Merge lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197 into lp:ubuntu/maverick/qemu-kvm

Proposed by Neil Wilson
Status: Needs review
Proposed branch: lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197
Merge into: lp:ubuntu/maverick/qemu-kvm
Diff against target: 109 lines (+72/-1)
5 files modified
debian/changelog (+19/-0)
debian/control (+1/-1)
debian/patches/697197-fix-vnc-password-semantics.patch (+17/-0)
debian/patches/caps-lock-key-up-event.patch (+33/-0)
debian/patches/series (+2/-0)
To merge this branch: bzr merge lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197
Reviewer Review Type Date Requested Status
Dustin Kirkland  Approve
Review via email: mp+47820@code.launchpad.net

Description of the change

Security fix for CVE 2011-0011

Dustin Kirkland  (kirkland) wrote :

Looks good, thanks for doing this, Neil.

I'm going to update it just slightly, as this debdiff will need to go through the security queue, since there's an associated CVE. I'll prep that upload and the security team will sponsor it into maverick-security.

I'll get it uploaded to natty now.

The last thing I need you to do is to email your patch to the qemu-devel mailing list. The maintainers do not accept patches solely attached to bugs in Launchpad. Their processes require that you email the patch to the mailing list. Sorry for the run-around. Cheers!

review: Approve
Neil Wilson (neil-aldur) wrote :

Dustin,

I've been following the discussion on the qemu development list and
they are going for a complete rewrite of the associated functions to
get rid of the overloaded behaviour. There's an ongoing discussion
with the RedHat boys about it.

Additionally I think this patch needs to go into Lucid as well.

On 11 February 2011 15:39, Dustin Kirkland <email address hidden> wrote:
> Review: Approve
> Looks good, thanks for doing this, Neil.
>
> I'm going to update it just slightly, as this debdiff will need to go through the security queue, since there's an associated CVE.  I'll prep that upload and the security team will sponsor it into maverick-security.
>
> I'll get it uploaded to natty now.
>
> The last thing I need you to do is to email your patch to the qemu-devel mailing list.  The maintainers do not accept patches solely attached to bugs in Launchpad.  Their processes require that you email the patch to the mailing list.  Sorry for the run-around.  Cheers!
> --
> https://code.launchpad.net/~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197/+merge/47820
> Your team Brightbox is subscribed to branch lp:~brightbox/ubuntu/maverick/qemu-kvm/qemu-kvm.fix-697197.
>

--
Neil Wilson

Dustin Kirkland  (kirkland) wrote :

On Fri, Feb 11, 2011 at 9:49 AM, Neil Wilson <email address hidden> wrote:
> I've been following the discussion on the qemu development list and
> they are going for a complete rewrite of the associated functions to
> get rid of the overloaded behaviour. There's an ongoing discussion
> with the RedHat boys about it.
>
> Additionally I think this patch needs to go into Lucid as well.

Thanks, I ported the debdiff for lucid-security too.

I can't follow the qemu-devel list in detail any more. Would you mind
just dropping me a note once they get their fixes for this issue in
git HEAD?

Cheers,
Dustin

Neil Wilson (neil-aldur) wrote :

On 11 February 2011 16:07, Dustin Kirkland <email address hidden> wrote:

> Thanks, I ported the debdiff for lucid-security too.
>
> I can't follow the qemu-devel list in detail any more.  Would you mind
> just dropping me a note once they get their fixes for this issue in
> git HEAD?
>
> Cheers,
> Dustin

Will do.

It may take some time to resolve - a few differences of opinion to
iron out as ever.

--
Neil Wilson

Unmerged revisions

97. By Neil Wilson

Add patch description.

96. By Neil Wilson

* SECURITY UPDATE: Setting VNC password to empty string silently
  disables all authentication (LP: #697197)
  - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
  change introduced in Qemu by git commit 52c18be9
  CVE: 2011-0011

95. By Benjamin Drung

Add caps-lock-key-up-event.patch to enable normal up/down events for
Caps-Lock and Num-Lock keys by setting SDL_DISABLE_LOCK_KEYS (which
requires SDL > 1.2.14). This fixes handling of capslock when capslock is
mapped to something else in host system. (LP: #427612)

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2010-09-30 12:04:45 +0000
3+++ debian/changelog 2011-01-28 16:03:09 +0000
4@@ -1,3 +1,22 @@
5+qemu-kvm (0.12.5+noroms-0ubuntu7.2) maverick; urgency=low
6+
7+ * SECURITY UPDATE: Setting VNC password to empty string silently
8+ disables all authentication (LP: #697197)
9+ - debian/patches/697197-fix-vnc-password-semantics.patch: Reverses the
10+ change introduced in Qemu by git commit 52c18be9
11+ CVE: 2011-0011
12+
13+ -- Neil Wilson <neil@aldur.co.uk> Fri, 28 Jan 2011 15:30:44 +0000
14+
15+qemu-kvm (0.12.5+noroms-0ubuntu7.1) maverick-proposed; urgency=low
16+
17+ * Add caps-lock-key-up-event.patch to enable normal up/down events for
18+ Caps-Lock and Num-Lock keys by setting SDL_DISABLE_LOCK_KEYS (which
19+ requires SDL > 1.2.14). This fixes handling of capslock when capslock is
20+ mapped to something else in host system. (LP: #427612)
21+
22+ -- Benjamin Drung <bdrung@ubuntu.com> Wed, 24 Nov 2010 15:35:10 +0100
23+
24 qemu-kvm (0.12.5+noroms-0ubuntu7) maverick; urgency=low
25
26 * Resurrect arm-host-fix-compiler-warning patch, applied in
27
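Review bot: The 0.12.5+noroms-0ubuntu7.2 entry is labelled SECURITY UPDATE but sits on top of 0.12.5+noroms-0ubuntu7.1, which targets maverick-proposed and carries the unrelated caps-lock change, so this upload would ship both together. I would base the security entry directly on 0ubuntu7 so that it contains only the VNC fix. The entry also targets "maverick" with urgency=low, although the review discussion routes it to maverick-security, and the reference is written "CVE: 2011-0011" rather than as the identifier CVE-2011-0011, which makes it harder to find by search.
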
28=== modified file 'debian/control'
29--- debian/control 2010-08-24 09:56:34 +0000
30+++ debian/control 2011-01-28 16:03:09 +0000
31@@ -3,7 +3,7 @@
32 Priority: optional
33 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
34 Build-Depends: debhelper (>= 7), pkg-config, quilt (>= 0.40),
35- bzip2, uuid-dev, zlib1g-dev, libsdl1.2-dev, libasound2-dev, libcurl4-gnutls-dev, libgnutls-dev,
36+ bzip2, uuid-dev, zlib1g-dev, libsdl1.2-dev (>= 1.2.14), libasound2-dev, libcurl4-gnutls-dev, libgnutls-dev,
37 libncurses5-dev, libpci-dev, libpulse-dev, libaio-dev, nasm, texi2html, bcc, iasl,
38 device-tree-compiler [powerpc], sysv-rc (>= 2.86.ds1-14.1ubuntu2), libx11-dev, libsasl2-dev
39 Standards-Version: 3.8.3
40
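Review bot: The tightened Build-Depends on "libsdl1.2-dev (>= 1.2.14)" belongs to the caps-lock change, not to the VNC fix, so it alters build requirements inside what the changelog labels a security update; it should move out together with caps-lock-key-up-event.patch if that is dropped from this upload. The bound also disagrees with the changelog and the patch description, which both say "requires SDL > 1.2.14", while this line and the comment added to sdl.c say ">= 1.2.14". Pick one and make the texts agree.
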
41=== added file 'debian/patches/697197-fix-vnc-password-semantics.patch'
42--- debian/patches/697197-fix-vnc-password-semantics.patch 1970-01-01 00:00:00 +0000
43+++ debian/patches/697197-fix-vnc-password-semantics.patch 2011-01-28 16:03:09 +0000
44@@ -0,0 +1,17 @@
45+## Description: Stop 'change password' switching off VNC authentication
46+## Origin/Author: Neil Wilson <neil@aldur.co.uk>
47+## Bug: http://launchpad.net/bugs/697197
48+--- a/vnc.c
49++++ b/vnc.c
50+@@ -2461,11 +2461,6 @@
51+ if (password && password[0]) {
52+ if (!(vs->password = qemu_strdup(password)))
53+ return -1;
54+- if (vs->auth == VNC_AUTH_NONE) {
55+- vs->auth = VNC_AUTH_VNC;
56+- }
57+- } else {
58+- vs->auth = VNC_AUTH_NONE;
59+ }
60+
61+ return 0;
62
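Review bot: Removing the else branch together with the "if (vs->auth == VNC_AUTH_NONE)" upgrade means this code path no longer touches vs->auth at all, so a non-empty password set on a display whose auth is VNC_AUTH_NONE no longer switches it to VNC_AUTH_VNC, and an empty password now falls through to "return 0" with nothing stored. The patch header should state both outcomes, and say what a client sees after an empty password is set while auth is VNC_AUTH_VNC, since that depends on code outside this hunk. The header also uses "##"-prefixed fields, unlike the Description/Author/Bug-Ubuntu layout of caps-lock-key-up-event.patch, and does not name the upstream commit 52c18be9 that the changelog says is being reversed.
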
63=== added file 'debian/patches/caps-lock-key-up-event.patch'
64--- debian/patches/caps-lock-key-up-event.patch 1970-01-01 00:00:00 +0000
65+++ debian/patches/caps-lock-key-up-event.patch 2011-01-28 16:03:09 +0000
66@@ -0,0 +1,33 @@
67+Description: Enable normal up/down events for Caps-Lock and Num-Lock keys
68+ by setting SDL_DISABLE_LOCK_KEYS (which requires SDL > 1.2.14). This fixes
69+ handling of capslock when capslock is mapped to something else in host system.
70+Author: Benjamin Drung <bdrung@ubuntu.com>
71+Bug-Ubuntu: https://launchpad.net/bugs/427612
72+
73+--- a/sdl.c 2010-02-26 16:26:00 +0000
74++++ b/sdl.c 2010-11-24 21:17:18 +0000
75+@@ -388,12 +388,6 @@
76+ else
77+ modifiers_state[keycode] = 1;
78+ break;
79+- case 0x45: /* num lock */
80+- case 0x3a: /* caps lock */
81+- /* SDL does not send the key up event, so we generate it */
82+- kbd_put_keycode(keycode);
83+- kbd_put_keycode(keycode | 0x80);
84+- return;
85+ }
86+
87+ /* now send the key code */
88+@@ -848,6 +842,10 @@
89+ if (no_frame)
90+ gui_noframe = 1;
91+
92++ // Enable normal up/down events for Caps-Lock and Num-Lock keys.
93++ // This requires SDL >= 1.2.14
94++ setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
95++
96+ flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
97+ if (SDL_Init (flags)) {
98+ fprintf(stderr, "Could not initialize SDL - exiting\n");
99+
100
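Review bot: The first sdl.c hunk deletes the synthesized key-up for 0x45 and 0x3a unconditionally, while the replacement depends on SDL_DISABLE_LOCK_KEYS, which the added comment says needs SDL >= 1.2.14. debian/control only tightens Build-Depends, so it is worth confirming the binary cannot run against an older SDL, where, per the removed comment, no key-up event would arrive. In the second hunk, setenv("SDL_DISABLE_LOCK_KEYS", "1", 1) passes overwrite=1 and ignores the return value, so it replaces any value the user exported and fails silently; consider overwrite 0 or checking the result. The "//" comments also differ from the "/* */" style in the surrounding context lines.
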
101=== modified file 'debian/patches/series'
102--- debian/patches/series 2010-09-29 14:26:38 +0000
103+++ debian/patches/series 2011-01-28 16:03:09 +0000
104@@ -8,3 +8,5 @@
105 check-for-invalid-initrd-file.patch
106 fix-CMOS-info-for-drives-defined-with--device.patch
107 arm-host-fix-compiler-warning.patch
108+caps-lock-key-up-event.patch
109+697197-fix-vnc-password-semantics.patch
