* Thu Jan 31 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-11.el8

- kvm-Fix-fsfreeze-hook-path-in-the-man-page.patch [bz#1644985] - kvm-json-Fix-handling-when-not-interpolating.patch [bz#1668244] - Resolves: bz#1644985 (The "fsfreeze-hook" script path shown by command "qemu-ga --help" or "man qemu-ga" is wrong - Fast Train) - Resolves: bz#1668244 (qemu-img: /var/tmp/v2vovl9951f8.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found)
2019-01-31 20:40:05 +00:00 · 2019-01-31 20:40:05 +00:00 · 903966e69c
commit 903966e69c
parent d9dd3f8dd3
3 changed files with 187 additions and 1 deletions
--- a/kvm-Fix-fsfreeze-hook-path-in-the-man-page.patch
+++ b/kvm-Fix-fsfreeze-hook-path-in-the-man-page.patch
@ -0,0 +1,52 @@
+From cd667708de23ea78479cc68dd8ae4c9b429a4ec8 Mon Sep 17 00:00:00 2001
+From: Danilo de Paula <ddepaula@redhat.com>
+Date: Thu, 31 Jan 2019 00:16:44 +0000
+Subject: [PATCH 1/2] Fix fsfreeze-hook path in the man page.
+
+RH-Author: Danilo de Paula <ddepaula@redhat.com>
+Message-id: <20190131001644.6237-2-ddepaula@redhat.com>
+Patchwork-id: 84152
+O-Subject: [RHEL8/rhel + RHEL8/AV qemu-kvm PATCH 1/1] Fix fsfreeze-hook path in the man page.
+Bugzilla: 1644985
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+fsfreeze-hook final PATH is defined in redhat/qemu-kvm.spec.template
+since it's being copied in the install section.
+
+In that way, even with the configuration changes proposed by Marc
+in qemu-devel [1], the information would still be different.
+
+Wanting to avoid having to re-write some part of the building system
+including a new option, or use [1] and call ./configure again with --with-confsuffix=/qemu-ga,
+I decided to manually edit this directly in the file.
+
+To play safe, an alternative is to do this in the spec file with something like
+sed -i '/\/etc\/qemu\/fsfreeze-hook/,${s//\/etc\/qemu-ga\/fsfreeze-hook//;b};$q1' qemu-ga.texi
+In case the original file changes during a rebase, sed would fail and
+the problem could be detected. But I believe this would make maintaining this even harder.
+
+[1] http://lists.gnu.org/archive/html/qemu-devel/2018-11/msg05088.html
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ qemu-ga.texi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/qemu-ga.texi b/qemu-ga.texi
+index 4c7a8fd..3105e30 100644
+--- a/qemu-ga.texi
+++ b/qemu-ga.texi
+@@ -58,7 +58,7 @@ file format).
+   Enable fsfreeze hook. Accepts an optional argument that specifies
+   script to run on freeze/thaw. Script will be called with
+   'freeze'/'thaw' arguments accordingly (default is
+-  @samp{/etc/qemu/fsfreeze-hook}). If using -F with an argument, do
+  @samp{/etc/qemu-ga/fsfreeze-hook}). If using -F with an argument, do
+   not follow -F with a space (for example:
+   @samp{-F/var/run/fsfreezehook.sh}).
+ 
+-- 
+1.8.3.1
+
--- a/kvm-json-Fix-handling-when-not-interpolating.patch
+++ b/kvm-json-Fix-handling-when-not-interpolating.patch
@ -0,0 +1,122 @@
+From ee704181e5f2dd1ebc6a2de0f9e750a11541cd47 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Thu, 31 Jan 2019 14:28:01 +0000
+Subject: [PATCH 2/2] json: Fix % handling when not interpolating
+
+RH-Author: Markus Armbruster <armbru@redhat.com>
+Message-id: <20190131142801.15268-2-armbru@redhat.com>
+Patchwork-id: 84158
+O-Subject: [RHEL-8.0/AV qemu-kvm PATCH 1/1] json: Fix % handling when not interpolating
+Bugzilla: 1668244
+RH-Acked-by: Richard Jones <rjones@redhat.com>
+RH-Acked-by: Daniel P. Berrange <berrange@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+
+From: Christophe Fergeau <cfergeau@redhat.com>
+
+Commit 8bca4613 added support for %% in json strings when interpolating,
+but in doing so broke handling of % when not interpolating.
+
+When parse_string() is fed a string token containing '%', it skips the
+'%' regardless of ctxt->ap, i.e. even it's not interpolating.  If the
+'%' is the string's last character, it fails an assertion.  Else, it
+"merely" swallows the '%'.
+
+Fix parse_string() to handle '%' specially only when interpolating.
+
+To gauge the bug's impact, let's review non-interpolating users of this
+parser, i.e. code passing NULL context to json_message_parser_init():
+
+* tests/check-qjson.c, tests/test-qobject-input-visitor.c,
+  tests/test-visitor-serialization.c
+
+  Plenty of tests, but we still failed to cover the buggy case.
+
+* monitor.c: QMP input
+
+* qga/main.c: QGA input
+
+* qobject_from_json():
+
+  - qobject-input-visitor.c: JSON command line option arguments of
+    -display and -blockdev
+
+    Reproducer: -blockdev '{"%"}'
+
+  - block.c: JSON pseudo-filenames starting with "json:"
+
+    Reproducer: https://bugzilla.redhat.com/show_bug.cgi?id=1668244#c3
+
+  - block/rbd.c: JSON key pairs
+
+    Pseudo-filenames starting with "rbd:".
+
+Command line, QMP and QGA input are trusted.
+
+Filenames are trusted when they come from command line, QMP or HMP.
+They are untrusted when they come from from image file headers.
+Example: QCOW2 backing file name.  Note that this is *not* the security
+boundary between host and guest.  It's the boundary between host and an
+image file from an untrusted source.
+
+Neither failing an assertion nor skipping a character in a filename of
+your choice looks exploitable.  Note that we don't support compiling
+with NDEBUG.
+
+Fixes: 8bca4613e6cddd948895b8db3def05950463495b
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+Message-Id: <20190102140535.11512-1-cfergeau@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Tested-by: Richard W.M. Jones <rjones@redhat.com>
+[Commit message extended to discuss impact]
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+(cherry picked from commit bbc0586ced6e9ffdfd29d89fcc917b3d90ac3938)
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ qobject/json-parser.c | 10 ++++++----
+ tests/check-qjson.c   |  5 +++++
+ 2 files changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/qobject/json-parser.c b/qobject/json-parser.c
+index 5a840df..53e91cb 100644
+--- a/qobject/json-parser.c
+++ b/qobject/json-parser.c
+@@ -208,11 +208,13 @@ static QString *parse_string(JSONParserContext *ctxt, JSONToken *token)
+             }
+             break;
+         case '%':
+-            if (ctxt->ap && ptr[1] != '%') {
+-                parse_error(ctxt, token, "can't interpolate into string");
+-                goto out;
+            if (ctxt->ap) {
+                if (ptr[1] != '%') {
+                    parse_error(ctxt, token, "can't interpolate into string");
+                    goto out;
+                }
+                ptr++;
+             }
+-            ptr++;
+             /* fall through */
+         default:
+             cp = mod_utf8_codepoint(ptr, 6, &end);
+diff --git a/tests/check-qjson.c b/tests/check-qjson.c
+index d876a7a..fa2afcc 100644
+--- a/tests/check-qjson.c
+++ b/tests/check-qjson.c
+@@ -176,6 +176,11 @@ static void utf8_string(void)
+             "\xCE\xBA\xE1\xBD\xB9\xCF\x83\xCE\xBC\xCE\xB5",
+             "\\u03BA\\u1F79\\u03C3\\u03BC\\u03B5",
+         },
+            /* '%' character when not interpolating */
+        {
+            "100%",
+            "100%",
+        },
+         /* 2  Boundary condition test cases */
+         /* 2.1  First possible sequence of a certain length */
+         /*
+-- 
+1.8.3.1
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -68,7 +68,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 3.1.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -172,6 +172,10 @@ Patch43: kvm-hw-s390x-Fix-bad-mask-in-time2tod.patch
 Patch44: kvm-throttle-groups-fix-restart-coroutine-iothread-race.patch
 # For bz#1655947 - qemu-kvm core dumped after unplug the device which was set io throttling parameters
 Patch45: kvm-iotests-add-238-for-throttling-tgm-unregister-iothre.patch
+# For bz#1644985 - The "fsfreeze-hook" script path shown by command "qemu-ga --help" or "man qemu-ga" is wrong - Fast Train
+Patch46: kvm-Fix-fsfreeze-hook-path-in-the-man-page.patch
+# For bz#1668244 - qemu-img: /var/tmp/v2vovl9951f8.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found
+Patch47: kvm-json-Fix-handling-when-not-interpolating.patch

 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@ -1019,6 +1023,14 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


 %changelog
+* Thu Jan 31 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-11.el8
+- kvm-Fix-fsfreeze-hook-path-in-the-man-page.patch [bz#1644985]
+- kvm-json-Fix-handling-when-not-interpolating.patch [bz#1668244]
+- Resolves: bz#1644985
+  (The "fsfreeze-hook" script path shown by command "qemu-ga --help" or "man qemu-ga" is wrong - Fast Train)
+- Resolves: bz#1668244
+  (qemu-img: /var/tmp/v2vovl9951f8.qcow2: CURL: Error opening file: The requested URL returned error: 404 Not Found)
+
 * Tue Jan 29 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 3.1.0-10.el8
 - kvm-throttle-groups-fix-restart-coroutine-iothread-race.patch [bz#1655947]
 - kvm-iotests-add-238-for-throttling-tgm-unregister-iothre.patch [bz#1655947]