[Pkg-libvirt-commits] [libvirt] 03/03: Drop patches applied upstream

Guido Guenther agx at moszumanska.debian.org
Fri Jan 19 17:40:39 UTC 2018



agx pushed a commit to branch debian/sid
in repository libvirt.

commit bcb7ca360a7c0b86efbaef6a7c6cc9a0c6dd5ab7
Author: Guido Günther <agx at sigxcpu.org>
Date:   Fri Jan 19 18:18:33 2018 +0100

    Drop patches applied upstream
    
      Allow-libvirt-to-kill-unconfined-domains.patch
      qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
---
 .../Allow-libvirt-to-kill-unconfined-domains.patch | 26 ------------
 .../debian/apparmor_profiles_local_include.patch   |  4 +-
 ...l-of-service-reading-from-QEMU-monitor-CV.patch | 49 ----------------------
 debian/patches/series                              |  2 -
 4 files changed, 2 insertions(+), 79 deletions(-)

diff --git a/debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch b/debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch
deleted file mode 100644
index 6af677c..0000000
--- a/debian/patches/Allow-libvirt-to-kill-unconfined-domains.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: intrigeri <intrigeri+libvirt at boum.org>
-Date: Mon, 15 Jan 2018 09:29:47 +0100
-Subject: Allow libvirt to kill unconfined domains
-
-On startup libvirtd runs a number of QEMU processes unconfined such as:
-
-  /usr/bin/qemu-system-x86_64 -S -no-user-config -nodefaults -nographic -machine none,accel=kvm:tcg -qmp unix:/var/lib/libvirt/qemu/capabilities.monitor.sock,server,nowait -pidfile /var/lib/libvirt/qemu/capabilities.pidfile -daemonize
-
-libvirtd needs to be allowed to kill these processes, otherwise they
-remain running.
----
- examples/apparmor/usr.sbin.libvirtd | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
-index bd7796c..4d220c2 100644
---- a/examples/apparmor/usr.sbin.libvirtd
-+++ b/examples/apparmor/usr.sbin.libvirtd
-@@ -63,6 +63,7 @@
- 
-   signal (send) peer=/usr/sbin/dnsmasq,
-   signal (read, send) peer=libvirt-*,
-+  signal (send) set=("kill") peer=unconfined,
- 
-   # Very lenient profile for libvirtd since we want to first focus on confining
-   # the guests. Guests will have a very restricted profile.
diff --git a/debian/patches/debian/apparmor_profiles_local_include.patch b/debian/patches/debian/apparmor_profiles_local_include.patch
index f6f98e4..dd575d3 100644
--- a/debian/patches/debian/apparmor_profiles_local_include.patch
+++ b/debian/patches/debian/apparmor_profiles_local_include.patch
@@ -20,10 +20,10 @@ index 6869685..f806e3c 100644
    #include <local/usr.lib.libvirt.virt-aa-helper>
  }
 diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
-index a1083b0..bd7796c 100644
+index 0ddec3f..4d220c2 100644
 --- a/examples/apparmor/usr.sbin.libvirtd
 +++ b/examples/apparmor/usr.sbin.libvirtd
-@@ -117,4 +117,7 @@
+@@ -118,4 +118,7 @@
  
     /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
    }
diff --git a/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch b/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
deleted file mode 100644
index 0fefb3e..0000000
--- a/debian/patches/qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: "Daniel P. Berrange" <berrange at redhat.com>
-Date: Tue, 16 Jan 2018 17:00:11 +0000
-Subject: qemu: avoid denial of service reading from QEMU monitor
- (CVE-2018-5748)
-
-We read from QEMU until seeing a \r\n pair to indicate a completed reply
-or event. To avoid memory denial-of-service though, we must have a size
-limit on amount of data we buffer. 10 MB is large enough that it ought
-to cope with normal QEMU replies, and small enough that we're not
-consuming unreasonable mem.
-
-Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
----
- src/qemu/qemu_monitor.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/qemu/qemu_monitor.c b/src/qemu/qemu_monitor.c
-index 046caf0..85c7d68 100644
---- a/src/qemu/qemu_monitor.c
-+++ b/src/qemu/qemu_monitor.c
-@@ -55,6 +55,15 @@ VIR_LOG_INIT("qemu.qemu_monitor");
- #define DEBUG_IO 0
- #define DEBUG_RAW_IO 0
- 
-+/* We read from QEMU until seeing a \r\n pair to indicate a
-+ * completed reply or event. To avoid memory denial-of-service
-+ * though, we must have a size limit on amount of data we
-+ * buffer. 10 MB is large enough that it ought to cope with
-+ * normal QEMU replies, and small enough that we're not
-+ * consuming unreasonable mem.
-+ */
-+#define QEMU_MONITOR_MAX_RESPONSE (10 * 1024 * 1024)
-+
- struct _qemuMonitor {
-     virObjectLockable parent;
- 
-@@ -575,6 +584,12 @@ qemuMonitorIORead(qemuMonitorPtr mon)
-     int ret = 0;
- 
-     if (avail < 1024) {
-+        if (mon->bufferLength >= QEMU_MONITOR_MAX_RESPONSE) {
-+            virReportSystemError(ERANGE,
-+                                 _("No complete monitor response found in %d bytes"),
-+                                 QEMU_MONITOR_MAX_RESPONSE);
-+            return -1;
-+        }
-         if (VIR_REALLOC_N(mon->buffer,
-                           mon->bufferLength + 1024) < 0)
-             return -1;
diff --git a/debian/patches/series b/debian/patches/series
index 29cd189..e3c8210 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,6 +17,4 @@ debian/apparmor_profiles_local_include.patch
 Set-defaults-for-zfs-tools.patch
 Pass-GPG_TTY-env-var-to-the-ssh-binary.patch
 apparmor-Allow-virt-aa-helper-to-access-the-name-service-.patch
-Allow-libvirt-to-kill-unconfined-domains.patch
 apparmor-allow-libvirt-to-send-term-signal-to-unconfined.patch
-qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
