~paelzer/ubuntu/+source/qemu:lp-1830243-secure-boot-toleration-disco

Last commit made on 2019-07-04
Get this branch:
git clone -b lp-1830243-secure-boot-toleration-disco https://git.launchpad.net/~paelzer/ubuntu/+source/qemu
Only Christian Ehrhardt  can upload to this branch. If you are Christian Ehrhardt  please log in for upload directions.

Branch merges

Branch information

Name:
lp-1830243-secure-boot-toleration-disco
Repository:
lp:~paelzer/ubuntu/+source/qemu

Recent commits

7104ddc... by Christian Ehrhardt  on 2019-07-04

changelog: tolerate guests with secure boot loaders (LP: #1830243)

Signed-off-by: Christian Ehrhardt <email address hidden>

e50b9a7... by Christian Ehrhardt  on 2019-07-04

d/p/ubuntu/lp-1830243-s390-bios-Skip-bootmap-signature-entries.patch: tolerate guests with secure boot loaders (LP: #1830243)

Signed-off-by: Christian Ehrhardt <email address hidden>

aa0fbdd... by Christian Ehrhardt  on 2019-05-28

Import patches-unapplied version 1:3.1+dfsg-2ubuntu3.2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: b818da7a1a0dfa55c0f4edf0be10394fe4d7f3f8

New changelog entries:
  * d/p/ubuntu/define-ubuntu-machine-types.patch: fix wily machine type being
    broken since 2.11 due to 2.3/2.4 version mismatch in its definition to
    fix migrations from old machines (LP: #1829868).
  * d/p/ubuntu/lp-1830704-s390x-cpumodel-ignore-csske-for-expansion.patch
    toleration for future machines (LP: #1830704
  * d/control-in, d/control: add versioned dependencies to libseccomp 2.4 as
    any rebuild against 2.4 as it is in proposed right now will otherwise
    crash (LP: #1830859).

b818da7... by Steve Beattie on 2019-05-08

Import patches-unapplied version 1:3.1+dfsg-2ubuntu3.1 to ubuntu/disco-security

Imported using git-ubuntu import.

Changelog parent: 032438c45a3f371ce4a34082ccff34928914bf81

New changelog entries:
  * SECURITY UPDATE: Add support for exposing md-clear functionality
    to guests
    - d/p/ubuntu/enable-md-clear.patch
    - d/p/ubuntu/enable-md-no.patch
    - CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
  * SECURITY UPDATE: heap overflow when loading device tree blob
    - d/p/ubuntu/CVE-2018-20815.patch: specify how large the buffer to
      copy the device tree blob into is.
    - CVE-2018-20815
  * SECURITY UPDATE: device driver denial of service via NULL pointer
    dereference
    - d/p/ubuntu/CVE-2019-5008.patch: Define skeleton 'power_mem_read'
      routine
    - CVE-2019-5008
  * SECURITY UPDATE: information leak in SLiRP
    - d/p/ubuntu/CVE-2019-9824.patch: check sscanf result when
      emulating ident.
    - CVE-2019-9824

032438c... by Christian Ehrhardt  on 2019-03-18

Import patches-unapplied version 1:3.1+dfsg-2ubuntu3 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 994adb63a9522a7c30da2f0568193bd51ce9fa9d

New changelog entries:
  * qemu-guest-agent: fix path of fsfreeze-hook (LP: #1820291)
    - d/qemu-guest-agent.install: use correct path for fsfreeze-hook
    - d/qemu-guest-agent.pre{rm|inst}/.postrm: special handling for
      mv_conffile since the new path is a directory in the old package
      version which can not be handled by mv_conffile.
  * i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
    OOB read in hw/i2c/i2c-ddc.c which allows for memory disclosure.
    Closes: #922635 (Thanks to Gerd Hoffmann and Michael Tokarev)
    CVE-2019-3812

994adb6... by Christian Ehrhardt  on 2019-02-19

Import patches-unapplied version 1:3.1+dfsg-2ubuntu2 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: cab537364b05118ea9d17ad3c98aacfeb701e390

New changelog entries:
  * disable pvrdma - besides several security holes there are many other
    bugs there as well, and the amount of patches applied upstream after
    3.1 release is large (Closes, or actuallymakes unimportant again)
    - CVE-2018-20123
    - CVE-2018-20124
    - CVE-2018-20125
    - CVE-2018-20126
    - CVE-2018-20191
    - CVE-2018-20216
  * scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
    - CVE-2019-6501
  * slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
    - CVE-2019-6778

cab5373... by Christian Ehrhardt  on 2019-01-08

Import patches-unapplied version 1:3.1+dfsg-2ubuntu1 to ubuntu/disco-proposed

Imported using git-ubuntu import.

Changelog parent: 24fe7dca8d1fc8422cac77a475c49e3a43a7fc78

New changelog entries:
  * Merge with Debian testing, Among many other things this fixes LP Bugs:
    LP: #1806104 - fix misleading page size error on ppc64el
    LP: #1782205 - SnowRidge enabled new ISAs
    LP: #1786956 - upgrade to qemu >= 3.0
    LP: #1809083 - Backward migration to Xenial on ppc64el
    LP: #1803315 - s390x Huge page enablement
    LP: #1657409 - enable virglrenderer
    Remaining Changes:
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-kvm.service: systemd unit to call qemu-kvm-init
      - d/qemu-system-common.install: install systemd unit and helper script
      - d/qemu-system-common.maintscript: clean old sysv and upstart scripts
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: install /etc/default/qemu-kvm
    - Enable nesting by default
      - d/qemu-system-x86.modprobe: set nested=1 module option on intel.
        (is default on amd)
      - d/qemu-system-x86.postinst: re-load kvm_intel.ko if it was loaded
        without nested=1
      - d/p/ubuntu/expose-vmx_qemu64cpu.patch: expose nested kvm by default
        in qemu64 cpu type.
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
      - d/qemu-system-x86.README.Debian: document intention of nested being
        default is comfort, not full support
    - Distribution specific machine type (LP: 1304107 1621042 1776189 1761372)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type defintions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - d/p/ubuntu/lp-1761372-*: provide pseries-bionic-2.11-sxxm type as
        convenience with all meltdown/spectre workarounds enabled by default.
        (LP: 1761372).
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - s390x support
      - Create qemu-system-s390x package
      - Enable numa support for s390x
    - arch aware kvm wrappers
    - d/control: update VCS links (updated to match latest Ubuntu)
    - qemu-guest-agent: freeze-hook fixes (LP: 1484990)
      - d/qemu-guest-agent.install: provide /etc/qemu/fsfreeze-hook
      - d/qemu-guest-agent.dirs: provide /etc/qemu/fsfreeze-hook.d
    - d/control-in: enable RDMA support in qemu (LP: 1692476)
        - enable RDMA config option
        - add libibumad-dev build-dep
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
  * Added Changes:
    - d/p/ubuntu/define-ubuntu-machine-types.patch: update machine type changes
      for qemu 3.1 in the Ubuntu Disco release
    - d/p/ubuntu/lp-1759509-* fix waking up VMs from dompmsuspend (LP: #1759509)
    - Move s390x roms to a new qemu-system-data-s390x
      - d/qemu-system-data.install: install s390x roms as architecture:all in
        qemu-system-data
      - d/rules: build s390-ccw.img with upstream Makefile
      - d/rules: build s390x-netboot.img with upstream Makefile
      - d/p/ubuntu/lp-1790901-partial-SLOF-for-s390x-netboot.patch: bring back
        some SLOF bits stripped in DFSG to be able to build s390x-netboot roms
        As that hack to build s390-ccw.img rom can't build s390x-netboot.img
        replace it with a build-indep using the upstream makefiles.
        This is less prone to miss future changes/fixes that are done to the
        makefiles
      - d/control-in: add breaks/replaces for moving s390x roms from
        qemu-system-s390x to qemu-system-data
    - remove /dev/kvm permission handling (moved to systemd 239-6) (#892945)
      [From not yet uploaded Debian branch]
    - d/p/debianize-qemu-guest-service.patch: fix path of qemu-ga
      (Closes: #918378)
    - d/rules: fix qemu-kvm service for debhelper compat >=12
    - d/p/ubuntu/Revert-target-i386-kvm-add-VMX-migration-blocker.patch:
      avoid misdetection of simplified nesting blocking all migrations
    - d/p/ubuntu/lp-1812384-s390x-Return-specification-exception-for-
      unimplement.patch: properly return archicture defined exception
      on bad subcodes of diag 308 (LP: #1812384)
  * Dropped Changes:
    - Include s390-ccw.img firmware (old style native build)
    - d/rules enable install s390x-netboot.img (old style native build)
    - libvirt/qemu user/group support
      - qemu-system-common.postinst: remove acl placed by udev, and add udevadm
        trigger.
        [ Droppable since logind properly sets ACLs now ]
      - qemu-system-common.preinst: add kvm group if needed
        [ Droppable because systemd/udev take care of it since 239-6]
    - d/p/guest-agent-freeze-hook-skip-dpkg-artifacts.patch of qemu-guest-agent
      freeze-hook fixes (LP: 1484990)
      [upstream]
    - d/p/ubuntu/CVE-2018-3639/* update for qemu 2.12 using the final patches
      merged upstream
      [upstream]
    - d/p/ubuntu/CVE-2018-11806-slirp-correct-size.patch: slirp: correct size
      computation while concatenating mbuf.
      CVE-2018-11806
      [upstream]
    - d/p/ubuntu/lp-1781526-powerpc64-align-memory-THP.patch: align to 2MB
      for powerpc64 to speed up translation (LP: 1781526)
      [upstream]
    - d/p/ubuntu/lp-1780773-s390x-cpumodels-add-z14-Model-ZR1.patch: Add
      cpu model for z14 ZR1 (LP: 1780773).
      [upstream]
    - Mark qemu-system-data foreign to be able to install it e.g. on i386
      (Closes: 903562)
      [in Debian]
    - d/control-in: qemu-keymaps is provided by qemu-system-data now (from yet
      unreleased Debian version)
      [in Debian]
    - d/p/lp-1755912-qxl-fix-local-renderer-crash.patch: Fix an issue triggered
      by migrations with UI frontends or frequent guest resolution changes
      (LP #1755912)
      [upstream]
    - d//ubuntu/target-ppc-extend-eieio-for-POWER9.patch: Backport to
      extend eieio for POWER9 emulation (LP: 1787408).
      [upstream]
    - d/p/ubuntu/lp-1789551-seccomp-set-the-seccomp-filter-to-all-threads.patch:
      ensure that the seccomp blacklist is applied to all threads (LP: 1789551)
      [upstream]
    - improve s390x spectre mitigation with etoken facility (LP: 1790457)
      [upstream]
    - Update pxe netboot images for KVM s390x to qemu 3.0 level (LP: 1790901)
      [upstream]
    - d/control-in: our addition of a qemu-system-s390x package needs to follow
      the split of qemu-system-data by adding a dependency to it (LP: 1798084)
      [in Debian]
    - debian/patches/ubuntu/lp1787405-*: Support guest dedicated Crypto
      Adapters on s390x (LP: 1787405)
      [upstream]
    - enable opengl for vfio-MDEV support (LP: 1804766)
      [in Debian]
    - SECURITY UPDATE: integer overflow in NE2000 NIC emulation
      [upstream]
    - SECURITY UPDATE: integer overflow via crafted QMP command
      [upstream]
    - SECURITY UPDATE: OOB heap buffer r/w access in NVM Express Controller
      [upstream]
    - SECURITY UPDATE: buffer overflow in rtl8139
      [upstream]
    - SECURITY UPDATE: buffer overflow in pcnet
      [upstream]
    - SECURITY UPDATE: DoS via large packet sizes
      [upstream]
    - SECURITY UPDATE: DoS in lsi53c895a
      [upstream]
    - SECURITY UPDATE: Out-of-bounds r/w stack access in ppc64
      [upstream]
    - SECURITY UPDATE: race condition in 9p
      [upstream]

24fe7dc... by Michael Tokarev <email address hidden> on 2018-12-21

Import patches-unapplied version 1:3.1+dfsg-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5240fe8443f6b29287f9a651f541183a420ad731

New changelog entries:
  * d/rules: split arch and indep builds
  * enable s390x cross-compiler and build s390-ccw.img (Closes: #684909)
  * build x86 optionrom in qemu-system-data (was in seabios/debian/)
  * qemu-system-data: Multi-Arch: allowed=>foreign (Closes: #903562)
  * fix Replaces: version for qemu-system-common (Closes: #916279)
  * add simple udev rules file for systemd guest agent (Closes: #916674)
  * usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
    Race condition in usb_mtp implementation (Closes: #916397)
  * bt-use-size_t-type-for-length-parameters-instead-of-int-CVE-2018-19665.patch
    Memory corruption in bluetooth subsystem (Closes: #916278)
  * hw_usb-fix-mistaken-de-initialization-of-CCID-state.patch (Closes: #917007)
  * bump debhelper compat to 12 (>>11)
  * d/rules: use dh_missing instead of dh_install --list-missing (compat=12)
  * use dh_installsystemd for guest agent (Closes: #916625)
  * mention closing by 3.1: Closes: #912655, CVE-2018-16847
  * mention closing by 2.10:
    Closes: #849798, CVE-2016-10028
    Closes: CVE-2017-9060
    Closes: CVE-2017-8284

5240fe8... by Michael Tokarev <email address hidden> on 2018-12-02

Import patches-unapplied version 1:3.1+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 773dee283927af48f3f2a1fab2dac5de63914d32

New changelog entries:
  * new upstream release (3.1)
  * Security bugs fixed by upstream:
    Closes: #910431, CVE-2018-10839:
     integer overflow leads to buffer overflow issue
    Closes: #911468, CVE-2018-17962
     pcnet: integer overflow leads to buffer overflow
    Closes: #911469, CVE-2018-17963
     net: ignore packets with large size
    Closes: #908682, CVE-2018-3639
     qemu should be able to pass the ssbd cpu flag
    Closes: #901017, CVE-2018-11806
     m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow
     via incoming fragmented datagrams
    Closes: #902725, CVE-2018-12617
     qmp_guest_file_read in qemu-ga has an integer overflow
    Closes: #907500, CVE-2018-15746
     qemu-seccomp might allow local OS guest users to cause a denial of service
    Closes: #915884, CVE-2018-16867
     dev-mtp: path traversal in usb_mtp_write_data of the MTP
    Closes: #911499, CVE-2018-17958
     Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c
     because an incorrect integer data type is used
    Closes: #911470, CVE-2018-18438
     integer overflows because IOReadHandler and its associated functions
     use a signed integer data type for a size value
    Closes: #912535, CVE-2018-18849
     lsi53c895a: OOB msg buffer access leads to DoS
    Closes: #914604, CVE-2018-18954
     pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1
     allows out-of-bounds write or read access to PowerNV memory
    Closes: #914599, CVE-2018-19364
     Use-after-free due to race condition while updating fid path
    Closes: #914727, CVE-2018-19489
     9pfs: crash due to race condition in renaming files
  * remove patches which were applied upstream
  * add new manpage qemu-cpu-models.7
  * qemu-system-ppcemb is gone, use qemu-system-ppc[64]
  * do-not-link-everything-with-xen.patch (trivial)
  * get-orig-source: handle 3.x and 4.x, and remove roms again, as
    upstream wants us to use separate source packages for that stuff
  * move generated data from qemu-system-data back to qemu-system-common
  * d/control: enable spice on arm64 (Closes: #902501)
    (probably should enable on all)
  * d/control: change git@salsa urls to https
  * add qemu-guest-agent.service (Closes: #795486)
  * enable opengl support and virglrenderer (Closes: #813658)
  * simplify d/rules just a little bit
  * build-depend on libudev-dev, for qga

773dee2... by Michael Tokarev <email address hidden> on 2018-06-01

Import patches-unapplied version 1:2.12+dfsg-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 092c0eb4ee7d0645db2c09230dacd538775a2456

New changelog entries:
  * make qemu-system-foo depending
    on qemu-system-data >>ver~, not >>ver
    (Closes: #900585)
  * do not build qemu-system-gui on hppa
  * use dh_lintian for lintian overrides
  * update VCS fields to point to salsa.debian.org