nixpkgs-suyu/pkgs/applications/virtualization/qemu/default.nix

{ stdenv, fetchurl, fetchpatch, python2, zlib, pkgconfig, glib
, ncurses, perl, pixman, vde2, alsaLib, texinfo, flex
, bison, lzo, snappy, libaio, gnutls, nettle, curl
, makeWrapper
, attr, libcap, libcap_ng
, CoreServices, Cocoa, rez, setfile
, numaSupport ? stdenv.isLinux, numactl
, seccompSupport ? stdenv.isLinux, libseccomp
, pulseSupport ? !stdenv.isDarwin, libpulseaudio
, sdlSupport ? !stdenv.isDarwin, SDL
, vncSupport ? true, libjpeg, libpng
, spiceSupport ? !stdenv.isDarwin, spice, spice_protocol
, usbredirSupport ? spiceSupport, usbredir
, xenSupport ? false, xen
, x86Only ? false
, nixosTestRunner ? false
}:

with stdenv.lib;
let
  version = "2.8.1";
  audio = optionalString (hasSuffix "linux" stdenv.system) "alsa,"
    + optionalString pulseSupport "pa,"
    + optionalString sdlSupport "sdl,";
in

stdenv.mkDerivation rec {
  name = "qemu-"
    + stdenv.lib.optionalString xenSupport "xen-"
    + stdenv.lib.optionalString x86Only "x86-only-"
    + stdenv.lib.optionalString nixosTestRunner "for-vm-tests-"
    + version;

  src = fetchurl {
    url = "http://wiki.qemu.org/download/qemu-${version}.tar.bz2";
    sha256 = "1kdv8aa800rbsz9qnm4saw79vr052p83by21ryah68ics9z4r3h1";
  };

  buildInputs =
    [ python2 zlib pkgconfig glib ncurses perl pixman
      vde2 texinfo flex bison makeWrapper lzo snappy
      gnutls nettle curl
    ]
    ++ optionals stdenv.isDarwin [ CoreServices Cocoa rez setfile ]
    ++ optionals seccompSupport [ libseccomp ]
    ++ optionals numaSupport [ numactl ]
    ++ optionals pulseSupport [ libpulseaudio ]
    ++ optionals sdlSupport [ SDL ]
    ++ optionals vncSupport [ libjpeg libpng ]
    ++ optionals spiceSupport [ spice_protocol spice ]
    ++ optionals usbredirSupport [ usbredir ]
    ++ optionals stdenv.isLinux [ alsaLib libaio libcap_ng libcap attr ]
    ++ optionals xenSupport [ xen ];

  enableParallelBuilding = true;

  patches = let
    upstreamPatch = name: commit: sha256: fetchurl {
      name = "${name}.patch";
      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=${commit}";
      inherit sha256;
    };
  in [
    ./no-etc-install.patch

    # bugfixes
    # xhci: fix event queue IRQ handling
    (upstreamPatch "qemu-fix-win7-xhci" "7da76e12cc5cc902dda4c168d8d608fd4e61cbc5"
      "0m1ggbxziy7vqz9007ypzg23cni8cc4db36wlnhxz0kdpq70c6x0")

    # xhci: only free completed transfers
    (upstreamPatch "qemu-xhci-free-completed-transfers" "f94d18d6c6df388fde196d3ab252f57e33843a8b"
      "0lk19qss6ky7cqnvis54742cr2z0vl8c64chhch0kp6n83hray9x")

    # security fixes from upstream
    # net: imx: limit buffer descriptor count
    (upstreamPatch "CVE-2016-7907" "81f17e0d435c3db3a3e67e0d32ebf9c98973211f"
      "0dzghbm3jmnyw34kd40a6akrr1cpizd9hdzqmhlc2ljab7pr1rcb")

    # watchdog: 6300esb: add exit function
    (upstreamPatch "CVE-2016-10155" "eb7a20a3616085d46aa6b4b4224e15587ec67e6e"
      "1xk00fyls0hdza11dyfrnzcn6gibmmcrwy7sxgp6iizp6wgzi3vw")

    # audio: ac97: add exit function
    (upstreamPatch "CVE-2017-5525" "12351a91da97b414eec8cdb09f1d9f41e535a401"
      "190b4aqr35p4lb3rjarknfi1ip1c9zizliqp1dd6frx4364y5yp2")

    # audio: es1370: add exit function
    (upstreamPatch "CVE-2017-5526" "069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da"
      "05xgzd3zldk3x2vqpjag9z5ilhdkpkyh633fb5kvnz8scns6v86f")

    # serial: fix memory leak in serial exit
    (upstreamPatch "CVE-2017-5579" "8409dc884a201bf74b30a9d232b6bbdd00cb7e2b"
      "0lbcyhif1kdcy8my0bv8aqr2f421kmljcch3plrjzj9pgcm4sv83")

    # megasas: fix guest-triggered memory leak
    (upstreamPatch "CVE-2017-5856" "765a707000e838c30b18d712fe6cb3dd8e0435f3"
      "03pjkn8l8rp9ip5h5rm1dp0nrwd43nmgpwamz4z1vy3rli1z3yjw")

    # virtio-gpu: fix resource leak in virgl_cmd_resource_unref
    (upstreamPatch "CVE-2017-5857" "5e8e3c4c75c199aa1017db816fca02be2a9f8798"
      "1kz14rmxf049zl5m27apzpbvy8dk0g47n9gnwy0nm70g65rl1dh8")

    # usb: ccid: check ccid apdu length
    (upstreamPatch "CVE-2017-5898" "c7dfbf322595ded4e70b626bf83158a9f3807c6a"
      "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn")

    # xhci: apply limits to loops
    (upstreamPatch "CVE-2017-5973" "f89b60f6e5fee3923bedf80e82b4e5efc1bb156b"
      "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6")

    # sd: sdhci: check transfer mode register in multi block transfer
    (upstreamPatch "CVE-2017-5987" "6e86d90352adf6cb08295255220295cf23c4286e"
      "09yfxf93cisx8rhm0h48ib1ibwfs420k5pqpz8dnz33nci9567jm")

  ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;

  hardeningDisable = [ "stackprotector" ];

  configureFlags =
    [ "--smbd=smbd" # use `smbd' from $PATH
      "--audio-drv-list=${audio}"
      "--sysconfdir=/etc"
      "--localstatedir=/var"
    ]
    ++ optional numaSupport "--enable-numa"
    ++ optional seccompSupport "--enable-seccomp"
    ++ optional spiceSupport "--enable-spice"
    ++ optional usbredirSupport "--enable-usb-redir"
    ++ optional x86Only "--target-list=i386-softmmu,x86_64-softmmu"
    ++ optional stdenv.isDarwin "--enable-cocoa"
    ++ optional stdenv.isLinux "--enable-linux-aio"
    ++ optional xenSupport "--enable-xen";

  postFixup =
    ''
      for exe in $out/bin/qemu-system-* ; do
        paxmark m $exe
      done
    '';

  postInstall =
    ''
      # Add a ‘qemu-kvm’ wrapper for compatibility/convenience.
      p="$out/bin/qemu-system-${if stdenv.system == "x86_64-linux" then "x86_64" else "i386"}"
      if [ -e "$p" ]; then
        makeWrapper "$p" $out/bin/qemu-kvm --add-flags "\$([ -e /dev/kvm ] && echo -enable-kvm)"
      fi
    '';

  meta = with stdenv.lib; {
    homepage = http://www.qemu.org/;
    description = "A generic and open source machine emulator and virtualizer";
    license = licenses.gpl2Plus;
    maintainers = with maintainers; [ viric eelco ];
    platforms = platforms.linux ++ platforms.darwin;
  };
}
-												qemu: use python2

											
										
										
											2016-11-14 16:35:11 +01:00
+								{ stdenv, fetchurl, fetchpatch, python2, zlib, pkgconfig, glib
-												qemu: 2.7 -> 2.8, drop 2.7

											
										
										
											2017-01-25 15:33:23 +01:00
+								, ncurses, perl, pixman, vde2, alsaLib, texinfo, flex
-												qemu: add curl to buildInputs

Enables support for accessing files over HTTP:

  qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly

Increases the closures size from 445 to 447 MiB.

											
										
										
											2016-11-23 13:01:32 +01:00
+								, bison, lzo, snappy, libaio, gnutls, nettle, curl
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								, makeWrapper
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								, attr, libcap, libcap_ng
 								, CoreServices, Cocoa, rez, setfile
 								, numaSupport ? stdenv.isLinux, numactl
 								, seccompSupport ? stdenv.isLinux, libseccomp
 								, pulseSupport ? !stdenv.isDarwin, libpulseaudio
 								, sdlSupport ? !stdenv.isDarwin, SDL
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								, vncSupport ? true, libjpeg, libpng
-												qemu: separate usbredirSupport option out of spiceSupport option

											
										
										
											2016-09-05 20:37:03 +02:00
+								, spiceSupport ? !stdenv.isDarwin, spice, spice_protocol
 								, usbredirSupport ? spiceSupport, usbredir
-												qemu: add xen support

											
										
										
											2016-11-02 17:06:48 +01:00
+								, xenSupport ? false, xen
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								, x86Only ? false
-												nixos/tests: Use a patched QEMU for testing

The reason to patch QEMU is that with latest Nix, tests like "printing"
or "misc" fail because they expect the store paths to be owned by uid 0
and gid 0.

Starting with NixOS/nix@5e51ffb1c265e16486fcdd888ce4a04db9e5552b, Nix
builds inside of a new user namespace. Unfortunately this also means
that bind-mounted store paths that are part of the derivation's inputs
are no longer owned by uid 0 and gid 0 but by uid 65534 and gid 65534.

This in turn causes things like sudo or cups to fail with errors about
insecure file permissions.

So in order to avoid that, let's make sure the VM always gets files
owned by uid 0 and gid 0 and does a no-op when doing a chmod on a store
path.

In addition, this adds a virtualisation.qemu.program option so that we
can make sure that we only use the patched version if we're *really*
running NixOS VM tests (that is, whenever we have imported
test-instrumentation.nix).

Tested against the "misc" and "printing" tests.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2016-11-17 17:06:17 +01:00
+								, nixosTestRunner ? false
-												qemu: Merge stuff from qemu-kvm

											
										
										
											2013-07-04 17:44:44 +02:00
+								}:
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
-												qemu: 2.0.0 -> 2.2.0

Additionally, add support for more external features as well as more
sound system types.

											
										
										
											2014-08-28 20:21:23 +02:00
+								with stdenv.lib;
 								let
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								  version = "2.8.1";
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								  audio = optionalString (hasSuffix "linux" stdenv.system) "alsa,"
 								    + optionalString pulseSupport "pa,"
 								    + optionalString sdlSupport "sdl,";
-												qemu: 2.0.0 -> 2.2.0

Additionally, add support for more external features as well as more
sound system types.

											
										
										
											2014-08-28 20:21:23 +02:00
+								in
-												qemu-kvm: Disambiguate

											
										
										
											2013-07-31 14:50:42 +02:00
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
+								stdenv.mkDerivation rec {
-												qemu: 2.7 -> 2.8, drop 2.7

											
										
										
											2017-01-25 15:33:23 +01:00
+								  name = "qemu-"
-												qemu: add xen support

											
										
										
											2016-11-02 17:06:48 +01:00
+								    + stdenv.lib.optionalString xenSupport "xen-"
-												qemu-kvm: Mark the version for tests

(cherry picked from commit d58a4ec1ba77e390c53c09ba6198b78f8568d495)

											
										
										
											2016-12-15 13:40:33 +01:00
+								    + stdenv.lib.optionalString x86Only "x86-only-"
 								    + stdenv.lib.optionalString nixosTestRunner "for-vm-tests-"
 								    + version;
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
 								  src = fetchurl {
-												qemu: qemu-2.4.0-x86-only -> qemu-x86-only-2.4.0

											
										
										
											2015-09-17 12:44:17 +02:00
+								    url = "http://wiki.qemu.org/download/qemu-${version}.tar.bz2";
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    sha256 = "1kdv8aa800rbsz9qnm4saw79vr052p83by21ryah68ics9z4r3h1";
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
+								  };
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								  buildInputs =
-												qemu: use python2

											
										
										
											2016-11-14 16:35:11 +01:00
+								    [ python2 zlib pkgconfig glib ncurses perl pixman
-												qemu: 2.7 -> 2.8, drop 2.7

											
										
										
											2017-01-25 15:33:23 +01:00
+								      vde2 texinfo flex bison makeWrapper lzo snappy
-												qemu: add curl to buildInputs

Enables support for accessing files over HTTP:

  qemu-system-x86_64 -drive media=cdrom,file=http://host/path.iso,readonly

Increases the closures size from 445 to 447 MiB.

											
										
										
											2016-11-23 13:01:32 +01:00
+								      gnutls nettle curl
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								    ]
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								    ++ optionals stdenv.isDarwin [ CoreServices Cocoa rez setfile ]
 								    ++ optionals seccompSupport [ libseccomp ]
 								    ++ optionals numaSupport [ numactl ]
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								    ++ optionals pulseSupport [ libpulseaudio ]
 								    ++ optionals sdlSupport [ SDL ]
 								    ++ optionals vncSupport [ libjpeg libpng ]
-												qemu: separate usbredirSupport option out of spiceSupport option

											
										
										
											2016-09-05 20:37:03 +02:00
+								    ++ optionals spiceSupport [ spice_protocol spice ]
 								    ++ optionals usbredirSupport [ usbredir ]
-												qemu: add xen support

											
										
										
											2016-11-02 17:06:48 +01:00
+								    ++ optionals stdenv.isLinux [ alsaLib libaio libcap_ng libcap attr ]
 								    ++ optionals xenSupport [ xen ];
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
 								  enableParallelBuilding = true;
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								  patches = let
 								    upstreamPatch = name: commit: sha256: fetchurl {
 								      name = "${name}.patch";
 								      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=${commit}";
 								      inherit sha256;
 								    };
 								  in [
-												qemu: patch security issues in 9pfs

CVE-2016-7116, others have no ID assigned, yet.
Fixes from 2.7 tree.

											
										
										
											2016-08-31 13:25:47 +02:00
+								    ./no-etc-install.patch
-												qemu: apply patches for multiple CVEs

Fixes:

  * CVE-2017-2615
  * CVE-2017-5667
  * CVE-2017-5898
  * CVE-2017-5931
  * CVE-2017-5973

We are vulnerable to even more CVEs but those are either not severe like
memory leaks in obscure situations or upstream hasn't acknowledged the
patch yet.

cc #23072

											
										
										
											2017-02-22 09:06:49 +01:00
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    # bugfixes
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # xhci: fix event queue IRQ handling
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "qemu-fix-win7-xhci" "7da76e12cc5cc902dda4c168d8d608fd4e61cbc5"
 								      "0m1ggbxziy7vqz9007ypzg23cni8cc4db36wlnhxz0kdpq70c6x0")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # xhci: only free completed transfers
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "qemu-xhci-free-completed-transfers" "f94d18d6c6df388fde196d3ab252f57e33843a8b"
 								      "0lk19qss6ky7cqnvis54742cr2z0vl8c64chhch0kp6n83hray9x")
 								    # security fixes from upstream
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # net: imx: limit buffer descriptor count
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2016-7907" "81f17e0d435c3db3a3e67e0d32ebf9c98973211f"
 								      "0dzghbm3jmnyw34kd40a6akrr1cpizd9hdzqmhlc2ljab7pr1rcb")
-												qemu: apply patches for multiple CVEs

Fixes:

  * CVE-2017-2615
  * CVE-2017-5667
  * CVE-2017-5898
  * CVE-2017-5931
  * CVE-2017-5973

We are vulnerable to even more CVEs but those are either not severe like
memory leaks in obscure situations or upstream hasn't acknowledged the
patch yet.

cc #23072

											
										
										
											2017-02-22 09:06:49 +01:00
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # watchdog: 6300esb: add exit function
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2016-10155" "eb7a20a3616085d46aa6b4b4224e15587ec67e6e"
 								      "1xk00fyls0hdza11dyfrnzcn6gibmmcrwy7sxgp6iizp6wgzi3vw")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # audio: ac97: add exit function
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5525" "12351a91da97b414eec8cdb09f1d9f41e535a401"
 								      "190b4aqr35p4lb3rjarknfi1ip1c9zizliqp1dd6frx4364y5yp2")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # audio: es1370: add exit function
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5526" "069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da"
 								      "05xgzd3zldk3x2vqpjag9z5ilhdkpkyh633fb5kvnz8scns6v86f")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # serial: fix memory leak in serial exit
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5579" "8409dc884a201bf74b30a9d232b6bbdd00cb7e2b"
 								      "0lbcyhif1kdcy8my0bv8aqr2f421kmljcch3plrjzj9pgcm4sv83")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # megasas: fix guest-triggered memory leak
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5856" "765a707000e838c30b18d712fe6cb3dd8e0435f3"
 								      "03pjkn8l8rp9ip5h5rm1dp0nrwd43nmgpwamz4z1vy3rli1z3yjw")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # virtio-gpu: fix resource leak in virgl_cmd_resource_unref
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5857" "5e8e3c4c75c199aa1017db816fca02be2a9f8798"
 								      "1kz14rmxf049zl5m27apzpbvy8dk0g47n9gnwy0nm70g65rl1dh8")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # usb: ccid: check ccid apdu length
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5898" "c7dfbf322595ded4e70b626bf83158a9f3807c6a"
 								      "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # xhci: apply limits to loops
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5973" "f89b60f6e5fee3923bedf80e82b4e5efc1bb156b"
 								      "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6")
-												qemu: 2.8.0 -> 2.8.1

											
										
										
											2017-04-02 02:18:52 +02:00
+								    # sd: sdhci: check transfer mode register in multi block transfer
-												qemu: add patches for multiple CVEs

New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:

  * CVE-2016-7907
  * CVE-2016-9602
  * CVE-2016-10155
  * CVE-2017-2620
  * CVE-2017-2630
  * CVE-2017-5525
  * CVE-2017-5526
  * CVE-2017-5579
  * CVE-2017-5856
  * CVE-2017-5857
  * CVE-2017-5987
  * CVE-2017-6058

											
										
										
											2017-03-11 08:04:43 +01:00
+								    (upstreamPatch "CVE-2017-5987" "6e86d90352adf6cb08295255220295cf23c4286e"
 								      "09yfxf93cisx8rhm0h48ib1ibwfs420k5pqpz8dnz33nci9567jm")
-												qemu: apply patches for multiple CVEs

Fixes:

  * CVE-2017-2615
  * CVE-2017-5667
  * CVE-2017-5898
  * CVE-2017-5931
  * CVE-2017-5973

We are vulnerable to even more CVEs but those are either not severe like
memory leaks in obscure situations or upstream hasn't acknowledged the
patch yet.

cc #23072

											
										
										
											2017-02-22 09:06:49 +01:00
-												qemu_test: Rebase force-uid0-on-9p.patch

This reverts commit 3a4e2376e444fd7664102af00a34c65b47e271ec.

The reverted commit caused the fix for CVE-2016-9602 not to be applied
for qemu_test because it conflicts with the force-uid0-on-9p.patch.

So with the rebase of the patch on top of the changes of the
CVE-2016-9602.patch, both patches no longer conflict with each other.

I've tested this with the "misc" NixOS test and it succeeds.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

											
										
										
											2017-03-11 14:59:26 +01:00
+								  ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
-												qemu: apply patches for multiple CVEs

Fixes:

  * CVE-2017-2615
  * CVE-2017-5667
  * CVE-2017-5898
  * CVE-2017-5931
  * CVE-2017-5973

We are vulnerable to even more CVEs but those are either not severe like
memory leaks in obscure situations or upstream hasn't acknowledged the
patch yet.

cc #23072

											
										
										
											2017-02-22 09:06:49 +01:00
-												qemu: 2.6.1 -> 2.7.0

											
										
										
											2016-09-25 21:40:47 +02:00
+								  hardeningDisable = [ "stackprotector" ];
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
 								  configureFlags =
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								    [ "--smbd=smbd" # use `smbd' from $PATH
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								      "--audio-drv-list=${audio}"
 								      "--sysconfdir=/etc"
 								      "--localstatedir=/var"
 								    ]
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								    ++ optional numaSupport "--enable-numa"
 								    ++ optional seccompSupport "--enable-seccomp"
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								    ++ optional spiceSupport "--enable-spice"
-												qemu: separate usbredirSupport option out of spiceSupport option

											
										
										
											2016-09-05 20:37:03 +02:00
+								    ++ optional usbredirSupport "--enable-usb-redir"
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								    ++ optional x86Only "--target-list=i386-softmmu,x86_64-softmmu"
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								    ++ optional stdenv.isDarwin "--enable-cocoa"
-												qemu: add xen support

											
										
										
											2016-11-02 17:06:48 +01:00
+								    ++ optional stdenv.isLinux "--enable-linux-aio"
 								    ++ optional xenSupport "--enable-xen";
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
-												qemu: apply PaX markings

											
										
										
											2016-04-08 01:45:53 +02:00
+								  postFixup =
 								    ''
 								      for exe in $out/bin/qemu-system-* ; do
 								        paxmark m $exe
 								      done
 								    '';
-												Revert "qemu: 2.2.2 -> 2.3.0"

This reverts commit 19c259161b987fcb5e1c3b7a87c746372ce017ee.

											
										
										
											2015-06-01 20:55:53 +02:00
+								  postInstall =
 								    ''
 								      # Add a ‘qemu-kvm’ wrapper for compatibility/convenience.
 								      p="$out/bin/qemu-system-${if stdenv.system == "x86_64-linux" then "x86_64" else "i386"}"
 								      if [ -e "$p" ]; then
 								        makeWrapper "$p" $out/bin/qemu-kvm --add-flags "\$([ -e /dev/kvm ] && echo -enable-kvm)"
 								      fi
 								    '';
-												qemu-kvm: Remove

But install a qemu-kvm wrapper in qemu.

											
										
										
											2013-07-31 14:31:04 +02:00
-												qemu: Update 1.5.2 -> 1.7.0

											
										
										
											2014-02-20 21:02:55 +01:00
+								  meta = with stdenv.lib; {
-												qemu: Update to 1.5.1

											
										
										
											2013-07-04 16:52:43 +02:00
+								    homepage = http://www.qemu.org/;
 								    description = "A generic and open source machine emulator and virtualizer";
-												qemu: Update 1.5.2 -> 1.7.0

											
										
										
											2014-02-20 21:02:55 +01:00
+								    license = licenses.gpl2Plus;
-												Unmaintain a bunch of packages

											
										
										
											2015-07-01 14:11:05 +02:00
+								    maintainers = with maintainers; [ viric eelco ];
-												qemu: compile with cocoa for darwin support

This uses the --enable-cocoa flag in qemu to build in Darwin.

											
										
										
											2016-02-29 01:22:06 +01:00
+								    platforms = platforms.linux ++ platforms.darwin;
-												qemu-1.3.1

Also, old qemu is unreferenced in nixos and nixpkgs tree, so remove it absent explicit need.

											
										
										
											2013-02-08 02:44:02 +01:00
+								  };
 								}