s), it can't be
    multi-arch. Ditto for qemu-block-extra.
  * qemu-system-foo: depend on exact version of qemu-system-data, due to
    the latter having modules
  * build all modules since there are modules anyway, no need to hack them
    in d/rules
  * fix spelling in a patch name/subject in last upload
  * d/rules: do not use dh_install and dh_movefiles for individual pkgs,
    open-code mkdir+cp/mv, b/c dh_install acts on all files listed in
    d/foo.install too, in addition to given on command-line
  * remove trailing whitespace from d/changelog

qemu (1:5.0-8) unstable; urgency=medium

  * d/control: rdma is linux-only, do not enable it on kfreebsd & hurd
  * add comment about virtiofsd conditional to d/qemu-system-common.install
    Now qemu FTBFS on sparc64 since virtiofsd is not built due to missing
    seccomp on that platform, we should either make virtiofsd conditional
    (!sparc64) or fix seccomp on sparc64 and build-depend on it
  * openbios-use-source_date_epoch-in-makefile.patch (Closes: #963466)
  * seabios-hppa-use-consistant-date-and-remove-hostname.patch (Closes: #963467)
  * slof-remove-user-and-host-from-release-version.patch (Closes: #963472)
  * slof-ensure-ld-is-called-with-C-locale.patch (Closes: #963470)
  * update previous changelog, mention #945997
  * reapply CVE-2020-13253 fixes from upstream:
    sdcard-simplify-realize-a-bit.patch (preparation for the next patch)
    sdcard-dont-allow-invalid-SD-card-sizes.patch (half part of CVE-2020-13253)
    sdcard-update-coding-style-to-make-checkpatch-happy.patch (preparational)
    sdcard-dont-switch-to-ReceivingData-if-address-is-in..-CVE-2020-13253.patch
    Closes: #961297, CVE-2020-13253

qemu (1:5.0-7) unstable; urgency=medium

  * Revert "d/rules: report config log from the correct subdir - base build"
  * Revert "d/rules: report config log from the correct subdir - microvm build"
  * acpi-tmr-allow-2-byte-reads.patch (Closes: #964247)
  * remove sdcard-dont-switch-to-ReceivingData-if-add...-CVE-2020-13253.patch -
    upstream decided to fix it differently (Reopens: #961297, CVE-2020-13253)
  * explicitly specify --enable-tools on hppa and do the same trick with
    --enable-tcg-interpreter --enable-tools on a few other unsupported arches
    (Closes: #964372, #945997)

qemu (1:5.0-6) unstable; urgency=medium

  [ Christian Ehrhardt ]
  * d/control-in: disable pmem on ppc64 as it is currently considered
    experimental on that architecture
  * d/rules: makefile definitions can't be recursive - sys_systems for s390x
  * d/rules: report config log from the correct subdir - base build
  * d/rules: report config log from the correct subdir - microvm build
  * d/control-in: disable rbd support unavailable on riscv
  * fix assert in qemu guest agent that crashes on shutdown (LP: #1878973)
  * d/control-in: build-dep libcap is no more needed
  * d/rules: update -spice compat (Ubuntu only)

  [ Michael Tokarev ]
  * save block modules on upgrades (LP: #1847361)
    After upgrade a still running qemu of a former version can't load the
    new modules e.g. for extended storage support. Qemu 5.0 has the code to
    allow defining a path that it will load these modules from.
  * ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
    Closes: CVE-2020-13800, ati-vga allows guest OS users to trigger infinite
    recursion via a crafted mm_index value during ati_mm_read or ati_mm_write call.
  * revert-memory-accept-mismatching-sizes-in-memory_region_access_valid...patch
    Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
    devices which use min_access_size and max_access_size Memory API fields.
    Also closes: CVE-2020-13791
  * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
    CVE-2020-13659: address_space_map in exec.c can trigger a NULL pointer
    dereference related to BounceBuffer
  * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
    Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
    has an OOB read via a crafted reply_queue_head field from a guest OS user
  * megasas-use-unsigned-type-for-positive-numeric-fields.patch
    fix other possible cases like in CVE-2020-13362 (#961887)
  * megasas-fix-possible-out-of-bounds-array-access.patch
    Some tracepoints use a guest-controlled value as an index into the
    mfi_frame_desc[] array. Thus a malicious guest could cause very low
    impact OOB errors here
  * nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
    Closes: CVE-2020-10761, An assertion failure issue in the QEMU NBD Server.
    This flaw occurs when an nbd-client sends a spec-compliant request that is
    near the boundary of maximum permitted request length. A remote nbd-client
    could use this flaw to crash the qemu-nbd server resulting in a DoS.
  * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
    Closes: CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c does
    not properly validate the frame count, which allows guest OS users to
    trigger an out-of-bounds access during an es1370_write() operation
  * sdcard-dont-switch-to-ReceivingData-if-address-is-in...-CVE-2020-13253.patch
    CVE-2020-13253: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated
    address, which leads to an out-of-bounds read during sdhci_write()
    operations. A guest OS user can crash the QEMU process.
    And a preparational patch, sdcard-update-coding-style-to-make-checkpatch-happy.patch
  * a few patches from the stable series:
    - fix-tulip-breakage.patch
      The tulip network driver in a qemu-system-hppa emulation is broken in
      the sense that bigger network packages aren't received any longer and
      thus even running e.g. "apt update" inside the VM fails. Fix this.
    - 9p-lock-directory-streams-with-a-CoMutex.patch
      Prevent deadlocks in 9pfs readdir code
    - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
      Fix newline accidentally sneaked into id string of a nic
    - qemu-nbd-close-inherited-stderr.patch
    - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
    - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
    - virtio-balloon-unref-the-iothread-when-unrealizing.patch

  [ Aurelien Jarno ]
  * Remove myself from maintainers

 -- Christian Ehrhardt
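The practical question behind a "fixed in 1:5.1+dfsg-4ubuntu1" notice is whether the qemu actually installed on a host sorts at or after that version. A plain string compare gets this wrong (for example "1:5.1+dfsg-10" must sort after "-9", and "1:5.1+dfsg-4ubuntu1~20.10.1" must sort before "-4ubuntu1"), so the comparison has to follow dpkg's ordering: epoch first, then upstream version, then Debian revision, each string walked as alternating non-digit and digit runs with "~" sorting below even end-of-string. The Python below is an added example (not from this page, the qemu project or the Debian/Ubuntu packaging): it reimplements that ordering, parses changelog entry headers in the format used above, maps each CVE id to the oldest entry that names it, and reports which CVEs an installed version still lacks. The changelog excerpt embedded in it is copied, abbreviated, from entries on this page.

```python
# Added example: dpkg-style version ordering plus a scan of a Debian changelog
# for CVE ids, to answer "is my installed qemu at or past the fixed version?"
import re


def _order(ch):
    # dpkg weights for a non-digit run: end of string is 0, '~' sorts below it
    # (so 1~rc1 < 1), letters sort by code point, other symbols after all letters.
    if ch is None or ch.isdigit():
        return 0
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream or revision) like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: strip leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0": i += 1
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is ''."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as `dpkg --compare-versions` does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Debian changelog entry header: "pkg (version) distribution; urgency=level"
_HEADER = re.compile(r"^(\S+) \(([^)]+)\) [^;]+; urgency=\S+", re.M)
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def first_fixed_versions(changelog):
    """Map each CVE id to the oldest changelog version whose entry names it.
    Heuristic: an entry may only mention a CVE, or reopen one (as the 5.0-7
    entry on this page does), so read the entry text before trusting a result."""
    headers = list(_HEADER.finditer(changelog))
    fixed = {}
    for n, h in enumerate(headers):
        end = headers[n + 1].start() if n + 1 < len(headers) else len(changelog)
        version = h.group(2)
        for cve in set(_CVE.findall(changelog[h.end():end])):
            if cve not in fixed or compare_versions(version, fixed[cve]) < 0:
                fixed[cve] = version
    return fixed


def unfixed_cves(changelog, installed):
    """CVE ids from the changelog whose fixing version is newer than `installed`."""
    return sorted(c for c, v in first_fixed_versions(changelog).items()
                  if compare_versions(installed, v) < 0)


# Excerpt copied (abbreviated) from the changelog entries on this page.
SAMPLE_CHANGELOG = """\
qemu (1:5.1+dfsg-4) unstable; urgency=high
  * mention closing of CVE-2020-16092 by 5.1
  * usb-fix-setup_len-init-CVE-2020-14364.patch
    Closes: #968947, CVE-2020-14364 (OOB r/w access in USB emulation)
qemu (1:5.1+dfsg-0exp1) experimental; urgency=medium
  * new upstream release 5.1.0.
    Closes: CVE-2020-16092 (net_tx_pkt_add_raw_fragment in e1000e & vmxnet3)
qemu (1:5.0-12) unstable; urgency=medium
  * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
    Closes: CVE-2020-15863
"""

if __name__ == "__main__":
    installed = "1:5.0-12"  # substitute the output of dpkg-query (see note below)
    verdict = "fixed" if compare_versions(installed, "1:5.1+dfsg-4ubuntu1") >= 0 else "NOT fixed"
    print(installed, verdict, "still open:", unfixed_cves(SAMPLE_CHANGELOG, installed))
```

On a real host, feed it the installed string from `dpkg-query -W -f='${Version}' qemu-system-x86` (or whichever qemu binary package is installed) and the full changelog from `/usr/share/doc/qemu-system-common/changelog.Debian.gz`; `dpkg --compare-versions A lt B` is the reference implementation to cross-check any result that looks surprising.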