Re: [Qemu-stable] [Qemu-devel] [ANNOUNCE] QEMU 2.3.1 Stable released


From: Sona Sarmadi
Subject: Re: [Qemu-stable] [Qemu-devel] [ANNOUNCE] QEMU 2.3.1 Stable released
Date: Fri, 11 Sep 2015 11:38:25 +0000

Hi Michael,

> I am pleased to announce that the QEMU v2.3.1 stable release is now available
> at:
> 
>   http://wiki.qemu.org/download/qemu-2.3.1.tar.bz2
> 
> v2.3.1 is now tagged in the official qemu.git repository, and the stable-2.3
> branch has been updated accordingly:
> 
>   http://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/heads/stable-2.3
> 
> In addition to the normal array of general bug fixes, this release includes a
> significant number of security fixes/hardening for a broad range of
> subsystems, including rtl8139 NIC emulation, Spice/Cirrus/vmware VGA
> emulation, i8254 PIT emulation, and IDE/SCSI/FDC emulation. See commit/change
> logs for more details.
> 
> Users of QEMU 2.3.0 should upgrade to 2.3.1 or 2.4.0 (which also contains
> above fixes) accordingly.


Some of these security fixes are valid for older branches as well, e.g.
stable-2.1 and stable-2.2 branches? Are you going to update these branches as
well? I have, however, backported some of these in my local branch; should I
upstream them?


Thanks
//Sona

> CHANGELOG:
> 
> dfa83a6: Update version for 2.3.1 release (Michael Roth)
> 35a616e: qemu-char: handle EINTR for TCP character devices (Paolo Bonzini)
> 35c30d3: rtl8139: check TCP Data Offset field (CVE-2015-5165) (Stefan
> Hajnoczi)
> f4c861f: rtl8139: skip offload on short TCP header (CVE-2015-5165) (Stefan
> Hajnoczi)
> b7a197c: rtl8139: check IP Total Length field (CVE-2015-5165) (Stefan
> Hajnoczi)
> 8561109: rtl8139: check IP Header Length field (CVE-2015-5165) (Stefan
> Hajnoczi)
> ce4f451: rtl8139: skip offload on short Ethernet/IP header (CVE-2015-5165)
> (Stefan Hajnoczi)
> 6722c12: rtl8139: drop tautologous if (ip) {...} statement (CVE-2015-5165)
> (Stefan Hajnoczi)
> 8dd45dc: rtl8139: avoid nested ifs in IP header parsing (CVE-2015-5165)
> (Stefan Hajnoczi)
> e750591: tcg/mips: fix add2 (Aurelien Jarno)
> f9c0ae2: tcg/mips: fix TLB loading for BE host with 32-bit guests (Aurelien
> Jarno)
> c8bd74d: Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
> (Stefano Stabellini)
> d155769: ide: Clear DRQ after handling all expected accesses (Kevin Wolf)
> 86d6fe4: ide/atapi: Fix START STOP UNIT command completion (Kevin Wolf)
> 9634e45: ide: Check array bounds before writing to io_buffer (CVE-2015-5154)
> (Kevin Wolf)
> 0dc545e: block: qemu-iotests - add check for multiplication overflow in vpc
> (Jeff Cody)
> 358f0ee: block: vpc - prevent overflow if max_table_entries >= 0x40000000
> (Jeff Cody)
> 961c74a: scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
> (Paolo Bonzini)
> 98fe91e: vfio/pci: Fix bootindex (Alex Williamson)
> 46addaa: virtio-net: unbreak any layout (Jason Wang)
> 5a45687: vfio/pci: Fix RTL8168 NIC quirks (Alex Williamson)
> 87740ce: mips/kvm: Sign extend registers written to KVM (James Hogan)
> 8df2a9a: mips/kvm: Fix Big endian 32-bit register access (James Hogan)
> c5c71e8: block: Initialize local_err in bdrv_append_temp_snapshot (Fam
> Zheng)
> 2060efa: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES (马文霜)
> 8d64975: target-ppc: fix hugepage support when using memory-backend-file
> (Michael Roth)
> 9b4420a: spapr_vty: lookup should only return valid VTY objects (David Gibson)
> 99c3468: s390x/ipl: Fix boot if no bootindex was specified (Christian
> Borntraeger)
> 1c17e8c: block/nfs: limit maximum readahead size to 1MB (Peter Lieven)
> ffd060d: iotests: add QMP event waiting queue (John Snow)
> e4fb4be: iotests: Use event_wait in wait_ready (Fam Zheng)
> edc0a65: qemu-iotests: Add test case for mirror with unmap (Fam Zheng)
> c62f6c8: qemu-iotests: Make block job methods common (Fam Zheng)
> 3d8b7ae: block: Fix dirty bitmap in bdrv_co_discard (Fam Zheng)
> 27ed14c: mirror: Do zero write on target if sectors not allocated (Fam Zheng)
> 6a45a1b: qmp: Add optional bool "unmap" to drive-mirror (Fam Zheng)
> 6cacd26: block: Add bdrv_get_block_status_above (Fam Zheng)
> e8248a5: virtio-ccw: complete handling of guest-initiated resets (Cornelia
> Huck)
> 81cb0a5: vhost: correctly pass error to caller in vhost_dev_enable_notifiers()
> (Jason Wang)
> 6130c46: hw/core: rebase sysbus_get_fw_dev_path() to g_strdup_printf()
> (Laszlo Ersek)
> 49ef542: i8254: fix out-of-bounds memory access in pit_ioport_read() (Petr
> Matousek)
> c270245: spice-display: fix segfault in qemu_spice_create_update (Gerd
> Hoffmann)
> 9272707: sdl2: fix crash in handle_windowevent() when restoring the screen
> size (Alberto Garcia)
> c759f1a: vmdk: Use vmdk_find_index_in_cluster everywhere (Fam Zheng)
> 714b544: vmdk: Fix index_in_cluster calculation in vmdk_co_get_block_status
> (Fam Zheng)
> e7e0838: iotests: qcow2 COW with minimal L2 cache size (Max Reitz)
> c631ee6: qcow2: Set MIN_L2_CACHE_SIZE to 2 (Max Reitz)
> b153c8d: kbd: add brazil kbd keys to x11 evdev map (Gerd Hoffmann)
> f450482: kbd: add brazil kbd keys to qemu (Gerd Hoffmann)
> ae0fa48: qga/commands-posix: Fix bug in guest-fstrim (Justin Ossevoort)
> bb3a1da: hw/acpi/aml-build: Fix memory leak (Shannon Zhao)
> b48a391: qemu-iotests: Test unaligned sub-block zero write (Fam Zheng)
> cc883fe: block: Fix NULL deference for unaligned write if qiov is NULL (Fam
> Zheng)
> 4072585: Revert "block: Fix unaligned zero write" (Michael Roth)
> 959fad0: fdc: force the fifo access to be in bounds of the allocated buffer
> (Petr Matousek)
> a4bb522: target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd (Peter
> Maydell)
> cf6c213: virtio-net: fix the upper bound when trying to delete queues (Jason
> Wang)
> cf32978: usb: fix usb-net segfault (Michal Kazior)
> ad9c167: qcow2: Flush pending discards before allocating cluster (Kevin Wolf)
> d8e231f: vmdk: Fix overflow if l1_size is 0x20000000 (Fam Zheng)
> 53cd79c: vmdk: Fix next_cluster_sector for compressed write (Fam Zheng)
> 3dd15f3: nbd/trivial: fix type cast for ioctl (Bogdan Purcareata)
> 4c59860: Strip brackets from vnc host (Ján Tomko)
> b575af0: block/iscsi: do not forget to logout from target (Peter Lieven)
> d3b5978: bt-sdp: fix broken uuids power-of-2 calculation (Stefan Hajnoczi)

