From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: qemu: Update to 2.5.1.1 [fixes CVE-2015-8558, CVE-2016-{3710, 3712}]
Date: Tue, 10 May 2016 03:43:13 -0400
Message-ID: <20160510074313.GA912@jasmine>
References: <20160510073544.11273.64305@vcs.savannah.gnu.org>
	<20160510073544.B8BAA220062@vcs.savannah.gnu.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:37699)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b02KL-0000UG-A3
	for guix-devel@gnu.org; Tue, 10 May 2016 03:43:34 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b02KF-0007zw-Ea
	for guix-devel@gnu.org; Tue, 10 May 2016 03:43:32 -0400
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:46253)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1b02KC-0007xr-Mz
	for guix-devel@gnu.org; Tue, 10 May 2016 03:43:27 -0400
Received: from localhost (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id D3891680269
	for <guix-devel@gnu.org>; Tue, 10 May 2016 03:43:14 -0400 (EDT)
Content-Disposition: inline
In-Reply-To: <20160510073544.B8BAA220062@vcs.savannah.gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Tue, May 10, 2016 at 07:35:44AM +0000, Leo Famulari wrote:
> lfam pushed a commit to branch master
> in repository guix.
> 
> commit b6449e61262374581b342aa4920bd37f2292923e
> Author: Leo Famulari <leo@famulari.name>
> Date:   Mon May 9 20:48:36 2016 -0400
> 
>     gnu: qemu: Update to 2.5.1.1 [fixes CVE-2015-8558, CVE-2016-{3710, 3712}].
>     
>     * gnu/packages/qemu.scm (qemu): Update to 2.5.1.1.
>     [arguments]: Disable parallel tests.

QEMU has released 2.5.1.1 [0], which fixes these bugs:

* CVE-2015-8558
* CVE-2016-3710
* CVE-2016-3712
* an out of bounds write in 'cadence_uart' [1] 

I wasn't able to build it reliably on my x86_64 machine. Sometimes, it
would fail the test suite, and sometimes it would pass. It passed the
tests more reliably (--rounds=10) when parallel-tests are #f, so I made
that change.

[0]
https://lists.nongnu.org/archive/html/qemu-stable/2016-05/msg00008.html

[1]
http://git.qemu.org/?p=qemu.git;a=commit;h=5b7236f7256974d9c0286fa4837aa5e15ef5c629