
package/qemu: security bump version to 8.1.1

Message ID 20231010070558.9791-1-ramirez.clement3@gmail.com
State Superseded

Commit Message

Clément Ramirez Oct. 10, 2023, 7:05 a.m. UTC
Fixes the following CVEs:
    - CVE-2023-4135 (https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf)
    - CVE-2023-3354 (https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4)
    - CVE-2023-3180 (https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980)

The changes between 8.1.0 and 8.1.1 are only limited to bug fixes:

6bb4a8a47a (v8.1.1) Update version for 8.1.1 release
045fa84784 tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR
56270e5d3d meson: Fix targetos match for illumos and Solaris.
60da8301fe s390x/ap: fix missing subsystem reset registration
8b479229ff ui: fix crash when there are no active_console
d4919bbcc2 virtio-gpu/win32: set the destroy function on load
cae7dc1452 target/riscv: Allocate itrigger timers only once
7385e00665 target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes
1d4fb5815c target/riscv: fix satp_mode_finalize() when satp_mode.supported = 0
b822207513 hw/riscv: virt: Fix riscv,pmu DT node path
2947da750e linux-user/riscv: Use abi type for target_ucontext
60a7f5c8fe hw/intc: Make rtc variable names consistent
566dac7127 hw/intc: Fix upper/lower mtime write calculation
8ae20123b6 target/riscv: Fix zfa fleq.d and fltq.d
6c24b6000b target/riscv: Fix page_check_range use in fault-only-first
987e90cfd2 target/riscv/cpu.c: add zmmul isa string
b9f83298b9 hw/char/riscv_htif: Fix the console syscall on big endian hosts
3d6251f416 hw/char/riscv_htif: Fix printing of console characters on big endian hosts
9832a670b3 arm64: Restore trapless ptimer access
df33ce9b6d virtio: Drop out of coroutine context in virtio_load()
eeee989f72 qxl: don't assert() if device isn't yet initialized
93d4107937 hw/net/vmxnet3: Fix guest-triggerable assert()
6356785daa docs tests: Fix use of migrate_set_parameter
01bf87c8e3 qemu-options.hx: Rephrase the descriptions of the -hd* and -cdrom options
25ec23ab3f hw/i2c/aspeed: Fix TXBUF transmission start position error
9dc6f05cc8 hw/i2c/aspeed: Fix Tx count and Rx size error in buffer pool mode
d5361580ac hw/ide/ahci: fix broken SError handling
e8f5ca57e4 hw/ide/ahci: fix ahci_write_fis_sdb()
4448c345bc hw/ide/ahci: PxCI should not get cleared when ERR_STAT is set
4fbd5a5202 hw/ide/ahci: PxSACT and PxCI is cleared when PxCMD.ST is cleared
16cc9594d2 hw/ide/ahci: simplify and document PxCI handling
1efefd13ca hw/ide/ahci: write D2H FIS when processing NCQ command
c2e0495e3c hw/ide/core: set ERR_STAT in unsupported command completion
f64f1f8704 target/ppc: Fix LQ, STQ register-pair order for big-endian
9f54fef2c0 target/ppc: Flush inputs to zero with NJ in ppc_store_vscr
5358980d33 hw/ppc/e500: fix broken snapshot replay
6864f05cb1 ppc/vof: Fix missed fields in VOF cleanup
0175121c6c ui/dbus: Properly dispose touch/mouse dbus objects
e975434d62 target/i386: raise FERR interrupt with iothread locked
e5e77f256f linux-user: Adjust brk for load_bias
645b87f650 target/arm: properly document FEAT_CRC32
86d7b08d71 block-migration: Ensure we don't crash during migration cleanup
5691fbf440 softmmu: Assert data in bounds in iotlb_to_section
441106eebb docs/about/license: Update LICENSE URL
63188a00bb target/arm: Fix 64-bit SSRA
7012e20b2d target/arm: Fix SME ST1Q
c8e381d672 accel/kvm: Specify default IPA size for arm64
34808d041c kvm: Introduce kvm_arch_get_default_type hook
01f6417f15 include/hw/virtio/virtio-gpu: Fix virtio-gpu with blob on big endian hosts
14a8213b75 target/s390x: Check reserved bits of VFMIN/VFMAX's M5
c12eddbd48 target/s390x: Fix VSTL with a large length
880e82ed78 target/s390x: Use a 16-bit immediate in VREP
5980189e96 target/s390x: Fix the "ignored match" case in VSTRS

Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
---
 package/qemu/qemu.hash | 2 +-
 package/qemu/qemu.mk   | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

Comments

Baruch Siach Oct. 10, 2023, 7:47 a.m. UTC | #1
Hi Clement,

On Tue, Oct 10 2023, Clement Ramirez wrote:
> Fixes the following CVEs:
>     - CVE-2023-4135 (https://gitlab.com/qemu-project/qemu/-/commit/ecb1b7b082d3b7dceff0e486a114502fc52c0fdf)
>     - CVE-2023-3354 (https://gitlab.com/qemu-project/qemu/-/commit/10be627d2b5ec2d6b3dce045144aa739eef678b4)
>     - CVE-2023-3180 (https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980)
>
> The changes between 8.1.0 and 8.1.1 are only limited to bug fixes:
>
> 6bb4a8a47a (v8.1.1) Update version for 8.1.1 release
> 045fa84784 tpm: fix crash when FD >= 1024 and unnecessary errors due to EINTR
> 56270e5d3d meson: Fix targetos match for illumos and Solaris.
> 60da8301fe s390x/ap: fix missing subsystem reset registration
> 8b479229ff ui: fix crash when there are no active_console
> d4919bbcc2 virtio-gpu/win32: set the destroy function on load
> cae7dc1452 target/riscv: Allocate itrigger timers only once
> 7385e00665 target/riscv/pmp.c: respect mseccfg.RLB for pmpaddrX changes
> 1d4fb5815c target/riscv: fix satp_mode_finalize() when satp_mode.supported = 0
> b822207513 hw/riscv: virt: Fix riscv,pmu DT node path
> 2947da750e linux-user/riscv: Use abi type for target_ucontext
> 60a7f5c8fe hw/intc: Make rtc variable names consistent
> 566dac7127 hw/intc: Fix upper/lower mtime write calculation
> 8ae20123b6 target/riscv: Fix zfa fleq.d and fltq.d
> 6c24b6000b target/riscv: Fix page_check_range use in fault-only-first
> 987e90cfd2 target/riscv/cpu.c: add zmmul isa string
> b9f83298b9 hw/char/riscv_htif: Fix the console syscall on big endian hosts
> 3d6251f416 hw/char/riscv_htif: Fix printing of console characters on big endian hosts
> 9832a670b3 arm64: Restore trapless ptimer access
> df33ce9b6d virtio: Drop out of coroutine context in virtio_load()
> eeee989f72 qxl: don't assert() if device isn't yet initialized
> 93d4107937 hw/net/vmxnet3: Fix guest-triggerable assert()
> 6356785daa docs tests: Fix use of migrate_set_parameter
> 01bf87c8e3 qemu-options.hx: Rephrase the descriptions of the -hd* and -cdrom options
> 25ec23ab3f hw/i2c/aspeed: Fix TXBUF transmission start position error
> 9dc6f05cc8 hw/i2c/aspeed: Fix Tx count and Rx size error in buffer pool mode
> d5361580ac hw/ide/ahci: fix broken SError handling
> e8f5ca57e4 hw/ide/ahci: fix ahci_write_fis_sdb()
> 4448c345bc hw/ide/ahci: PxCI should not get cleared when ERR_STAT is set
> 4fbd5a5202 hw/ide/ahci: PxSACT and PxCI is cleared when PxCMD.ST is cleared
> 16cc9594d2 hw/ide/ahci: simplify and document PxCI handling
> 1efefd13ca hw/ide/ahci: write D2H FIS when processing NCQ command
> c2e0495e3c hw/ide/core: set ERR_STAT in unsupported command completion
> f64f1f8704 target/ppc: Fix LQ, STQ register-pair order for big-endian
> 9f54fef2c0 target/ppc: Flush inputs to zero with NJ in ppc_store_vscr
> 5358980d33 hw/ppc/e500: fix broken snapshot replay
> 6864f05cb1 ppc/vof: Fix missed fields in VOF cleanup
> 0175121c6c ui/dbus: Properly dispose touch/mouse dbus objects
> e975434d62 target/i386: raise FERR interrupt with iothread locked
> e5e77f256f linux-user: Adjust brk for load_bias
> 645b87f650 target/arm: properly document FEAT_CRC32
> 86d7b08d71 block-migration: Ensure we don't crash during migration cleanup
> 5691fbf440 softmmu: Assert data in bounds in iotlb_to_section
> 441106eebb docs/about/license: Update LICENSE URL
> 63188a00bb target/arm: Fix 64-bit SSRA
> 7012e20b2d target/arm: Fix SME ST1Q
> c8e381d672 accel/kvm: Specify default IPA size for arm64
> 34808d041c kvm: Introduce kvm_arch_get_default_type hook
> 01f6417f15 include/hw/virtio/virtio-gpu: Fix virtio-gpu with blob on big endian hosts
> 14a8213b75 target/s390x: Check reserved bits of VFMIN/VFMAX's M5
> c12eddbd48 target/s390x: Fix VSTL with a large length
> 880e82ed78 target/s390x: Use a 16-bit immediate in VREP
> 5980189e96 target/s390x: Fix the "ignored match" case in VSTRS
>
> Signed-off-by: Clement Ramirez <ramirez.clement3@gmail.com>
> ---
>  package/qemu/qemu.hash | 2 +-
>  package/qemu/qemu.mk   | 6 +++++-
>  2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash
> index 506afa8bf3..61e51a923f 100644
> --- a/package/qemu/qemu.hash
> +++ b/package/qemu/qemu.hash
> @@ -1,4 +1,4 @@
>  # Locally computed, tarball verified with GPG signature
> -sha256  710c101198e334d4762eef65f649bc43fa8a5dd75303554b8acfec3eb25f0e55  qemu-8.1.0.tar.xz
> +sha256  37ce2ef5e500fb752f681117c68b45118303ea49a7e26bd54080ced54fab7def  qemu-8.1.1.tar.xz
>  sha256  6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100  COPYING
>  sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
> diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
> index 6aaed32336..167ae007f0 100644
> --- a/package/qemu/qemu.mk
> +++ b/package/qemu/qemu.mk
> @@ -6,7 +6,7 @@
>  
>  # When updating the version, check whether the list of supported targets
>  # needs to be updated.
> -QEMU_VERSION = 8.1.0
> +QEMU_VERSION = 8.1.1
>  QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz
>  QEMU_SITE = https://download.qemu.org
>  QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c
> @@ -16,6 +16,10 @@ QEMU_LICENSE_FILES = COPYING COPYING.LIB
>  #       individual source files.
>  QEMU_CPE_ID_VENDOR = qemu
>  
> +QEMU_IGNORE_CVES += CVE-2023-4135
> +QEMU_IGNORE_CVES += CVE-2023-3354
> +QEMU_IGNORE_CVES += CVE-2023-3180

Provided that these CVEs are fixed with this version bump, why do we
need to ignore them?

baruch

> +
>  #-------------------------------------------------------------
>  
>  # The build system is now partly based on Meson.
Clément Ramirez Oct. 10, 2023, 8:41 a.m. UTC | #2
Hi Baruch,

> Provided that these CVEs are fixed with this version bump, why do we
> need to ignore them?

When I don't ignore the CVEs fixed with the version bump, the
pkg-stats tool keeps displaying them.
I think it's because the CPE database has no entries for the qemu 8.1.1 version
and therefore does not know which CVEs are fixed in this specific version.
Clément
Baruch Siach Oct. 10, 2023, 8:54 a.m. UTC | #3
Hi Clément,

On Tue, Oct 10 2023, Clément Ramirez wrote:
>> Provided that these CVEs are fixed with this version bump, why do we
>> need to ignore them?
>
> When I don't ignore the CVEs fixed with the version bump, the
> pkg-stats tool keeps displaying them.
> I think it's because the CPE database has no entries for the qemu 8.1.1 version
> and therefore does not know which CVEs are fixed in this specific version.

This is something that should be fixed in the CPE database.

In the meantime there should be a comment that explains why we ignore
these CVEs even though they do not actually affect the current package
version.

baruch
Clément Ramirez Oct. 10, 2023, 9:15 a.m. UTC | #4
Hi Baruch,

> This is something that should be fixed in the CPE database.
>
> In the mean time there should be a comment that explains why we ignore
> these CVEs even though they do not actually affect the current package
> version.

I will try to find a way to add an entry in the CPE database, and add a
comment to explain why we are ignoring these CVEs.

Thanks for your feedback,
Clément
Thomas Petazzoni Nov. 1, 2023, 4:29 p.m. UTC | #5
Hello Clément,

Always happy to see some patches from you on Buildroot! :-)

On Tue, 10 Oct 2023 11:15:13 +0200
Clément Ramirez <ramirez.clement3@gmail.com> wrote:

> I will try to find a way to add an entry in the CPE database, and add a
> comment to explain why we are ignoring these CVEs.

In the end, did you send an e-mail to the NVD maintainers about this?

You actually don't need to look for how to add an entry in the CPE
database. Just drop an e-mail to the NVD maintainers, giving for each
CVE some clear evidence that they were fixed in 8.1.1, and ask them to
update the CVE entries. They will automatically take care of adding the
CPE entry, and update the CVE information.

Let me know if you want some help to achieve this.

Thanks!

Thomas
Clément Ramirez Nov. 2, 2023, 9:37 a.m. UTC | #6
Hi Thomas!

> Always happy to see some patches from you on Buildroot! :-)

Yes, but I need to keep going.

> > I will try to find a way to add an entry in the CPE database, and add a
> > comment to explain why we are ignoring these CVEs.
>
> In the end, did you send an e-mail to the NVD maintainers about this?

I tried to figure out how to add an entry in the CPE database indeed, and
found some tools to do it. But I wasn't sure what information I should
fill in, so I ended up not sending anything.

> You actually don't need to look for how to add an entry in the CPE
> database. Just drop an e-mail to the NVD maintainers, giving for each
> CVE some clear evidence that they were fixed in 8.1.1, and ask them to
> update the CVE entries. They will automatically take care of adding the
> CPE entry, and update the CVE information.

That will be very nice, and simpler than generating an XML entry as described
on the CPE submission web page ([0]).
I will try to email them today and keep you updated if I encounter any
problems doing it.

[0] https://cpe.mitre.org/dictionary/#process

Thank you again for your help!

Clément
Thomas Petazzoni Nov. 2, 2023, 9:47 a.m. UTC | #7
Hello Clément,

On Thu, 2 Nov 2023 10:37:36 +0100
Clément Ramirez <ramirez.clement3@gmail.com> wrote:

> That will be very nice, and simpler than generating an XML entry as described
> on the CPE submission web page ([0]).
> I will try to email them today and keep you updated if I encounter any
> problems doing it.

For reference, here is an e-mail I sent to them, and following which
they did fix the CVE database.

=====================================================================
From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: nvd@nist.gov
Cc: "buildroot@buildroot.org" <buildroot@buildroot.org>
Subject: CVE-2021-4034 version range fix
Date: Sat, 2 Sep 2023 19:34:34 +0200
Organization: Bootlin
Message-ID: <20230902193434.4865dbd4@windsurf>

Dear NVD maintainers,

CVE-2021-4034 is marked in the NVD database as affecting all versions
of the polkit project due to the following "Configuration 1":

  cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*

However, as indicated in
https://nvd.nist.gov/vuln/detail/CVE-2021-4034, this issue has been
fixed in the upstream polkit project as of commit
https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683.

In turn, this commit is integrated in polkit since version 121:

polkit$ git tag --contains a2bf5c9c83b6ae46cbd5c779d3055bff81ded683
121
122
123

So, the "Configuration 1" should be fixed to indicate that only
versions < 121 are affected. Could this be addressed in your NVD
database?

Best regards,

Thomas Petazzoni
=====================================================================

Best regards,

Thomas
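The version-range check that the NVD request above is about, as an added example written for this page (not code from the thread, from Buildroot's pkg-stats or from NVD): it evaluates a package version against NVD API 2.0 `cpeMatch` entries, using a constructed configuration for CVE-2021-4034 both as the unbounded "Configuration 1" quoted in the e-mail and with the `versionEndExcluding` bound it asks for. An unbounded `*` criteria matches every version, which is the same reason pkg-stats kept listing the three CVEs for qemu 8.1.1 earlier in the thread. Assumed simplifications: node operator/negate flags are not evaluated, and version parts compare numerically when both are digits, otherwise as text.

```python
"""Does a package version fall inside an NVD CPE applicability range?
Simplified model of that step, written for this page; not pkg-stats or NVD code."""
import json
import re

def _ver_key(v: str) -> tuple:
    # Numeric parts compare as ints, anything else as text, so 8.1.10 > 8.1.9.
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", v))

def _cmp(a: str, b: str) -> int:
    ka, kb = _ver_key(a), _ver_key(b)
    return (ka > kb) - (ka < kb)

def cpe_matches(match: dict, vendor: str, product: str, version: str) -> bool:
    """True when vendor:product:version is inside one NVD API 2.0 cpeMatch.
    criteria is a CPE 2.3 string: cpe:2.3:<part>:<vendor>:<product>:<version>:..."""
    if not match.get("vulnerable", False):
        return False
    fields = match["criteria"].split(":")
    if fields[3] != vendor or fields[4] != product:
        return False
    if fields[5] != "*":
        return _cmp(fields[5], version) == 0  # pinned version: exact match only
    # Wildcard version: apply the optional bounds. With none present every
    # version matches, which is the unbounded "Configuration 1" of the e-mail.
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    out_of_range = ((lo_inc and _cmp(version, lo_inc) < 0)
                    or (lo_exc and _cmp(version, lo_exc) <= 0)
                    or (hi_inc and _cmp(version, hi_inc) > 0)
                    or (hi_exc and _cmp(version, hi_exc) >= 0))
    return not out_of_range

def cve_applies(configurations: list, vendor: str, product: str, version: str) -> bool:
    """OR over every configurations/nodes/cpeMatch entry (NVD API 2.0 layout).
    Assumed simplification: node operator/negate flags are not evaluated."""
    return any(cpe_matches(m, vendor, product, version)
               for cfg in configurations
               for node in cfg.get("nodes", [])
               for m in node.get("cpeMatch", []))

# Constructed samples in the shape of the NVD API 2.0 "configurations" field:
# the unbounded range the e-mail complains about, and the bounded one it asks for.
BEFORE = json.loads('[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":['
                    '{"vulnerable":true,"criteria":"cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*"}]}]}]')
AFTER = json.loads('[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":['
                   '{"vulnerable":true,"criteria":"cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*",'
                   '"versionEndExcluding":"121"}]}]}]')

if __name__ == "__main__":
    for ver in ("0.120", "121", "123"):
        print(ver, cve_applies(BEFORE, "polkit_project", "polkit", ver),
              cve_applies(AFTER, "polkit_project", "polkit", ver))
```

With the unbounded entry every version, including the fixed 121 and 123, is reported as affected; once `versionEndExcluding` is set, only releases below 121 match.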
Clément Ramirez Nov. 2, 2023, 9:51 a.m. UTC | #8
That will help me a lot,

Thanks!


Patch

diff --git a/package/qemu/qemu.hash b/package/qemu/qemu.hash
index 506afa8bf3..61e51a923f 100644
--- a/package/qemu/qemu.hash
+++ b/package/qemu/qemu.hash
@@ -1,4 +1,4 @@ 
 # Locally computed, tarball verified with GPG signature
-sha256  710c101198e334d4762eef65f649bc43fa8a5dd75303554b8acfec3eb25f0e55  qemu-8.1.0.tar.xz
+sha256  37ce2ef5e500fb752f681117c68b45118303ea49a7e26bd54080ced54fab7def  qemu-8.1.1.tar.xz
 sha256  6f04ae8364d0079a192b14635f4b1da294ce18724c034c39a6a41d1b09df6100  COPYING
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
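Review bot: the retained first context line states the tarball is "verified with GPG signature", but neither this hunk nor the commit message records that the signature on qemu-8.1.1.tar.xz was actually checked before the new sha256 was computed; add a sentence to the commit log saying so (and against which release key), so the comment stays truthful for this version and the hash change is auditable later.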
diff --git a/package/qemu/qemu.mk b/package/qemu/qemu.mk
index 6aaed32336..167ae007f0 100644
--- a/package/qemu/qemu.mk
+++ b/package/qemu/qemu.mk
@@ -6,7 +6,7 @@ 
 
 # When updating the version, check whether the list of supported targets
 # needs to be updated.
-QEMU_VERSION = 8.1.0
+QEMU_VERSION = 8.1.1
 QEMU_SOURCE = qemu-$(QEMU_VERSION).tar.xz
 QEMU_SITE = https://download.qemu.org
 QEMU_LICENSE = GPL-2.0, LGPL-2.1, MIT, BSD-3-Clause, BSD-2-Clause, Others/BSD-1c
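Review bot: the two comment lines directly above the changed QEMU_VERSION line ask the updater to check whether the list of supported targets needs updating, and the commit message does not say this was done; add a line confirming the target list was reviewed for 8.1.1. The log above shows a point release limited to bug fixes, so this is a quick check, but it should still be recorded with the bump.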
@@ -16,6 +16,10 @@  QEMU_LICENSE_FILES = COPYING COPYING.LIB
 #       individual source files.
 QEMU_CPE_ID_VENDOR = qemu
 
+QEMU_IGNORE_CVES += CVE-2023-4135
+QEMU_IGNORE_CVES += CVE-2023-3354
+QEMU_IGNORE_CVES += CVE-2023-3180
+
 #-------------------------------------------------------------
 
 # The build system is now partly based on Meson.
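Review bot: the three `QEMU_IGNORE_CVES +=` lines suppress exactly the CVEs the commit message says this bump fixes, so the real reason is the missing NVD/CPE entry for 8.1.1 raised in the thread, not that the CVEs are inapplicable; add a comment above them stating that, for example `# Fixed in 8.1.1; NVD has no CPE entry for 8.1.1 yet, drop once the CVE ranges are updated`, so a later version bump knows these entries are temporary and removes them.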