Fri Mar 13 10:27:49 2015 UTC
xsa119-unstable.patch from upstream:

By default qemu will try to create some sort of backend for the
emulated VGA device, either SDL or VNC.

However when the user specifies sdl=0 and vnc=0 in their configuration
libxl was not explicitly disabling either backend, which could lead to
one unexpectedly running.

If either sdl=1 or vnc=1 is configured then both before and after this
change only the backends which are explicitly enabled are configured,
i.e. this issue only occurs when all backends are supposed to have
been disabled.

This affects qemu-xen and qemu-xen-traditional differently.

If qemu-xen was compiled with SDL support then this would result in an
SDL window being opened if $DISPLAY is valid, or a failure to start
the guest if not. Passing "-display none" to qemu before any further
-sdl options disables this default behaviour and ensures that SDL is
only started if the libxl configuration demands it.

If qemu-xen was compiled without SDL support then qemu would instead
start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
(IPv4 localhost) with IPv6 preferred if available. Explicitly pass
"-vnc none" when vnc is not enabled in the libxl configuration to
remove this possibility.

qemu-xen-traditional would never start a vnc backend unless asked.
However by default it will start an SDL backend, the way to disable
this is to pass a -vnc option. In other words passing "-vnc none" will
disable both vnc and sdl by default. sdl can then be reenabled if
configured by subsequent use of the -sdl option.

Tested with both qemu-xen and qemu-xen-traditional built with SDL
support and:
        xl cr # defaults
        xl cr sdl=0 vnc=0
        xl cr sdl=1 vnc=0
        xl cr sdl=0 vnc=1
        xl cr sdl=0 vnc=0 vga=\"none\"
        xl cr sdl=0 vnc=0 nographic=1
with both valid and invalid $DISPLAY.

This is XSA-119.


(spz)
diff -r1.4 -r1.5 pkgsrc/sysutils/xentools45/Makefile
diff -r1.4 -r1.5 pkgsrc/sysutils/xentools45/distinfo
diff -r0 -r1.1 pkgsrc/sysutils/xentools45/patches/patch-CVE-2015-2152

cvs diff -r1.4 -r1.5 pkgsrc/sysutils/xentools45/Attic/Makefile

--- pkgsrc/sysutils/xentools45/Attic/Makefile 2015/01/29 21:33:47 1.4
+++ pkgsrc/sysutils/xentools45/Attic/Makefile 2015/03/13 10:27:48 1.5
@@ -1,21 +1,21 @@ @@ -1,21 +1,21 @@
1# $NetBSD: Makefile,v 1.4 2015/01/29 21:33:47 joerg Exp $ 1# $NetBSD: Makefile,v 1.5 2015/03/13 10:27:48 spz Exp $
2 2
3VERSION= 4.5.0 3VERSION= 4.5.0
4VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e 4VERSION_IPXE= 9a93db3f0947484e30e753bbd61a10b17336e20e
5 5
6DISTNAME= xen-${VERSION} 6DISTNAME= xen-${VERSION}
7PKGNAME= xentools45-${VERSION} 7PKGNAME= xentools45-${VERSION}
8PKGREVISION= 1 8PKGREVISION= 2
9CATEGORIES= sysutils 9CATEGORIES= sysutils
10MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ 10MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
11 11
12DISTFILES= ${DISTNAME}.tar.gz 12DISTFILES= ${DISTNAME}.tar.gz
13DISTFILES+= ipxe-git-${VERSION_IPXE}.tar.gz 13DISTFILES+= ipxe-git-${VERSION_IPXE}.tar.gz
14SITES.ipxe-git-${VERSION_IPXE}.tar.gz += http://xenbits.xensource.com/xen-extfiles/ 14SITES.ipxe-git-${VERSION_IPXE}.tar.gz += http://xenbits.xensource.com/xen-extfiles/
15 15
16MAINTAINER= pkgsrc-users@NetBSD.org 16MAINTAINER= pkgsrc-users@NetBSD.org
17HOMEPAGE= http://xen.org/ 17HOMEPAGE= http://xen.org/
18COMMENT= Userland Tools for Xen 4.5.x 18COMMENT= Userland Tools for Xen 4.5.x
19LICENSE= gnu-gpl-v2 19LICENSE= gnu-gpl-v2
20 20
21# XXX add version check: Xen requires dev86 >= 0.16.14 21# XXX add version check: Xen requires dev86 >= 0.16.14

cvs diff -r1.4 -r1.5 pkgsrc/sysutils/xentools45/Attic/distinfo

--- pkgsrc/sysutils/xentools45/Attic/distinfo 2015/01/29 21:33:47 1.4
+++ pkgsrc/sysutils/xentools45/Attic/distinfo 2015/03/13 10:27:48 1.5
@@ -1,30 +1,31 @@ @@ -1,30 +1,31 @@
1$NetBSD: distinfo,v 1.4 2015/01/29 21:33:47 joerg Exp $ 1$NetBSD: distinfo,v 1.5 2015/03/13 10:27:48 spz Exp $
2 2
3SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88 3SHA1 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = fecadf952821e830ce1a1d19655288eef8488f88
4RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8 4RMD160 (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 539bfa12db7054228250d6dd380bbf96c1a040f8
5Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes 5Size (ipxe-git-9a93db3f0947484e30e753bbd61a10b17336e20e.tar.gz) = 2867999 bytes
6SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637 6SHA1 (xen-4.5.0.tar.gz) = c4aab5fb366496ad1edc7fe0a935a0d604335637
7RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45 7RMD160 (xen-4.5.0.tar.gz) = e35ba0cb484492c1a289218eb9bf53b57dbd3a45
8Size (xen-4.5.0.tar.gz) = 18404933 bytes 8Size (xen-4.5.0.tar.gz) = 18404933 bytes
9SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d 9SHA1 (patch-.._.._ipxe_src_core_settings.c) = 9e053e5e9936f49c46af0d59382a67d5f28cb39d
10SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762 10SHA1 (patch-.._.._ipxe_src_interface_efi_efi_snp.c) = 7cd8a2d2dbeff55624b5d3461d22cd8331221762
11SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005 11SHA1 (patch-.._.._ipxe_src_net_fcels.c) = 7c13c87af5e38233f8b867503789f536394e7005
12SHA1 (patch-.._.._ipxe_src_net_tls.c) = c36b812c4c9a3aa7309219dfad2f7a24ba818e59 12SHA1 (patch-.._.._ipxe_src_net_tls.c) = c36b812c4c9a3aa7309219dfad2f7a24ba818e59
13SHA1 (patch-.._Config.mk) = 36a8942a9fc0f7d601c9b5f7fd1332db99f9ac4b 13SHA1 (patch-.._Config.mk) = 36a8942a9fc0f7d601c9b5f7fd1332db99f9ac4b
14SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab 14SHA1 (patch-.._docs_man_xl.cfg.pod.5) = e2058495b6fe85af338e22560d46996d36aeedab
15SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8 15SHA1 (patch-.._docs_man_xl.conf.pod.5) = 015da24a45388468d56f1ecfa60f6acf07bdfef8
16SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5 16SHA1 (patch-.._docs_man_xl.pod.1) = b194f2c5608c6f0e80a4abd8655808cf91355cd5
17SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2 17SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = b44813af965e4d9d0d51c18b22d286736a4663b2
 18SHA1 (patch-CVE-2015-2152) = 5a1cabf330b3a1bd902adf2b33dd5c4c32b8ab9d
18SHA1 (patch-Makefile) = 5d5b9678ed9764275ee95f49d24e8538a0e8a01c 19SHA1 (patch-Makefile) = 5d5b9678ed9764275ee95f49d24e8538a0e8a01c
19SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50 20SHA1 (patch-Rules.mk) = e0dc4234c35dc2d78afad4a90b0af829a6a10b50
20SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7 21SHA1 (patch-blktap_drivers_Makefile) = 7cc53b2a0dea1694a969046ab8542271ca63f9e7
21SHA1 (patch-configure) = d1a1b9c9e00dd79bb872190282006201510ce2c1 22SHA1 (patch-configure) = d1a1b9c9e00dd79bb872190282006201510ce2c1
22SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff 23SHA1 (patch-examples_Makefile) = 5fe7bb876d254cf0c4f774ed0f08dcaea5b355ff
23SHA1 (patch-firmware_etherboot_Makefile) = f55e14948b7191e533a82b8fc3575f1052f23c45 24SHA1 (patch-firmware_etherboot_Makefile) = f55e14948b7191e533a82b8fc3575f1052f23c45
24SHA1 (patch-firmware_etherboot_patches_series) = 2fa1342c78094c6dd5d60a07c236c4a1c0599fc4 25SHA1 (patch-firmware_etherboot_patches_series) = 2fa1342c78094c6dd5d60a07c236c4a1c0599fc4
25SHA1 (patch-firmware_hvmloader_Makefile) = bc5e81ddfc5e95887c2af4bb32eced9c5748b3c6 26SHA1 (patch-firmware_hvmloader_Makefile) = bc5e81ddfc5e95887c2af4bb32eced9c5748b3c6
26SHA1 (patch-hotplug_NetBSD_Makefile) = 5afbf8dc910c93fcc0904ba09164a441704e31a2 27SHA1 (patch-hotplug_NetBSD_Makefile) = 5afbf8dc910c93fcc0904ba09164a441704e31a2
27SHA1 (patch-hotplug_NetBSD_vif-bridge) = ac4cc7446715330b504b8cce8cbd47c8035cf33c 28SHA1 (patch-hotplug_NetBSD_vif-bridge) = ac4cc7446715330b504b8cce8cbd47c8035cf33c
28SHA1 (patch-hotplug_NetBSD_vif-ip) = ed23b0c16d87bd05230399d921e28860c5857b01 29SHA1 (patch-hotplug_NetBSD_vif-ip) = ed23b0c16d87bd05230399d921e28860c5857b01
29SHA1 (patch-hotplug_common_Makefile) = 1c8af96a3d0d1d5e9c168b1eb75fabb3e2164a19 30SHA1 (patch-hotplug_common_Makefile) = 1c8af96a3d0d1d5e9c168b1eb75fabb3e2164a19
30SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29df977c14 31SHA1 (patch-include_xen-sys_NetBSD_gntdev.h) = b1f60f46e606b7591d68d98655d1cb29df977c14
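
Review bot: the entry added at line 18 of the new distinfo, patch-CVE-2015-2152, is named after the CVE, while every other patch entry in this list is named after the file it modifies (patch-Makefile, patch-Rules.mk, patch-hotplug_NetBSD_vif-ip and so on). The patch touches only libxl/libxl_dm.c, so a file-derived name would keep the list consistent and show at a glance which source file carries the fix; the CVE and XSA identifiers can stay in the patch's header comment.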

File Added: pkgsrc/sysutils/xentools45/patches/Attic/patch-CVE-2015-2152
$NetBSD: patch-CVE-2015-2152,v 1.1 2015/03/13 10:27:49 spz Exp $

xsa119-unstable.patch from upstream.
XSA-119 is "HVM qemu unexpectedly enabling emulated VGA graphics backends"

--- libxl/libxl_dm.c.orig	2015-01-12 16:53:24.000000000 +0000
+++ libxl/libxl_dm.c
@@ -180,7 +180,14 @@ static char ** libxl__build_device_model
         if (libxl_defbool_val(vnc->findunused)) {
             flexarray_append(dm_args, "-vncunused");
         }
-    }
+    } else
+        /*
+         * VNC is not enabled by default by qemu-xen-traditional,
+         * however passing -vnc none causes SDL to not be
+         * (unexpectedly) enabled by default. This is overridden by
+         * explicitly passing -sdl below as required.
+         */
+        flexarray_append_pair(dm_args, "-vnc", "none");
 
     if (sdl) {
         flexarray_append(dm_args, "-sdl");
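
Review bot: the new "} else" that replaces the closing brace of the vnc block is unbraced and is separated from its single statement by a six-line comment, while the if side is braced. Write it as "} else { ... }" so that a line added later next to flexarray_append_pair(dm_args, "-vnc", "none") cannot silently fall outside the branch. The comment should also say outright that the "-sdl" argument has to be appended after "-vnc none" for the override to work, since the fix depends on that ordering and "below" only hints at it.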
@@ -513,7 +520,17 @@ static char ** libxl__build_device_model
         }
 
         flexarray_append(dm_args, vncarg);
-    }
+    } else
+        /*
+         * Ensure that by default no vnc server is created.
+         */
+        flexarray_append_pair(dm_args, "-vnc", "none");
+
+    /*
+     * Ensure that by default no display backend is created. Further
+     * options given below might then enable more.
+     */
+    flexarray_append_pair(dm_args, "-display", "none");
 
     if (sdl) {
         flexarray_append(dm_args, "-sdl");
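
Review bot: the unbraced else added after flexarray_append(dm_args, vncarg) is followed by a blank line and then a second flexarray_append_pair call that runs unconditionally, so only the indentation tells the reader that "-vnc none" is conditional and "-display none" is not. Brace the else branch. The "-display none" comment should also record that this argument must be appended before the "-sdl" handling that follows, and that it is emitted after vncarg even when VNC is configured, so the intended interaction between the two options is documented at the point where the ordering is decided.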