Accepting request 721319 from Virtualization

OBS-URL: https://build.opensuse.org/request/show/721319
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/qemu?expand=0&rev=159

0043-target-i386-define-md-clear-bit.patch

@@ -1,21 +1,21 @@
 From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 1 Mar 2019 21:40:52 +0100
+Date: Wed, 15 May 2019 15:10:10 +0100
 Subject: target/i386: define md-clear bit
 
 md-clear is a new CPUID bit which is set when microcode provides the
 mechanism to invoke a flush of various exploitable CPU buffers by invoking
-the VERW instruction.  Add the new feature, and pass it down to
-Hypervisor.framework guests.
+the VERW instruction.
 
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20190515141011.5315-2-berrange@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0)
 [BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
 CVE-2019-11091]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---
- target/i386/cpu.c           | 2 +-
- target/i386/cpu.h           | 1 +
- target/i386/hvf/x86_cpuid.c | 3 ++-
- 3 files changed, 4 insertions(+), 2 deletions(-)
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/target/i386/cpu.c b/target/i386/cpu.c
 index d6bb57d210..4ea78a4939 100644
@@ -30,29 +30,3 @@ index d6bb57d210..4ea78a4939 100644
              NULL, NULL, NULL, NULL,
              NULL, NULL, NULL, NULL,
              NULL, NULL, NULL, NULL,
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 572290c3d6..d3bd0943ec 100644
---- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
- 
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_MD_CLEAR      (1U << 10) /* Microarchitectural Data Clear */
- #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
- #define CPUID_7_0_EDX_SPEC_CTRL_SSBD  (1U << 31) /* Speculative Store Bypass Disable */
-diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
-index 4d957fe896..b453552fb4 100644
---- a/target/i386/hvf/x86_cpuid.c
-+++ b/target/i386/hvf/x86_cpuid.c
-@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
-             }
- 
-             ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
--            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
-+            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
-+                   CPUID_7_0_EDX_MD_CLEAR;
-         } else {
-             ebx = 0;
-             ecx = 0;

0049-qxl-check-release-info-object.patch

@@ -0,0 +1,33 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+[LY: BSC#1135902 CVE-2019-12155]
+Signed-off-by: Liang Yan <lyan@suse.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 5c38e6e906..3880a7410b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -768,6 +768,9 @@ static void interface_release_resource(QXLInstance *sin,
+     uint32_t prod;
+     uint64_t id;
+ 
++    if (!ext.info) {
++        return;
++    }
+     if (ext.group_id == MEMSLOT_GROUP_HOST) {
+         /* host group -> vga mode update request */
+         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);

0050-qemu-bridge-helper-restrict-interfa.patch

@@ -0,0 +1,48 @@
+From: Liang Yan <lyan@suse.com>
+Date: Thu, 25 Jul 2019 13:28:26 -0400
+Subject: qemu-bridge-helper: restrict interface name
+
+The interface names in qemu-bridge-helper are defined to be
+of size IFNAMSIZ(=16), including the terminating null('\0') byte.
+The same is applied to interface names read from 'bridge.conf'
+file to form ACLs rules. If user supplied '--br=bridge' name
+is not restricted to the same length, it could lead to ACL bypass
+issue. Restrict bridge name to IFNAMSIZ, including null byte.
+
+Reported-by: Riccardo Schirone <rschiron@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+[LY: BSC#1140402 CVE-2019-13164]
+Signed-off-by: Liang Yan <lyan@suse.com>
+---
+ qemu-bridge-helper.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
+index cafe2bf27b..8ae6104ec4 100644
+--- a/qemu-bridge-helper.c
++++ b/qemu-bridge-helper.c
+@@ -109,6 +109,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
+         }
+         *argend = 0;
+ 
++        if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
++            fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
++            fclose(f);
++            errno = EINVAL;
++            return -1;
++        }
++
+         if (strcmp(cmd, "deny") == 0) {
+             acl_rule = calloc(1, sizeof(*acl_rule));
+             if (!acl_rule) {
+@@ -264,6 +271,10 @@ int main(int argc, char **argv)
+             return EXIT_FAILURE;
+         }
+     }
++    if (strlen(bridge) >= IFNAMSIZ) {
++        fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
++        return EXIT_FAILURE;
++    }
+ 
+     if (bridge == NULL || unixfd == -1) {
+         usage();

0051-linux-user-fix-to-handle-variably-s.patch

@@ -0,0 +1,334 @@
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 18 Jul 2019 15:06:41 +0200
+Subject: linux-user: fix to handle variably sized SIOCGSTAMP with new kernels
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The SIOCGSTAMP symbol was previously defined in the
+asm-generic/sockios.h header file. QEMU sees that header
+indirectly via sys/socket.h
+
+In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115
+the asm-generic/sockios.h header no longer defines SIOCGSTAMP.
+Instead it provides only SIOCGSTAMP_OLD, which only uses a
+32-bit time_t on 32-bit architectures.
+
+The linux/sockios.h header then defines SIOCGSTAMP using
+either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If
+SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even
+on 32-bit architectures
+
+To cope with this we must now convert the old and new type from
+the target to the host one.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Message-Id: <20190718130641.15294-1-laurent@vivier.eu>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+(cherry picked from commit 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2)
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ linux-user/ioctls.h        |  21 +++++-
+ linux-user/syscall.c       | 140 +++++++++++++++++++++++++++++--------
+ linux-user/syscall_defs.h  |  31 +++++++-
+ linux-user/syscall_types.h |   6 --
+ 4 files changed, 160 insertions(+), 38 deletions(-)
+
+diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h
+index ae8951625f..e6a27ad9d6 100644
+--- a/linux-user/ioctls.h
++++ b/linux-user/ioctls.h
+@@ -219,8 +219,25 @@
+   IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq)))
+   IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq)))
+   IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */
+-  IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval)))
+-  IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec)))
++
++  /*
++   * We can't use IOCTL_SPECIAL() because it will set
++   * host_cmd to XXX_OLD and XXX_NEW and these macros
++   * are not defined with kernel prior to 5.2.
++   * We must set host_cmd to the same value as in target_cmd
++   * otherwise the consistency check in syscall_init()
++   * will trigger an error.
++   * host_cmd is ignored by the do_ioctl_XXX() helpers.
++   * FIXME: create a macro to define this kind of entry
++   */
++  { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD,
++    "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP },
++  { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD,
++    "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS },
++  { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW,
++    "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP },
++  { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW,
++    "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS },
+ 
+   IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT))
+   IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT))
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index ed1c76e304..4e94bf6ecf 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -37,6 +37,7 @@
+ #include <sched.h>
+ #include <sys/timex.h>
+ #include <sys/socket.h>
++#include <linux/sockios.h>
+ #include <sys/un.h>
+ #include <sys/uio.h>
+ #include <poll.h>
+@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv,
+ {
+     struct target_timeval *target_tv;
+ 
+-    if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1))
++    if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) {
+         return -TARGET_EFAULT;
++    }
+ 
+     __get_user(tv->tv_sec, &target_tv->tv_sec);
+     __get_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
+ {
+     struct target_timeval *target_tv;
+ 
+-    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0))
++    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
++        return -TARGET_EFAULT;
++    }
++
++    __put_user(tv->tv_sec, &target_tv->tv_sec);
++    __put_user(tv->tv_usec, &target_tv->tv_usec);
++
++    unlock_user_struct(target_tv, target_tv_addr, 1);
++
++    return 0;
++}
++
++static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr,
++                                             const struct timeval *tv)
++{
++    struct target__kernel_sock_timeval *target_tv;
++
++    if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) {
+         return -TARGET_EFAULT;
++    }
+ 
+     __put_user(tv->tv_sec, &target_tv->tv_sec);
+     __put_user(tv->tv_usec, &target_tv->tv_usec);
+@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr,
+     return 0;
+ }
+ 
++static inline abi_long target_to_host_timespec(struct timespec *host_ts,
++                                               abi_ulong target_addr)
++{
++    struct target_timespec *target_ts;
++
++    if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) {
++        return -TARGET_EFAULT;
++    }
++    __get_user(host_ts->tv_sec, &target_ts->tv_sec);
++    __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++    unlock_user_struct(target_ts, target_addr, 0);
++    return 0;
++}
++
++static inline abi_long host_to_target_timespec(abi_ulong target_addr,
++                                               struct timespec *host_ts)
++{
++    struct target_timespec *target_ts;
++
++    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++        return -TARGET_EFAULT;
++    }
++    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++    unlock_user_struct(target_ts, target_addr, 1);
++    return 0;
++}
++
++static inline abi_long host_to_target_timespec64(abi_ulong target_addr,
++                                                 struct timespec *host_ts)
++{
++    struct target__kernel_timespec *target_ts;
++
++    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) {
++        return -TARGET_EFAULT;
++    }
++    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
++    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
++    unlock_user_struct(target_ts, target_addr, 1);
++    return 0;
++}
++
+ static inline abi_long copy_from_user_timezone(struct timezone *tz,
+                                                abi_ulong target_tz_addr)
+ {
+@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp,
+     return get_errno(safe_ioctl(fd, ie->host_cmd, sig));
+ }
+ 
++static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp,
++                                    int fd, int cmd, abi_long arg)
++{
++    struct timeval tv;
++    abi_long ret;
++
++    ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv));
++    if (is_error(ret)) {
++        return ret;
++    }
++
++    if (cmd == (int)TARGET_SIOCGSTAMP_OLD) {
++        if (copy_to_user_timeval(arg, &tv)) {
++            return -TARGET_EFAULT;
++        }
++    } else {
++        if (copy_to_user_timeval64(arg, &tv)) {
++            return -TARGET_EFAULT;
++        }
++    }
++
++    return ret;
++}
++
++static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp,
++                                      int fd, int cmd, abi_long arg)
++{
++    struct timespec ts;
++    abi_long ret;
++
++    ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts));
++    if (is_error(ret)) {
++        return ret;
++    }
++
++    if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) {
++        if (host_to_target_timespec(arg, &ts)) {
++            return -TARGET_EFAULT;
++        }
++    } else{
++        if (host_to_target_timespec64(arg, &ts)) {
++            return -TARGET_EFAULT;
++        }
++    }
++
++    return ret;
++}
++
+ #ifdef TIOCGPTPEER
+ static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp,
+                                      int fd, int cmd, abi_long arg)
+@@ -6180,32 +6290,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1,
+ }
+ #endif
+ 
+-static inline abi_long target_to_host_timespec(struct timespec *host_ts,
+-                                               abi_ulong target_addr)
+-{
+-    struct target_timespec *target_ts;
+-
+-    if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1))
+-        return -TARGET_EFAULT;
+-    __get_user(host_ts->tv_sec, &target_ts->tv_sec);
+-    __get_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+-    unlock_user_struct(target_ts, target_addr, 0);
+-    return 0;
+-}
+-
+-static inline abi_long host_to_target_timespec(abi_ulong target_addr,
+-                                               struct timespec *host_ts)
+-{
+-    struct target_timespec *target_ts;
+-
+-    if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0))
+-        return -TARGET_EFAULT;
+-    __put_user(host_ts->tv_sec, &target_ts->tv_sec);
+-    __put_user(host_ts->tv_nsec, &target_ts->tv_nsec);
+-    unlock_user_struct(target_ts, target_addr, 1);
+-    return 0;
+-}
+-
+ static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec,
+                                                  abi_ulong target_addr)
+ {
+diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
+index 12c8407144..cfb3eeec07 100644
+--- a/linux-user/syscall_defs.h
++++ b/linux-user/syscall_defs.h
+@@ -208,16 +208,34 @@ struct target_linger {
+     abi_int l_linger;       /* How long to linger for       */
+ };
+ 
++#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32)
++struct target_timeval {
++    abi_long tv_sec;
++    abi_int tv_usec;
++};
++#define target__kernel_sock_timeval target_timeval
++#else
+ struct target_timeval {
+     abi_long tv_sec;
+     abi_long tv_usec;
+ };
+ 
++struct target__kernel_sock_timeval {
++    abi_llong tv_sec;
++    abi_llong tv_usec;
++};
++#endif
++
+ struct target_timespec {
+     abi_long tv_sec;
+     abi_long tv_nsec;
+ };
+ 
++struct target__kernel_timespec {
++    abi_llong tv_sec;
++    abi_llong tv_nsec;
++};
++
+ struct target_timezone {
+     abi_int tz_minuteswest;
+     abi_int tz_dsttime;
+@@ -743,8 +761,17 @@ struct target_pollfd {
+ #define TARGET_SIOCATMARK      0x8905
+ #define TARGET_SIOCGPGRP       0x8904
+ #endif
+-#define TARGET_SIOCGSTAMP      0x8906          /* Get stamp (timeval) */
+-#define TARGET_SIOCGSTAMPNS    0x8907          /* Get stamp (timespec) */
++
++#if defined(TARGET_SH4)
++#define TARGET_SIOCGSTAMP_OLD   TARGET_IOR('s', 100, struct target_timeval)
++#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec)
++#else
++#define TARGET_SIOCGSTAMP_OLD   0x8906
++#define TARGET_SIOCGSTAMPNS_OLD 0x8907
++#endif
++
++#define TARGET_SIOCGSTAMP_NEW   TARGET_IOR(0x89, 0x06, abi_llong[2])
++#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2])
+ 
+ /* Networking ioctls */
+ #define TARGET_SIOCADDRT       0x890B          /* add routing table entry */
+diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h
+index b98a23b0f1..4e36983826 100644
+--- a/linux-user/syscall_types.h
++++ b/linux-user/syscall_types.h
+@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct,
+ STRUCT(sockaddr,
+        TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14))
+ 
+-STRUCT(timeval,
+-       MK_ARRAY(TYPE_LONG, 2))
+-
+-STRUCT(timespec,
+-       MK_ARRAY(TYPE_LONG, 2))
+-
+ STRUCT(rtentry,
+        TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr),
+        TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID,

keycodemapdb-make-keycode-gen-output-reproducible.patch

@@ -0,0 +1,23 @@
+--- a/tools/keymap-gen	2019-08-05 21:56:01.731846467 +0200
++++ b/tools/keymap-gen	2019-08-05 22:00:14.563720016 +0200
+@@ -20,6 +20,7 @@
+     sys.path.append(os.path.join(os.path.dirname(__file__), "../thirdparty"))
+     import argparse
+ import hashlib
++import os
+ import time
+ import sys
+ 
+@@ -317,7 +318,11 @@
+         raise NotImplementedError()
+ 
+     def generate_header(self, database, args):
+-        today = time.strftime("%Y-%m-%d %H:%M")
++        sde = os.getenv("SOURCE_DATE_EPOCH")
++        if sde:
++            today = time.strftime("%Y-%m-%d %H:%M", time.gmtime(int(sde)))
++        else:
++            today = time.strftime("%Y-%m-%d %H:%M")
+         self._boilerplate([
+             "This file is auto-generated from keymaps.csv on %s" % today,
+             "Database checksum sha256(%s)" % database.mapchecksum,

qemu-linux-user.changes

@@ -1,4 +1,20 @@
 -------------------------------------------------------------------
+Tue Aug  6 14:45:37 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Adjust to a v5.2 linux kernel change regarding SIOCGSTAMP
+  0051-linux-user-fix-to-handle-variably-s.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
+-------------------------------------------------------------------
+Thu Jul 25 20:51:24 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+* Patches added:
+  0049-qxl-check-release-info-object.patch
+  0050-qemu-bridge-helper-restrict-interfa.patch
+* Patches changed:
+  0043-target-i386-define-md-clear-bit.patch
+-------------------------------------------------------------------
 Wed May 29 16:03:58 UTC 2019 - Bruce Rogers <brogers@suse.com>
 
 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0

qemu-linux-user.spec

@@ -82,6 +82,9 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
+Patch0051:      0051-linux-user-fix-to-handle-variably-s.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@@ -160,6 +163,9 @@ syscall layer occurs on the native hardware and operating system.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
 
 %build
 %define _lto_cflags %{nil}

qemu-testsuite.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Tue Aug  6 14:45:35 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+* Patches added:
+  0051-linux-user-fix-to-handle-variably-s.patch
+
+-------------------------------------------------------------------
+Mon Aug  5 20:03:11 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
+
+- Make keycode-gen output reproducible (use SOURCE_DATE_EPOCH timestamp)
+  keycodemapdb-make-keycode-gen-output-reproducible.patch
+
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Security fix for null pointer dereference while releasing spice resources
+  (CVE-2019-12155, bsc#1135902)
+  0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+  (CVE-2019-13164, bsc#1140402)
+  0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+  0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
+-------------------------------------------------------------------
+Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>
+
+- fixed regression for ksm.service was (bsc#1112646) 
+
 -------------------------------------------------------------------
 Mon Jun 10 16:41:24 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu-testsuite.spec

@@ -192,6 +192,9 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
+Patch0051:      0051-linux-user-fix-to-handle-variably-s.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -217,6 +220,7 @@ Patch1301:      sgabios-fix-cross-build.patch
 Patch1500:      skiboot-gcc9-compat.patch
 
 # keycodemapdb - path: ui/keycodemapdb (patch range 1600-1699) (Currently no patches)
+Patch1600:      keycodemapdb-make-keycode-gen-output-reproducible.patch
 
 # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
 
@@ -1009,6 +1013,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
 
 pushd roms/seabios
 %patch1100 -p1
@@ -1043,6 +1050,7 @@ pushd roms/skiboot
 popd
 
 pushd ui/keycodemapdb
+%patch1600 -p1
 popd
 
 pushd roms/openbios

qemu.changes

@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Tue Aug  6 14:45:35 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+* Patches added:
+  0051-linux-user-fix-to-handle-variably-s.patch
+
+-------------------------------------------------------------------
+Mon Aug  5 20:03:11 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
+
+- Make keycode-gen output reproducible (use SOURCE_DATE_EPOCH timestamp)
+  keycodemapdb-make-keycode-gen-output-reproducible.patch
+
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Security fix for null pointer dereference while releasing spice resources
+  (CVE-2019-12155, bsc#1135902)
+  0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+  (CVE-2019-13164, bsc#1140402)
+  0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+  0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
 -------------------------------------------------------------------
 Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>
 

qemu.spec

@@ -192,6 +192,9 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
+Patch0051:      0051-linux-user-fix-to-handle-variably-s.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -217,6 +220,7 @@ Patch1301:      sgabios-fix-cross-build.patch
 Patch1500:      skiboot-gcc9-compat.patch
 
 # keycodemapdb - path: ui/keycodemapdb (patch range 1600-1699) (Currently no patches)
+Patch1600:      keycodemapdb-make-keycode-gen-output-reproducible.patch
 
 # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
 
@@ -1009,6 +1013,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
+%patch0051 -p1
 
 pushd roms/seabios
 %patch1100 -p1
@@ -1043,6 +1050,7 @@ pushd roms/skiboot
 popd
 
 pushd ui/keycodemapdb
+%patch1600 -p1
 popd
 
 pushd roms/openbios

qemu.spec.in

@@ -167,6 +167,7 @@ Patch1301:      sgabios-fix-cross-build.patch
 Patch1500:      skiboot-gcc9-compat.patch
 
 # keycodemapdb - path: ui/keycodemapdb (patch range 1600-1699) (Currently no patches)
+Patch1600:      keycodemapdb-make-keycode-gen-output-reproducible.patch
 
 # openBIOS - path: roms/openbios (patch range 1700-1799) (Currently no patches)
 
@@ -946,6 +947,7 @@ pushd roms/skiboot
 popd
 
 pushd ui/keycodemapdb
+%patch1600 -p1
 popd
 
 pushd roms/openbios