| author | spz <spz@pkgsrc.org> | 2015-03-13 09:43:41 +0000 |
|---|---|---|
| committer | spz <spz@pkgsrc.org> | 2015-03-13 09:43:41 +0000 |
| commit | b6f50a2da361da39a872558c3957f285bf513f0e (patch) | |
| tree | a4711a031a56df86af47e24265b22509a19adaf1 /sysutils/xentools42 | |
| parent | 3f1f7a446843dc7b67e86f5ee2a4af7244dec31f (diff) | |
| download | pkgsrc-b6f50a2da361da39a872558c3957f285bf513f0e.tar.gz | |
xsa119-4.2.patch from upstream:
From b6e327fde6c365086594e2b46edf435aa1671b1a Mon Sep 17 00:00:00 2001
From: Ian Campbell <ian.campbell@citrix.com>
Date: Fri, 20 Feb 2015 14:41:09 +0000
Subject: [PATCH] tools: libxl: Explicitly disable graphics backends on qemu cmdline
By default qemu will try to create some sort of backend for the
emulated VGA device, either SDL or VNC.
However when the user specifies sdl=0 and vnc=0 in their configuration
libxl was not explicitly disabling either backend, which could lead to
one unexpectedly running.
If either sdl=1 or vnc=1 is configured then both before and after this
change only the backends which are explicitly enabled are configured,
i.e. this issue only occurs when all backends are supposed to have
been disabled.
This affects qemu-xen and qemu-xen-traditional differently.
If qemu-xen was compiled with SDL support then this would result in an
SDL window being opened if $DISPLAY is valid, or a failure to start
the guest if not. Passing "-display none" to qemu before any further
-sdl options disables this default behaviour and ensures that SDL is
only started if the libxl configuration demands it.
If qemu-xen was compiled without SDL support then qemu would instead
start a VNC server listening on ::1 (IPv6 localhost) or 127.0.0.1
(IPv4 localhost) with IPv6 preferred if available. Explicitly pass
"-vnc none" when vnc is not enabled in the libxl configuration to
remove this possibility.
qemu-xen-traditional would never start a vnc backend unless asked.
However by default it will start an SDL backend, the way to disable
this is to pass a -vnc option. In other words passing "-vnc none" will
disable both vnc and sdl by default. sdl can then be reenabled if
configured by subsequent use of the -sdl option.
Tested with both qemu-xen and qemu-xen-traditional built with SDL
support and:
xl cr # defaults
xl cr sdl=0 vnc=0
xl cr sdl=1 vnc=0
xl cr sdl=0 vnc=1
xl cr sdl=0 vnc=0 vga=\"none\"
xl cr sdl=0 vnc=0 nographic=1
with both valid and invalid $DISPLAY.
This is XSA-119.
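A host-side check for the condition the commit message describes, as an added example (not code from the pkgsrc commit or the upstream patch): it parses a device model's qemu argv (as seen in `ps` output, for instance) and reports whether qemu was left free to pick a default SDL or VNC backend. The sample command lines are constructed, and the `-xen-domid` option in them is filler only.

```python
"""Audit qemu device-model command lines for the XSA-119 condition.

Added example, not code from the pkgsrc commit or the upstream patch. It
encodes the rule the patch enforces: with neither SDL nor VNC configured,
qemu-xen needs "-vnc none" and "-display none", qemu-xen-traditional needs
"-vnc none"; without them qemu picks a graphics backend on its own.
"""
import shlex


def parse_graphics_opts(cmdline):
    """Return (sdl_given, vnc_value, display_value) for a qemu argv string;
    the values are the argument after the last -vnc / -display, else None."""
    argv = shlex.split(cmdline)
    sdl, vnc, display = False, None, None
    i = 1  # argv[0] is the qemu binary
    while i < len(argv):
        if argv[i] == "-sdl":
            sdl = True
        elif argv[i] == "-vnc" and i + 1 < len(argv):
            vnc = argv[i + 1]
            i += 1
        elif argv[i] == "-display" and i + 1 < len(argv):
            display = argv[i + 1]
            i += 1
        i += 1
    return sdl, vnc, display


def backend_policy_explicit(cmdline, traditional=False):
    """True when qemu cannot fall back to a default SDL or VNC backend."""
    sdl, vnc, display = parse_graphics_opts(cmdline)
    if sdl or (vnc is not None and vnc != "none"):
        return True  # the operator asked for SDL or a VNC server
    if traditional:
        return vnc == "none"  # "-vnc none" also suppresses the SDL default
    return vnc == "none" and display == "none"


def audit(cmdlines, traditional=False):
    """Names of device models whose command line still allows a default backend."""
    return sorted(name for name, cmd in cmdlines.items()
                  if not backend_policy_explicit(cmd, traditional))


# Constructed sample command lines modelled on what libxl passes (not captured).
SAMPLES = {
    "dom3_unpatched_sdl0_vnc0": "qemu-system-i386 -xen-domid 3 -m 512",
    "dom4_patched_sdl0_vnc0": "qemu-system-i386 -xen-domid 4 -vnc none -display none -m 512",
    "dom5_patched_sdl1_vnc0": "qemu-system-i386 -xen-domid 5 -vnc none -display none -sdl -m 512",
    "dom6_vnc1": "qemu-system-i386 -xen-domid 6 -vnc 127.0.0.1:0,to=99 -display none -m 512",
}
```

Running `audit(SAMPLES)` flags only the unpatched sdl=0 vnc=0 case; for qemu-xen-traditional pass `traditional=True`, since there `-vnc none` alone is the required marker.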
Diffstat (limited to 'sysutils/xentools42')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | sysutils/xentools42/Makefile | 5 |
| -rw-r--r-- | sysutils/xentools42/distinfo | 3 |
| -rw-r--r-- | sysutils/xentools42/patches/patch-CVE-2015-2152 | 46 |

3 files changed, 50 insertions, 4 deletions
diff --git a/sysutils/xentools42/Makefile b/sysutils/xentools42/Makefile index 3a428b2e2ef..126dc9b6fe4 100644 --- a/sysutils/xentools42/Makefile +++ b/sysutils/xentools42/Makefile @@ -1,12 +1,11 @@ -# $NetBSD: Makefile,v 1.25 2015/01/20 14:24:37 jaapb Exp $ +# $NetBSD: Makefile,v 1.26 2015/03/13 09:43:41 spz Exp $ VERSION= 4.2.5 VERSION_IPXE= 1.0.0 DISTNAME= xen-${VERSION} PKGNAME= xentools42-${VERSION} -#PKGREVISION= 2 -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= sysutils MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ diff --git a/sysutils/xentools42/distinfo b/sysutils/xentools42/distinfo index 1eb34f9f44a..786d3919905 100644 --- a/sysutils/xentools42/distinfo +++ b/sysutils/xentools42/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.14 2015/01/29 21:31:39 joerg Exp $ +$NetBSD: distinfo,v 1.15 2015/03/13 09:43:41 spz Exp $ SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 @@ -24,6 +24,7 @@ SHA1 (patch-.._docs_man_xl.pod.1) = 740ad6f53e113b755bc6b04abce4ec9ba08eb815 SHA1 (patch-.._docs_man_xlcpupool.cfg.pod.5) = a693a79a1f1c16548f62f7da1fa58fa28030990f SHA1 (patch-.._docs_man_xm.pod.1) = 975b7570da4bf9fd9cb79539fbd36b8dfbcbd571 SHA1 (patch-.._docs_man_xmdomain.cfg.pod.5) = 5563a72e203e789a86f4166c71ddb3fcff5215c6 +SHA1 (patch-CVE-2015-2152) = 676339abef9e79595f6c40de31ca740f8284c7a2 SHA1 (patch-Makefile) = 37fbcd6d2f0279d4c04c91085b0e7f5611a5b92a SHA1 (patch-Rules.mk) = 51a2804e9a2a509a428392c0eb11243884bb7f22 SHA1 (patch-blktap_drivers_Makefile) = 0906a5ec3a7450fc987b01289e2560e60966d00d diff --git a/sysutils/xentools42/patches/patch-CVE-2015-2152 b/sysutils/xentools42/patches/patch-CVE-2015-2152 new file mode 100644 index 00000000000..a3a48831cce --- /dev/null +++ b/sysutils/xentools42/patches/patch-CVE-2015-2152 
@@ -0,0 +1,46 @@ +$NetBSD: patch-CVE-2015-2152,v 1.1 2015/03/13 09:43:41 spz Exp $ + +patch for XSA-119 aka CVE-2015-2152 from +http://xenbits.xen.org/xsa/xsa119-4.2.patch +fixing +HVM qemu unexpectedly enabling emulated VGA graphics backends + +--- libxl/libxl_dm.c.orig 2014-09-02 06:22:57.000000000 +0000 ++++ libxl/libxl_dm.c +@@ -147,7 +147,15 @@ static char ** libxl__build_device_model + if (libxl_defbool_val(vnc->findunused)) { + flexarray_append(dm_args, "-vncunused"); + } +- } ++ } else ++ /* ++ * VNC is not enabled by default by qemu-xen-traditional, ++ * however passing -vnc none causes SDL to not be ++ * (unexpectedly) enabled by default. This is overridden by ++ * explicitly passing -sdl below as required. ++ */ ++ flexarray_append_pair(dm_args, "-vnc", "none"); ++ + if (sdl) { + flexarray_append(dm_args, "-sdl"); + if (!libxl_defbool_val(sdl->opengl)) { +@@ -394,7 +402,18 @@ static char ** libxl__build_device_model + vncarg = libxl__sprintf(gc, "%s,to=99", vncarg); + } + flexarray_append(dm_args, vncarg); +- } ++ } else ++ /* ++ * Ensure that by default no vnc server is created. ++ */ ++ flexarray_append_pair(dm_args, "-vnc", "none"); ++ ++ /* ++ * Ensure that by default no display backend is created. Further ++ * options given below might then enable more. ++ */ ++ flexarray_append_pair(dm_args, "-display", "none"); ++ + if (sdl) { + flexarray_append(dm_args, "-sdl"); + /* XXX sdl->{display,xauthority} into $DISPLAY/$XAUTHORITY */ |
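Review bot: in the Makefile hunk the PKGREVISION bump from 2 to 3 is the right response to adding a source patch without changing VERSION, and dropping the stale duplicate `#PKGREVISION= 2` comment line alongside it is a welcome cleanup; nothing further is needed there.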
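Review bot: the added `SHA1 (patch-CVE-2015-2152) = 676339abef9e79595f6c40de31ca740f8284c7a2` line in the distinfo hunk sits in sorted position between the `patch-.._docs_man_*` and `patch-Makefile` entries, but it is only valid for the patch file byte-for-byte as committed; the new file starts with a `$NetBSD: ... $` RCS line that is expanded on commit, so the checksum must be taken from the expanded file (the `v 1.1 2015/03/13 09:43:41 spz` already visible in the new-file hunk indicates it was), and any later whitespace edit to the patch requires regenerating it.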
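Review bot: in both inner hunks of the new patch-CVE-2015-2152 the `} else` branch carries a multi-line comment followed by a single unbraced `flexarray_append_pair(dm_args, "-vnc", "none");`, which reads as though the comment were the body; this matches upstream xsa119-4.2.patch verbatim, so it should stay as-is for checksum reasons, but if the file is ever reworked locally, braces around the else body would make the intent unmistakable. The ordering the commit message depends on is correct as shown: in the qemu-xen hunk `-vnc none` and the unconditional `-display none` are appended before `if (sdl) { flexarray_append(dm_args, "-sdl");`, so an explicitly configured SDL still re-enables what the defaults disable, and in the qemu-xen-traditional hunk `-vnc none` likewise precedes the `-sdl` append.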