Fetch recent CVE and packaging fixes
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| qemu (Ubuntu) |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
[Impact]
* Two CVE fixes from upstream and a bunch of packaging fixes from Debian
* The only big change is in binfmt which was discussed in detail in
https:/
[Test Case]
* Full virt regression tests were run before the upload.
Details are in the linked Merge Proposals.
[Regression Potential]
* The external spice-ui is already in the code but non functional, so
adding the related .so files can't regress it from dysfunctional to less
than that :-). It has no impact to other areas of qemu (only when the
new arg is used).
* placing the svg correctly has no drawback I can think of
* the Multi-Arch change also seems safe to me.
* the binfmt registration changes are the only ones with a potential
regression if it turns out to not work. But it follows the guidance of
the binfmt owner (cjwatson) and therefore should be much better by
relying on binfmt itself then coding it in qemu itself.
[Other Info]
* This isn't technically an SRU, but I have learned that filling these
templates helps the release Team to accept changes while in 20.04 Freeze
time.
---
I was made aware by mdeslaur about CVE-2020-10702 and CVE-2020-11102.
While checking for those I also realized that we should pick a few more (cherry picks only to not violate Feature Freeze).
This also includes some long term discussions/fixes that I have driven myself or tracked with Debian. Adding those would make Focal better so lets add those fixes before 20.04 release.
Related branches
- Rafael David Tinoco (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
-
Diff: 606 lines (+418/-48)11 files modifieddebian/binfmt-install (+46/-37)
debian/changelog (+19/-0)
debian/control (+1/-1)
debian/control-in (+1/-1)
debian/patches/arm-fix-PAuth-sbox-functions-CVE-2020-10702.patch (+48/-0)
debian/patches/net-tulip-check-frame-size-and-r-w-data-length-CVE-2020-11102.patch (+145/-0)
debian/patches/series (+4/-0)
debian/patches/ubuntu/lp-1871830-module-increase-dirs-array-size-by-one.patch (+38/-0)
debian/patches/ubuntu/lp-1872107-kvm-Reallocate-dirty_bmap-when-we-change-a-slot.patch (+103/-0)
debian/qemu-system-data.install (+1/-1)
debian/rules (+12/-8)
CVE References
| Christian Ehrhardt (paelzer) wrote | #1 |
| Christian Ehrhardt (paelzer) wrote | #2 |
| Changed in qemu (Ubuntu): | |
| importance: | Undecided → Critical |
| status: | New → In Progress |
| description: | updated |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in qemu (Ubuntu): | |
| status: | In Progress → Fix Released |
This will also complete the partial remote spice (which is a bug to be half-way added not a new feature)