OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/xen?expand=0&rev=34

2007-11-19 17:19:02 +00:00 · 2007-11-19 17:19:02 +00:00 · 61e5c542fb
commit 61e5c542fb
parent 8749f77d2e
9 changed files with 840 additions and 9 deletions
--- a/15434-irq-permissions.patch
+++ b/15434-irq-permissions.patch
@ -0,0 +1,20 @@
+# HG changeset patch
+# User Keir Fraser <keir@xensource.com>
+# Date 1183059350 -3600
+# Node ID b377a102f0eb1b75ec76cf230ee8f259ed01c528
+# Parent  a5360bf1866892498f4fda9fb86f96035143221d
+xend: Fix irq-permissions setting during domain creation.
+Signed-off-by: Keir Fraser <keir@xensource.com>
+
+diff -r a5360bf18668 -r b377a102f0eb tools/python/xen/xend/server/irqif.py
+--- a/tools/python/xen/xend/server/irqif.py	Thu Jun 28 18:40:20 2007 +0100
+++ b/tools/python/xen/xend/server/irqif.py	Thu Jun 28 20:35:50 2007 +0100
+@@ -61,7 +61,7 @@ class IRQController(DevController):
+        
+         pirq = get_param('irq')
+ 
+-        rc = xc.domain_irq_permission(dom          = self.getDomid(),
+        rc = xc.domain_irq_permission(domid        = self.getDomid(),
+                                       pirq         = pirq,
+                                       allow_access = True)
+ 
--- a/16157-xenmon-security.patch
+++ b/16157-xenmon-security.patch
@ -0,0 +1,46 @@
+# HG changeset patch
+# User Keir Fraser <keir@xensource.com>
+# Date 1193128003 -3600
+# Node ID b28ae5f00553ea053bd4e4576634d8ea49e77bc3
+# Parent  118a21c66fd53a08d7191159e5b2888f8d9e4ad2
+xenmon: Fix security vulnerability CVE-2007-3919.
+
+The xenbaked daemon and xenmon utility communicate via a mmap'ed
+shared file. Since this file is located in /tmp, unprivileged users
+can cause arbitrary files to be truncated by creating a symlink from
+the well-known /tmp filename to e.g., /etc/passwd.
+
+The fix is to place the shared file in a directory to which only root
+should have access (in this case /var/run/).
+
+This bug was reported, and the fix suggested, by Steve Kemp
+<skx@debian.org>. Thanks!
+
+Signed-off-by: Keir Fraser <keir@xensource.com>
+
+Index: xen-3.1-testing/tools/xenmon/xenbaked.c
+===================================================================
+--- xen-3.1-testing.orig/tools/xenmon/xenbaked.c
+++ xen-3.1-testing/tools/xenmon/xenbaked.c
+@@ -593,7 +593,7 @@ error_t cmd_parser(int key, char *arg, s
+     return 0;
+ }
+ 
+-#define SHARED_MEM_FILE "/tmp/xenq-shm"
+#define SHARED_MEM_FILE "/var/run/xenq-shm"
+ void alloc_qos_data(int ncpu)
+ {
+     int i, n, pgsize, off=0;
+Index: xen-3.1-testing/tools/xenmon/xenmon.py
+===================================================================
+--- xen-3.1-testing.orig/tools/xenmon/xenmon.py
+++ xen-3.1-testing/tools/xenmon/xenmon.py
+@@ -46,7 +46,7 @@ ST_QDATA = "%dQ" % (6*NDOMAINS + 4)
+ QOS_DATA_SIZE = struct.calcsize(ST_QDATA)*NSAMPLES + struct.calcsize(ST_DOM_INFO)*NDOMAINS + struct.calcsize("4i")
+ 
+ # location of mmaped file, hard coded right now
+-SHM_FILE = "/tmp/xenq-shm"
+SHM_FILE = "/var/run/xenq-shm"
+ 
+ # format strings
+ TOTALS = 15*' ' + "%6.2f%%" + 35*' ' + "%6.2f%%"
--- a/domUloader.py
+++ b/domUloader.py
@ -44,6 +44,9 @@ verbose = False
 dryrun = False
 tmpdir = '/var/lib/xen/tmp'
 in_args = ''
+# kpartx, left to its own devices, does not consistently pick the
+# same partition separator.  Explicitly specify it.
+kpartx_args = '-p -part'

 # Helper functions

@ -77,12 +80,14 @@ class Wholedisk:
    "Class representing a whole disk that may have partitions"
    def __init__(self, vdev, pdev):
        "c'tor: set up"
+        # Initialize object; will not raise:
        self.ldev = None
        self.vdev = vdev
        self.pdev = pdev
        self.mapped = 0
        self.partitions = []
        self.pcount = 0
+        # Finish initialization; may raise:
        self.is_blk = (S_ISBLK(os.stat(pdev)[ST_MODE]))
        self.pcount = self.scanpartitions()

@ -150,7 +155,7 @@ class Wholedisk:
        self.loopsetup()
        # TODO: We could use fdisk -l instead and look at the type of
        #  partitions; this way we could also detect LVM and support it.
-        fd = os.popen("kpartx -l '%s'" % self.physdev())
+        fd = os.popen("kpartx %s -l '%s'" % (kpartx_args, self.physdev()))
        pcount = 0
        for line in fd.readlines():
            line = line.strip()
@ -179,8 +184,8 @@ class Wholedisk:
        if not self.mapped:
            self.loopsetup()
            if self.pcount:
-                verbose_print("kpartx -a '%s'" % self.physdev())
-                fd = os.popen("kpartx -a '%s'" % self.physdev())
+                verbose_print("kpartx %s -a '%s'" % (kpartx_args, self.physdev()))
+                fd = os.popen("kpartx %s -a '%s'" % (kpartx_args, self.physdev()))
                fd.close()
        self.mapped += 1
    
@ -194,8 +199,8 @@ class Wholedisk:
        self.mapped -= 1
        if not self.mapped:
            if self.pcount:
-                verbose_print("kpartx -d '%s'" % self.physdev())
-                fd = os.popen("kpartx -d '%s'" % self.physdev())
+                verbose_print("kpartx %s -d '%s'" % (kpartx_args, self.physdev()))
+                fd = os.popen("kpartx %s -d '%s'" % (kpartx_args, self.physdev()))
                fd.close()
            self.loopclean()

--- a/fix-ioemu-vnc-shift-key.patch
+++ b/fix-ioemu-vnc-shift-key.patch
@ -0,0 +1,547 @@
+Index: xen-3.0.4-testing/tools/ioemu/keymaps.c
+===================================================================
+--- xen-3.0.4-testing.orig/tools/ioemu/keymaps.c	2006-12-14 14:49:55.000000000 -0700
+++ xen-3.0.4-testing/tools/ioemu/keymaps.c	2007-09-14 08:31:29.000000000 -0600
+@@ -32,19 +32,50 @@
+     return 0;
+ }
+ 
+struct key_range {
+    int start;
+    int end;
+    struct key_range *next;
+};
+
+ #define MAX_NORMAL_KEYCODE 512
+ #define MAX_EXTRA_COUNT 256
+ typedef struct {
+     uint16_t keysym2keycode[MAX_NORMAL_KEYCODE];
+-    int keysym2numlock[MAX_NORMAL_KEYCODE];
+     struct {
+ 	int keysym;
+-	int numlock;
+ 	uint16_t keycode;
+     } keysym2keycode_extra[MAX_EXTRA_COUNT];
+     int extra_count;
+    struct key_range *keypad_range;
+    struct key_range *numlock_range;
+    struct key_range *shift_range;
+ } kbd_layout_t;
+ 
+static void add_to_key_range(struct key_range **krp, int code) {
+    struct key_range *kr;
+    for (kr = *krp; kr; kr = kr->next) {
+	if (code >= kr->start && code <= kr->end)
+	    break;
+	if (code == kr->start - 1) {
+	    kr->start--;
+	    break;
+	}
+	if (code == kr->end + 1) {
+	    kr->end++;
+	    break;
+	}
+    }
+    if (kr == NULL) {
+	kr = qemu_mallocz(sizeof(*kr));
+	if (kr) {
+	    kr->start = kr->end = code;
+	    kr->next = *krp;
+	    *krp = kr;
+	}
+    }
+}
+
+ static kbd_layout_t *parse_keyboard_layout(const char *language,
+ 					   kbd_layout_t * k)
+ {
+@@ -52,8 +83,6 @@
+     char file_name[1024];
+     char line[1024];
+     int len;
+-    int *keycode2numlock;
+-    int i;
+ 
+     snprintf(file_name, sizeof(file_name),
+              "%s/keymaps/%s", bios_dir, language);
+@@ -67,15 +96,6 @@
+ 		"Could not read keymap file: '%s'\n", file_name);
+ 	return 0;
+     }
+-
+-    /* Allocate a temporary map tracking which keycodes change when numlock is
+-       set.  Keycodes are 16 bit, so 65536 is safe. */
+-    keycode2numlock = malloc(65536 * sizeof(int));
+-    if (!keycode2numlock) {
+-        perror("Could not read keymap file");
+-	return 0;
+-    }
+-
+     for(;;) {
+ 	if (fgets(line, 1024, f) == NULL)
+             break;
+@@ -99,19 +119,25 @@
+ 		if (keysym == 0) {
+                     //		    fprintf(stderr, "Warning: unknown keysym %s\n", line);
+ 		} else {
+-		    char *rest = end_of_keysym + 1;
+-		    int keycode = strtol(rest, &rest, 0);
+-		    int numlock = (rest != NULL &&
+-		                   strstr(rest, "numlock") != NULL);
+-
+-                    keycode2numlock[keycode] = numlock;
+		    const char *rest = end_of_keysym + 1;
+		    char *rest2;
+		    int keycode = strtol(rest, &rest2, 0);
+
+		    if (rest && strstr(rest, "numlock")) {
+			add_to_key_range(&k->keypad_range, keycode);
+			add_to_key_range(&k->numlock_range, keysym);
+			fprintf(stderr, "keypad keysym %04x keycode %d\n", keysym, keycode);
+		    }
+		    if (rest && strstr(rest, "shift")) {
+			add_to_key_range(&k->shift_range, keysym);
+			fprintf(stderr, "shift keysym %04x keycode %d\n", keysym, keycode);
+		    }
+ 
+ 		    /* if(keycode&0x80)
+ 		       keycode=(keycode<<8)^0x80e0; */
+ 		    if (keysym < MAX_NORMAL_KEYCODE) {
+ 			//fprintf(stderr,"Setting keysym %s (%d) to %d\n",line,keysym,keycode);
+ 			k->keysym2keycode[keysym] = keycode;
+-			k->keysym2numlock[keysym] = numlock;
+ 		    } else {
+ 			if (k->extra_count >= MAX_EXTRA_COUNT) {
+ 			    fprintf(stderr,
+@@ -126,8 +152,6 @@
+ 				keysym = keysym;
+ 			    k->keysym2keycode_extra[k->extra_count].
+ 				keycode = keycode;
+-			    k->keysym2keycode_extra[k->extra_count].
+-				numlock = numlock;
+ 			    k->extra_count++;
+ 			}
+ 		    }
+@@ -136,22 +160,6 @@
+ 	}
+     }
+     fclose(f);
+-
+-    for (i = 0; i < MAX_NORMAL_KEYCODE; i++) {
+-        if (k->keysym2numlock[i] != 1) {
+-            k->keysym2numlock[i] = -keycode2numlock[k->keysym2keycode[i]];
+-        }
+-    }
+-
+-    for (i = 0; i < k->extra_count; i++) {
+-        if (k->keysym2keycode_extra[i].numlock != 1) {
+-            k->keysym2keycode_extra[i].numlock =
+-                -keycode2numlock[k->keysym2keycode_extra[i].keycode];
+-        }
+-    }
+-
+-    free(keycode2numlock);
+-
+     return k;
+ }
+ 
+@@ -181,24 +189,35 @@
+     return 0;
+ }
+ 
+-/**
+- * Returns 1 if the given keysym requires numlock to be pressed, -1 if it
+- * requires it to be cleared, and 0 otherwise.
+- */
+-static int keysym2numlock(void *kbd_layout, int keysym)
+static int keycodeIsKeypad(void *kbd_layout, int keycode)
+ {
+     kbd_layout_t *k = kbd_layout;
+-    if (keysym < MAX_NORMAL_KEYCODE) {
+-	return k->keysym2numlock[keysym];
+-    } else {
+-	int i;
+-#ifdef XK_ISO_Left_Tab
+-	if (keysym == XK_ISO_Left_Tab)
+-	    keysym = XK_Tab;
+-#endif
+-	for (i = 0; i < k->extra_count; i++)
+-	    if (k->keysym2keycode_extra[i].keysym == keysym)
+-		return k->keysym2keycode_extra[i].numlock;
+-    }
+    struct key_range *kr;
+
+    for (kr = k->keypad_range; kr; kr = kr->next)
+	if (keycode >= kr->start && keycode <= kr->end)
+	    return 1;
+    return 0;
+}
+
+static int keysymIsNumlock(void *kbd_layout, int keysym)
+{
+    kbd_layout_t *k = kbd_layout;
+    struct key_range *kr;
+
+    for (kr = k->numlock_range; kr; kr = kr->next)
+	if (keysym >= kr->start && keysym <= kr->end)
+	    return 1;
+    return 0;
+}
+
+static int keysymIsShift(void *kbd_layout, int keysym)
+{
+    kbd_layout_t *k = kbd_layout;
+    struct key_range *kr;
+
+    for (kr = k->shift_range; kr; kr = kr->next)
+	if (keysym >= kr->start && keysym <= kr->end)
+	    return 1;
+     return 0;
+ }
+Index: xen-3.0.4-testing/tools/ioemu/vnc.c
+===================================================================
+--- xen-3.0.4-testing.orig/tools/ioemu/vnc.c	2007-09-14 08:30:01.000000000 -0600
+++ xen-3.0.4-testing/tools/ioemu/vnc.c	2007-09-14 09:23:48.000000000 -0600
+@@ -46,10 +46,6 @@
+ #include "keymaps.c"
+ #include "d3des.h"
+ 
+-#define XK_MISCELLANY
+-#define XK_LATIN1
+-#include <X11/keysymdef.h>
+-
+ typedef struct Buffer
+ {
+     size_t capacity;
+@@ -113,9 +109,8 @@
+     int visible_w;
+     int visible_h;
+ 
+-    int ctl_keys;               /* Ctrl+Alt starts calibration */
+-    int shift_keys;             /* Shift / CapsLock keys */
+-    int numlock;
+    /* input */
+    uint8_t modifiers_state[256];
+ };
+ 
+ #define DIRTY_PIXEL_BITS 64
+@@ -855,133 +850,209 @@
+     }
+ }
+ 
+-static void press_key(VncState *vs, int keycode)
+static void reset_keys(VncState *vs)
+{
+    int i;
+    for(i = 0; i < 256; i++) {
+        if (vs->modifiers_state[i]) {
+            if (i & 0x80)
+                kbd_put_keycode(0xe0);
+            kbd_put_keycode(i | 0x80);
+            vs->modifiers_state[i] = 0;
+        }
+    }
+}
+
+static void press_key(VncState *vs, int keysym)
+{
+    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) & 0x7f);
+    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keysym) | 0x80);
+}
+
+static void press_key_shift_down(VncState *vs, int down, int keycode)
+ {
+-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keycode) & 0x7f);
+-    kbd_put_keycode(keysym2scancode(vs->kbd_layout, keycode) | 0x80);
+    if (down)
+        kbd_put_keycode(0x2a & 0x7f);
+
+    if (keycode & 0x80)
+        kbd_put_keycode(0xe0);
+    if (down)
+        kbd_put_keycode(keycode & 0x7f);
+    else
+        kbd_put_keycode(keycode | 0x80);
+
+    if (!down)
+        kbd_put_keycode(0x2a | 0x80);
+}
+
+static void press_key_shift_up(VncState *vs, int down, int keycode)
+{
+    if (down) {
+        if (vs->modifiers_state[0x2a])
+            kbd_put_keycode(0x2a | 0x80);
+        if (vs->modifiers_state[0x36])
+            kbd_put_keycode(0x36 | 0x80);
+    }
+
+    if (keycode & 0x80)
+        kbd_put_keycode(0xe0);
+    if (down)
+        kbd_put_keycode(keycode & 0x7f);
+    else
+        kbd_put_keycode(keycode | 0x80);
+
+    if (!down) {
+        if (vs->modifiers_state[0x2a])
+            kbd_put_keycode(0x2a & 0x7f);
+        if (vs->modifiers_state[0x36])
+            kbd_put_keycode(0x36 & 0x7f);
+    }
+ }
+ 
+ static void do_key_event(VncState *vs, int down, uint32_t sym)
+ {
+-    sym &= 0xFFFF;
+    int keycode;
+    int shift_keys = 0;
+    int shift = 0;
+ 
+     if (is_graphic_console()) {
+-	int keycode;
+-	int numlock;
+        if (sym >= 'A' && sym <= 'Z') {
+            sym = sym - 'A' + 'a';
+            shift = 1;
+        }
+        else {
+            shift = keysymIsShift(vs->kbd_layout, sym & 0xFFFF);
+        }
+    }
+    shift_keys = vs->modifiers_state[0x2a] | vs->modifiers_state[0x36];
+ 
+-	keycode = keysym2scancode(vs->kbd_layout, sym);
+-	numlock = keysym2numlock(vs->kbd_layout, sym);
+    keycode = keysym2scancode(vs->kbd_layout, sym & 0xFFFF);
+    if (keycode == 0) {
+        fprintf(stderr, "Key lost : keysym=0x%x(%d)\n", sym, sym);
+        return;
+    }
+ 
+    /* QEMU console switch */
+    switch(keycode) {
+    case 0x2a:                          /* Left Shift */
+    case 0x36:                          /* Right Shift */
+    case 0x1d:                          /* Left CTRL */
+    case 0x9d:                          /* Right CTRL */
+    case 0x38:                          /* Left ALT */
+    case 0xb8:                          /* Right ALT */
+        if (down) {
+            vs->modifiers_state[keycode] = 1;
+            kbd_put_keycode(keycode & 0x7f);
+        }
+        else {
+            vs->modifiers_state[keycode] = 0;
+            kbd_put_keycode(keycode | 0x80);
+        }
+        return;
+    case 0x02 ... 0x0a: /* '1' to '9' keys */
+        if (down && vs->modifiers_state[0x1d] && vs->modifiers_state[0x38]) {
+            /* Reset the modifiers sent to the current console */
+            reset_keys(vs);
+            console_select(keycode - 0x02);
+            return;
+        }
+        break;
+    case 0x45:			/* NumLock */
+	if (down) {
+            kbd_put_keycode(keycode & 0x7f);
+        }
+        else {
+	    vs->modifiers_state[keycode] ^= 1;
+            kbd_put_keycode(keycode | 0x80);
+        }
+	return;
+    }
+
+    if (keycodeIsKeypad(vs->kbd_layout, keycode)) {
+         /* If the numlock state needs to change then simulate an additional
+            keypress before sending this one.  This will happen if the user
+            toggles numlock away from the VNC window.
+         */
+-	if (numlock == 1) {
+-	    if (!vs->numlock) {
+-		vs->numlock = 1;
+-		press_key(vs, XK_Num_Lock);
+-	    }
+-	}
+-	else if (numlock == -1) {
+-	    if (vs->numlock) {
+-		vs->numlock = 0;
+-		press_key(vs, XK_Num_Lock);
+        if (keysymIsNumlock(vs->kbd_layout, sym & 0xFFFF)) {
+	    if (!vs->modifiers_state[0x45]) {
+		vs->modifiers_state[0x45] = 1;
+		press_key(vs, 0xff7f);
+ 	    }
+-        }
+-
+-	if (keycode & 0x80)
+-	    kbd_put_keycode(0xe0);
+-	if (down)
+-	    kbd_put_keycode(keycode & 0x7f);
+-	else
+-	    kbd_put_keycode(keycode | 0x80);
+-    } else if (down) {
+-	int qemu_keysym = 0;
+-
+-	if (sym <= 128) { /* normal ascii */
+-	    int shifted = vs->shift_keys == 1 || vs->shift_keys == 2;
+-	    qemu_keysym = sym;
+-	    if (sym >= 'a' && sym <= 'z' && shifted)
+-	        qemu_keysym -= 'a' - 'A';
+ 	} else {
+-	    switch (sym) {
+-	    case XK_Up: qemu_keysym = QEMU_KEY_UP; break;
+-	    case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break;
+-	    case XK_Left: qemu_keysym = QEMU_KEY_LEFT; break;
+-	    case XK_Right: qemu_keysym = QEMU_KEY_RIGHT; break;
+-	    case XK_Home: qemu_keysym = QEMU_KEY_HOME; break;
+-	    case XK_End: qemu_keysym = QEMU_KEY_END; break;
+-	    case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break;
+-	    case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break;
+-	    case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break;
+-	    case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break;
+-	    case XK_Return:
+-	    case XK_Linefeed: qemu_keysym = sym; break;
+-	    default: break;
+	    if (vs->modifiers_state[0x45]) {
+		vs->modifiers_state[0x45] = 0;
+		press_key(vs, 0xff7f);
+ 	    }
+-	}
+-	if (qemu_keysym != 0)
+-	    kbd_put_keysym(qemu_keysym);
+        }
+     }
+ 
+-    if (down) {
+-	switch (sym) {
+-	case XK_Control_L:
+-	    vs->ctl_keys |= 1;
+-	    break;
+-
+-	case XK_Alt_L:
+-	    vs->ctl_keys |= 2;
+-	    break;
+-
+-	case XK_Shift_L:
+-	    vs->shift_keys |= 1;
+-	    break;
+    if (is_graphic_console()) {
+        /*  If the shift state needs to change then simulate an additional
+            keypress before sending this one.
+        */
+        if (shift && !shift_keys) {
+            press_key_shift_down(vs, down, keycode);
+            return;
+        }
+        else if (!shift && shift_keys) {
+            press_key_shift_up(vs, down, keycode);
+            return;
+        }
+ 
+-	default:
+-	    break;
+-	}
+        if (keycode & 0x80)
+            kbd_put_keycode(0xe0);
+        if (down)
+            kbd_put_keycode(keycode & 0x7f);
+        else
+            kbd_put_keycode(keycode | 0x80);
+     } else {
+-	switch (sym) {
+-	case XK_Control_L:
+-	    vs->ctl_keys &= ~1;
+-	    break;
+-
+-	case XK_Alt_L:
+-	    vs->ctl_keys &= ~2;
+-	    break;
+-
+-	case XK_Shift_L:
+-	    vs->shift_keys &= ~1;
+-	    break;
+-
+-	case XK_Caps_Lock:
+-	    vs->shift_keys ^= 2;
+-	    break;
+-
+-	case XK_Num_Lock:
+-	    vs->numlock = !vs->numlock;
+-	    break;
+-
+-	case XK_1 ... XK_9:
+-	    if ((vs->ctl_keys & 3) != 3)
+-		break;
+-
+-	    console_select(sym - XK_1);
+-	    if (is_graphic_console()) {
+-		/* tell the vga console to redisplay itself */
+-		vga_hw_invalidate();
+-		vnc_dpy_update(vs->ds, 0, 0, vs->ds->width, vs->ds->height);
+-	    }
+-	    break;
+-	}
+        /* QEMU console emulation */
+        if (down) {
+            switch (keycode) {
+            case 0x2a:                          /* Left Shift */
+            case 0x36:                          /* Right Shift */
+            case 0x1d:                          /* Left CTRL */
+            case 0x9d:                          /* Right CTRL */
+            case 0x38:                          /* Left ALT */
+            case 0xb8:                          /* Right ALT */
+                break;
+            case 0xc8:
+                kbd_put_keysym(QEMU_KEY_UP);
+                break;
+            case 0xd0:
+                kbd_put_keysym(QEMU_KEY_DOWN);
+                break;
+            case 0xcb:
+                kbd_put_keysym(QEMU_KEY_LEFT);
+                break;
+            case 0xcd:
+                kbd_put_keysym(QEMU_KEY_RIGHT);
+                break;
+            case 0xd3:
+                kbd_put_keysym(QEMU_KEY_DELETE);
+                break;
+            case 0xc7:
+                kbd_put_keysym(QEMU_KEY_HOME);
+                break;
+            case 0xcf:
+                kbd_put_keysym(QEMU_KEY_END);
+                break;
+            case 0xc9:
+                kbd_put_keysym(QEMU_KEY_PAGEUP);
+                break;
+            case 0xd1:
+                kbd_put_keysym(QEMU_KEY_PAGEDOWN);
+                break;
+            default:
+                kbd_put_keysym(sym);
+                break;
+            }
+        }
+     }
+ }
+ 
+ static void key_event(VncState *vs, int down, uint32_t sym)
+ {
+-    if (sym >= 'A' && sym <= 'Z')
+-	sym = sym - 'A' + 'a';
+     do_key_event(vs, down, sym);
+ }
+ 
+@@ -1385,7 +1456,6 @@
+     vs->lsock = -1;
+     vs->csock = -1;
+     vs->depth = 4;
+-    vs->numlock = 0;
+ 
+     vs->ds = ds;
+ 
--- a/fix-vncfb-shift-key.patch
+++ b/fix-vncfb-shift-key.patch
@ -0,0 +1,142 @@
+Index: xen-3.1-testing/tools/xenfb/vncfb.c
+===================================================================
+--- xen-3.1-testing.orig/tools/xenfb/vncfb.c	2007-05-17 09:51:10.000000000 -0600
+++ xen-3.1-testing/tools/xenfb/vncfb.c	2007-09-14 11:59:57.000000000 -0600
+@@ -55,12 +55,47 @@
+ unsigned char keycode_table[512];
+ 
+ static void *kbd_layout;
+uint8_t modifiers_state[256];
+ 
+ static int btnmap[] = {
+ 	BTN_LEFT, BTN_MIDDLE, BTN_RIGHT, BTN_SIDE,
+ 	BTN_EXTRA, BTN_FORWARD, BTN_BACK, BTN_TASK
+ };
+ 
+static void press_key_shift_down(struct xenfb* xenfb, int down, int scancode)
+{
+	if (down)
+		xenfb_send_key(xenfb, 1, keycode_table[0x2a]);
+
+	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
+		fprintf(stderr, "Key %d %s lost (%s)\n",
+			scancode, "down", strerror(errno));
+
+	if (!down)
+		xenfb_send_key(xenfb, 0, keycode_table[0x2a]);
+}
+
+static void press_key_shift_up(struct xenfb* xenfb, int down, int scancode)
+{
+	if (down) {
+		if (modifiers_state[0x2a])
+			xenfb_send_key(xenfb, 0, keycode_table[0x2a]);
+		if (modifiers_state[0x36])
+			xenfb_send_key(xenfb, 0, keycode_table[0x36]);
+	}
+
+	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
+		fprintf(stderr, "Key %d %s lost (%s)\n",
+			scancode, "down", strerror(errno));
+
+	if (!down) {
+		if (modifiers_state[0x2a])
+			xenfb_send_key(xenfb, 1, keycode_table[0x2a]);
+		if (modifiers_state[0x36])
+			xenfb_send_key(xenfb, 1, keycode_table[0x36]);
+	}
+}
+
+ static void on_kbd_event(rfbBool down, rfbKeySym keycode, rfbClientPtr cl)
+ {
+ 	/*
+@@ -75,14 +110,75 @@
+ 	rfbScreenInfoPtr server = cl->screen;
+ 	struct xenfb *xenfb = server->screenData;
+ 	int scancode;
+	int shift = 0;
+	int shift_keys = 0;
+ 
+-	if (keycode >= 'A' && keycode <= 'Z')
+	if (keycode >= 'A' && keycode <= 'Z') {
+ 		keycode += 'a' - 'A';
+		shift = 1;
+	}
+	else {
+		shift = keysymIsShift(kbd_layout, keycode);
+	}
+	shift_keys = modifiers_state[0x2a] | modifiers_state[0x36];
+ 
+-	scancode = keycode_table[keysym2scancode(kbd_layout, keycode)];
+	scancode = keysym2scancode(kbd_layout, keycode);
+ 	if (scancode == 0)
+ 		return;
+-	if (xenfb_send_key(xenfb, down, scancode) < 0)
+
+	switch(scancode) {
+	case 0x2a:			/* Left Shift */
+	case 0x36:			/* Right Shift */
+	case 0x1d:			/* Left CTRL */
+	case 0x9d:			/* Right CTRL */
+	case 0x38:			/* Left ALT */
+	case 0xb8:			/* Right ALT */
+		if (down)
+			modifiers_state[scancode] = 1;
+		else
+			modifiers_state[scancode] = 0;
+		xenfb_send_key(xenfb, down, keycode_table[scancode]);
+		return;
+	case 0x45:			/* NumLock */
+		if (!down)
+			modifiers_state[scancode] ^= 1;
+		xenfb_send_key(xenfb, down, keycode_table[scancode]);
+		return;
+	}
+
+	if (keycodeIsKeypad(kbd_layout, scancode)) {
+	/* If the numlock state needs to change then simulate an additional
+	   keypress before sending this one.  This will happen if the user
+	   toggles numlock away from the VNC window.
+	*/
+		if (keysymIsNumlock(kbd_layout, keycode)) {
+			if (!modifiers_state[0x45]) {
+				modifiers_state[0x45] = 1;
+				xenfb_send_key(xenfb, 1, keycode_table[0x45]);
+				xenfb_send_key(xenfb, 0, keycode_table[0x45]);
+			}
+		} else {
+			if (modifiers_state[0x45]) {
+				modifiers_state[0x45] = 0;
+				xenfb_send_key(xenfb, 1, keycode_table[0x45]);
+				xenfb_send_key(xenfb, 0, keycode_table[0x45]);
+			}
+		}
+	}
+
+	/* If the shift state needs to change then simulate an additional
+	   keypress before sending this one.
+	*/
+	if (shift && !shift_keys) {
+		press_key_shift_down(xenfb, down, scancode);
+		return;
+	}
+	else if (!shift && shift_keys) {
+		press_key_shift_up(xenfb, down, scancode);
+		return;
+	}
+
+	if (xenfb_send_key(xenfb, down, keycode_table[scancode]) < 0)
+ 		fprintf(stderr, "Key %d %s lost (%s)\n",
+ 			scancode, down ? "down" : "up",
+ 			strerror(errno));
+@@ -314,6 +410,10 @@
+ 			atkbd_set2_keycode[atkbd_unxlate_table[i] | 0x80];
+ 	}
+ 
+	for (i = 0; i < 256; i++ ) {
+		modifiers_state[i] = 0;
+	}
+
+ 	fake_argv[2] = portstr;
+ 
+         if (title != NULL)
--- a/usercopy-gcc43-fix.patch
+++ b/usercopy-gcc43-fix.patch
@ -0,0 +1,22 @@
+Index: xen-3.1-testing/xen/arch/x86/usercopy.c
+===================================================================
+--- xen-3.1-testing.orig/xen/arch/x86/usercopy.c
+++ xen-3.1-testing/xen/arch/x86/usercopy.c
+@@ -41,7 +41,7 @@ unsigned long __copy_to_user_ll(void __u
+ 		"	"__FIXUP_WORD" 0b,3b\n"
+ 		"	"__FIXUP_WORD" 1b,2b\n"
+ 		".previous"
+-		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
+		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=&r"(__d2)
+ 		: "3"(__n), "0"(__n), "1"(to), "2"(from)
+ 		: "memory");
+ 	return (unsigned)__n;
+@@ -85,7 +85,7 @@ __copy_from_user_ll(void *to, const void
+ 		"	"__FIXUP_WORD" 0b,3b\n"
+ 		"	"__FIXUP_WORD" 1b,6b\n"
+ 		".previous"
+-		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
+		: "=&c"(__n), "=&D" (__d0), "=&S" (__d1), "=&r"(__d2)
+ 		: "3"(__n), "0"(__n), "1"(to), "2"(from)
+ 		: "memory");
+ 	return (unsigned)__n;
--- a/x86-page-cacheability.patch
+++ b/x86-page-cacheability.patch
@ -165,7 +165,18 @@ Index: xen-3.1-testing/xen/arch/x86/mm.c
         return 0;
     }
 
-@@ -624,9 +702,9 @@ get_page_from_l1e(
+@@ -624,15 +702,20 @@ get_page_from_l1e(
+             return 1;
+ 
+         d = dom_io;
+        /* For now ignore cacheability attributes on MMIO pages - Linux'
+         * ACPI code maps all memory cacheable (thus relying on MTRRs being
+         * set correctly), which conflicts with most other subsystems using
+         * uncacheable mappings. */
+        flags = (flags & ~PAGE_CACHE_ATTRS) | _PAGE_RW;
+     }
+ 
+     /* Foreign mappings into guests in shadow external mode don't
      * contribute to writeable mapping refcounts.  (This allows the
      * qemu-dm helper process in dom0 to map the domain's memory without
      * messing up the count of "real" writable mappings.) */
--- a/xen.changes
+++ b/xen.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Mon Nov  5 09:38:14 MST 2007 - jfehlig@novell.com
+
+- Added upstream c/s 15434 to allow access to serial devices.
+  Bug #338486.
+
+-------------------------------------------------------------------
+Thu Nov  1 13:17:46 MDT 2007 - carnold@novell.com
+
+- 334445: xenbaked: Fix security vulnerability CVE-2007-3919.
+
+-------------------------------------------------------------------
+Thu Nov  1 11:30:35 MDT 2007 - carnold@novell.com
+
+- #310279: Kernel Panic while booting Xen
+
+-------------------------------------------------------------------
+Tue Oct  2 17:05:28 MDT 2007 - ccoffing@novell.com
+
+- #286859: Fix booting from SAN
+
 -------------------------------------------------------------------
 Thu Sep 13 11:26:33 MDT 2007 - ccoffing@novell.com

--- a/xen.spec
+++ b/xen.spec
@ -34,7 +34,7 @@ BuildRequires:  glibc-32bit glibc-devel-32bit
 BuildRequires:  kernel-source kernel-syms module-init-tools xorg-x11
 %endif
 Version:        3.1.0_15042
-Release:        45
+Release:        69
 License:        GPL v2 only
 Group:          System/Kernel
 AutoReqProv:    on
@ -112,6 +112,8 @@ Patch51:        15716_dev_detach.patch
 Patch52:        fix_15716.patch
 Patch53:        hvm_vnc.diff
 Patch54:        xend_mem_leak.diff
+Patch55:        16157-xenmon-security.patch
+Patch56:        15434-irq-permissions.patch
 # Our patches
 Patch100:       xen-config.diff
 Patch101:       xend-config.diff
@ -160,6 +162,9 @@ Patch154:       pci-passthru-reboot-fix.patch
 Patch155:       keymap_nl-be.patch
 Patch156:       svm-cr8-performance.diff
 Patch157:       xend-reboot.diff
+Patch158:       fix-ioemu-vnc-shift-key.patch
+Patch159:       fix-vncfb-shift-key.patch
+Patch160:       usercopy-gcc43-fix.patch
 # Patches from Jan
 Patch200:       inval-sh-ldt.patch
 Patch201:       32on64-cpuid.patch
@ -360,7 +365,6 @@ Summary:        Xen Virtualization: Control tools for domain U
 Group:          System/Kernel
 Conflicts:      xen-tools
 AutoReqProv:    on
- 

 %description tools-domU
 Xen is a virtual machine monitor for x86 that supports execution of
@ -618,6 +622,8 @@ Authors:
 %patch52 -p1
 %patch53 -p1
 %patch54 -p1
+%patch55 -p1
+%patch56 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
@ -665,6 +671,9 @@ Authors:
 %patch155 -p1
 %patch156 -p1
 %patch157 -p1
+%patch158 -p1
+%patch159 -p1
+%patch160 -p1
 %patch200 -p1
 %patch201 -p1
 %patch202 -p1
@ -1004,8 +1013,16 @@ rm -f  $RPM_BUILD_ROOT/%pysite/*.egg-info

 %postun libs
 /sbin/ldconfig
-
 %changelog
+* Mon Nov 05 2007 - jfehlig@novell.com
+- Added upstream c/s 15434 to allow access to serial devices.
+  Bug #338486.
+* Thu Nov 01 2007 - carnold@novell.com
+- 334445: xenbaked: Fix security vulnerability CVE-2007-3919.
+* Thu Nov 01 2007 - carnold@novell.com
+- #310279: Kernel Panic while booting Xen
+* Tue Oct 02 2007 - ccoffing@novell.com
+- #286859: Fix booting from SAN
 * Thu Sep 13 2007 - ccoffing@novell.com
 - #310338: Fix "No such file or directory" in network-multinet
 * Wed Sep 12 2007 - jfehlig@novell.com