Fix CVE-2023-50711: vmm-sys-util: out of bounds memory accesses (bsc#1218502, bsc#1218500)

OBS-URL: https://build.opensuse.org/package/show/Virtualization/virtiofsd?expand=0&rev=13
2024-01-30 17:28:52 +00:00 · 2024-01-30 17:28:52 +00:00 · cc7fbfac8b
commit cc7fbfac8b
parent f06c6c5948
7 changed files with 26 additions and 17 deletions
--- a/50-qemu-virtiofsd.json
+++ b/50-qemu-virtiofsd.json
@ -1,5 +0,0 @@
-{
-  "description": "QEMU virtiofsd vhost-user-fs",
-  "type": "fs",
-  "binary": "/usr/libexec/virtiofsd"
-}
--- a/5
+++ b/5
@ -3,10 +3,11 @@
    <param name="url">https://gitlab.com/virtio-fs/virtiofsd.git</param>
    <param name="scm">git</param>
    <param name="filename">virtiofsd</param>
-    <param name="revision">v1.7.2</param>
+    <param name="revision">v1.10.1</param>
    <param name="versionformat">@PARENT_TAG@</param>
    <param name="versionrewrite-pattern">[v]?([^\+]+)(.*)</param>
    <param name="versionrewrite-replacement">\1</param>
+    <param name="changesgenerate">enable</param>
  </service>

  <service name="set_version" mode="disabled"/>
@ -25,6 +26,6 @@
  <service name="cargo_vendor" mode="disabled">
    <param name="srcdir">virtiofsd</param>
    <param name="compression">xz</param>
-    <param name="update">false</param>
+    <param name="update">true</param>
  </service>
 </services>
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
--- a/virtiofsd-1.10.1.tar.xz
+++ b/virtiofsd-1.10.1.tar.xz
--- a/virtiofsd-1.7.2.tar.xz
+++ b/virtiofsd-1.7.2.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:64ac4febe3799b77ca74485478b1248ca42f453521b47bb746eaa3863e94342d
-size 95376
--- a/virtiofsd.changes
+++ b/virtiofsd.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Jan 30 17:09:25 UTC 2024 - caleb.crane@suse.com
+
+- Fix CVE-2023-50711: vmm-sys-util: out of bounds memory accesses (bsc#1218502, bsc#1218500)
+- Update to version 1.10.1:
+  * Bump version to v1.10.1
+  * Fix mandatory user namespaces
+  * Don't drop supplemental groups in unprivileged user namespace
+  * Bump version to v1.10.0
+  * Update rust-vmm dependencies (bsc#1218500)
+  * Bump version to v1.9.0
+- Spec: switch to using the upstream virtio-fs config file for qemu
+- Spec: switch back to greedy cargo updates of vendored dependencies
+
 -------------------------------------------------------------------
 Thu Aug 31 20:28:08 UTC 2023 - Caleb Crane <caleb.crane@suse.com>

--- a/virtiofsd.spec
+++ b/virtiofsd.spec
@ -1,7 +1,7 @@
 #
 # spec file for package virtiofsd
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@


 Name:           virtiofsd
-Version:        1.7.2
+Version:        1.10.1
 Release:        0
 Summary:        vhost-user virtio-fs device backend written in Rust
 Group:          Development/Libraries/Rust
@ -26,7 +26,6 @@ URL:            https://gitlab.com/virtio-fs/virtiofsd
 Source0:        %{name}-%{version}.tar.xz
 Source1:        vendor.tar.xz
 Source2:        cargo_config
-Source3:        50-qemu-virtiofsd.json
 BuildRequires:  cargo-packaging
 BuildRequires:  libcap-ng-devel
 BuildRequires:  libseccomp-devel
@ -47,7 +46,7 @@ cp %{SOURCE2} .cargo/config
 %install
 mkdir -p %{buildroot}%{_libexecdir}
 install -D -p -m 0755 %{_builddir}/%{name}-%{version}/target/release/virtiofsd %{buildroot}%{_libexecdir}/virtiofsd
-install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_datadir}/qemu/vhost-user/50-qemu-virtiofsd.json
+install -D -p -m 0644 %{_builddir}/%{name}-%{version}/50-virtiofsd.json %{buildroot}%{_datadir}/qemu/vhost-user/50-virtiofsd.json

 %check
 %{cargo_test}
@ -57,6 +56,6 @@ install -D -p -m 0644 %{SOURCE3} %{buildroot}%{_datadir}/qemu/vhost-user/50-qemu
 %{_libexecdir}/virtiofsd
 %dir %{_datadir}/qemu
 %dir %{_datadir}/qemu/vhost-user
-%{_datadir}/qemu/vhost-user/50-qemu-virtiofsd.json
+%{_datadir}/qemu/vhost-user/50-virtiofsd.json

 %changelog