NetBSD Problem Report #51742

From www@NetBSD.org  Mon Dec 26 04:33:54 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id C455F7A266
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 26 Dec 2016 04:33:54 +0000 (UTC)
Message-Id: <20161226043353.D98727A33D@mollari.NetBSD.org>
Date: Mon, 26 Dec 2016 04:33:53 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: emulators/unicorn ships with an old release of Qemu which it builds against
X-Send-Pr-Version: www-1.0

>Number:         51742
>Category:       pkg
>Synopsis:       emulators/unicorn ships with an old release of Qemu which it builds against
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 26 04:35:00 +0000 2016
>Closed-Date:    Mon Feb 27 07:46:09 +0000 2017
>Last-Modified:  Mon Feb 27 07:46:09 +0000 2017
>Originator:     Sevan Janiyan
>Release:        pkgsrc-current
>Organization:
>Environment:
>Description:
unicorn ships with its own copy of Qemu 2.2.1 from March 2015 which is most certainly vulnerable in one way or another. An ideal project to adapt for buildlink??
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: Kamil Rytarowski <n54@gmx.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51742: emulators/unicorn ships with an old release of Qemu
 which it builds against
Date: Mon, 26 Dec 2016 05:40:07 +0100

 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
 --BScgBnVx3ttvU9IxkjmkXAoR0HxhcMeL9
 Content-Type: multipart/mixed; boundary="s4VoFI0jXEoSoNrKkbT1uo3GQ7nHJkQwD";
  protected-headers="v1"
 From: Kamil Rytarowski <n54@gmx.com>
 To: gnats-bugs@NetBSD.org
 Message-ID: <fdd58eff-11fa-c52c-c6d8-d1018e8d9c16@gmx.com>
 Subject: Re: pkg/51742: emulators/unicorn ships with an old release of Qemu
  which it builds against
 References: <pr-pkg-51742@gnats.netbsd.org>
  <20161226043353.D98727A33D@mollari.NetBSD.org>
  <20161226043500.AAC047A342@mollari.NetBSD.org>
 In-Reply-To: <20161226043500.AAC047A342@mollari.NetBSD.org>

 --s4VoFI0jXEoSoNrKkbT1uo3GQ7nHJkQwD
 Content-Type: text/plain; charset=windows-1252
 Content-Transfer-Encoding: quoted-printable

 unicorn runs a subset of qemu, restricted to emulating cpu instructions
 for given input

 "An ideal project to adapt for buildlink??" This is unclear to me.


 --s4VoFI0jXEoSoNrKkbT1uo3GQ7nHJkQwD--

 --BScgBnVx3ttvU9IxkjmkXAoR0HxhcMeL9
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename="signature.asc"

 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2

 iQIcBAEBCAAGBQJYYJ8wAAoJEEuzCOmwLnZss6kP/jBQmziVlu0H1cQMEw8/3ZA8
 P3lTnHWRaoiB3Jd0I98XLu10FdX6gRC2XjF80s2xExf5aqbbyFV+plQBFGY2evlz
 CNOgopUxZlj1GddU/C8iwMHC6PaPPxaBQmZrrDj91e6DhVUfMzirki9dsFbjSzOM
 qMMGAwImlfkFCl2A2YaYS7EmjaCQ97acpxlXiiGBUVm3PI6idB/qFNYQ1jyMJn4X
 Ar5IfhXU/YtZTGquCcHn4FK8VbIgdjDf08PsR+kKQrdQBf7U1nE/F3rOLB6k6ht1
 OaWJ5EdIQwn6GQyFzDvSFcMrKqwxu26HHipiqSxxjmDKZZ9T2olC0nS/qon0hKdt
 TpMDZvuPpQIh9atOXkELqvz67HKHOyVExPFceI0q9oC4ao41aJaIb7uV0ZyvH19M
 jD0EzG747mZWpIb31J4Nb3pPcTWVXM5wXTBA7qngV4GPgr4XMlzoH8BKoqUzijmv
 ADNWVVnZuv6xQLq4XwcsXzUbXHoQkywIooDTQwHdURnh94sLqniGI7I0mbw0pOJs
 aTtasxJuGPfvnINai1adMz1GmHYzzNWO+mSNErQe5FH/4xwNy4FDI7VqYos8F81v
 +NN7AP0Vw7cON4/6qkJQAQ34HsjuTSdnKuIawxN0tYCR3LythyXA/S2Wpwhtl7+P
 MYO2+oepq3Gkl8coTa8J
 =x3Vf
 -----END PGP SIGNATURE-----

 --BScgBnVx3ttvU9IxkjmkXAoR0HxhcMeL9--

From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51742: emulators/unicorn ships with an old release of Qemu
 which it builds against
Date: Mon, 26 Dec 2016 20:10:21 +0000

 On 26/12/2016 04:40, Kamil Rytarowski wrote:
 >  unicorn runs a subset of qemu, restricted to emulating cpu instructions
 >  for given input
 >  
 >  "An ideal project to adapt for buildlink??" This is unclear to me.

 Don't use the bundled subset of qemu, switch out for the version we
 package. I was thinking when it comes to auditing, the task becomes
 easier rather than having to delve in once more to see if the bundled
 version of qemu has the issue.


 Sevan

From: Kamil Rytarowski <n54@gmx.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/51742: emulators/unicorn ships with an old release of Qemu
 which it builds against
Date: Tue, 27 Dec 2016 01:19:24 +0100

 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
 --A3SXjvUNX3IB1VMH5sBWfGX0UhDG0LaaS
 Content-Type: multipart/mixed; boundary="17cUtrAGoW76B7D6c4hD2cFdRGrQgm9oA";
  protected-headers="v1"
 From: Kamil Rytarowski <n54@gmx.com>
 To: gnats-bugs@NetBSD.org
 Message-ID: <54903af4-5ca7-4c5c-aa49-dc7a73d0e88b@gmx.com>
 Subject: Re: pkg/51742: emulators/unicorn ships with an old release of Qemu
  which it builds against
 References: <pr-pkg-51742@gnats.netbsd.org>
  <20161226043353.D98727A33D@mollari.NetBSD.org>
  <20161226220002.3259C7A34F@mollari.NetBSD.org>
 In-Reply-To: <20161226220002.3259C7A34F@mollari.NetBSD.org>

 --17cUtrAGoW76B7D6c4hD2cFdRGrQgm9oA
 Content-Type: text/plain; charset=windows-1252
 Content-Transfer-Encoding: quoted-printable

 On 26.12.2016 23:00, Sevan Janiyan wrote:
 > The following reply was made to PR pkg/51742; it has been noted by GNAT=
 S.
 >=20
 > From: Sevan Janiyan <venture37@geeklan.co.uk>
 > To: gnats-bugs@NetBSD.org
 > Cc:=20
 > Subject: Re: pkg/51742: emulators/unicorn ships with an old release of =
 Qemu
 >  which it builds against
 > Date: Mon, 26 Dec 2016 20:10:21 +0000
 >=20
 >  On 26/12/2016 04:40, Kamil Rytarowski wrote:
 >  >  unicorn runs a subset of qemu, restricted to emulating cpu instruct=
 ions
 >  >  for given input
 >  > =20
 >  >  "An ideal project to adapt for buildlink??" This is unclear to me.
 > =20
 >  Don't use the bundled subset of qemu, switch out for the version we
 >  package. I was thinking when it comes to auditing, the task becomes
 >  easier rather than having to delve in once more to see if the bundled
 >  version of qemu has the issue.
 > =20
 > =20
 >  Sevan
 > =20
 >=20

 This is a modified version of qemu internal libraries and routines.

 This PR should be filed upstream.


 --17cUtrAGoW76B7D6c4hD2cFdRGrQgm9oA--

 --A3SXjvUNX3IB1VMH5sBWfGX0UhDG0LaaS
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename="signature.asc"

 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2

 iQIcBAEBCAAGBQJYYbOTAAoJEEuzCOmwLnZsKOsQAKe3+lkw+8GZTL3Mbo7psqzo
 T6TgOzbqMSepuQ5bHRUsD/SMZxaa8PNNdoz62eGn3h8TQzuDCQQq0bRbePFKMZUT
 P9NTVnw0bjbP4riXRVtUIRrwZl3MDa7fgTQmv5XgKWUE6SYk445jTj9IF4p2yHKi
 oZ5NA3sIgRNFJ67XcQvTDdgX8BNVk+rpVK4iUNj+fmWJS5CH0whE5B2loqsZAUBs
 bvbkpp4gDhp8zhvB7CvU3UDAKd5SopTWSCVGxFhE97DMurrcWUXnzaYMF+WFbmhk
 aUMIgaAQwhCxqxUBRKmgR6bdaYsQGZnXFMxHYeSQ5PajHl1OcDc6Nzz/5vP70Kc4
 eAkR0MJwRoW3ux1lrziXVeTtcbLzspPnSd6q1ik7MSyZcmxrdV0PORFKI4vMM8Hn
 vThm+WKczAEAA0jXWrs/Ryej9fXnD69yJSQ6W+GpdfP1VEYbl/9hc7vNkbcf+qbV
 eMfJI6AS9yUBKCjuGcLgK46nr8GDHXvzRmiCNEGtMO6NGSrUJYpVQG2iUHXPZFxx
 Y8qqJWNti1f5eZIB0LglWFa0l5yJ5yOnnBNb8QTOr/7q32wxa7q56VRD+5dPObmC
 Jg3D3ytIk3kgk+6L5R+gbFAB4cIWc7lz9g0Neh/JgGYecYVeaR683LmTBvyLo6AZ
 XrGWyBspJP5JQB04s9fH
 =vnzv
 -----END PGP SIGNATURE-----

 --A3SXjvUNX3IB1VMH5sBWfGX0UhDG0LaaS--

State-Changed-From-To: open->closed
State-Changed-By: kamil@NetBSD.org
State-Changed-When: Mon, 27 Feb 2017 08:46:09 +0100
State-Changed-Why:
unicorn engine is a qemu fork with a limited subset of its original functions (and set of new addons)
it will not be linked against the original qemu
this bug is not applicable for unicorn, if there are security issues it should be applied separately to unicorn


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.