From 6bafe64a20228a8e1986a0d4bdec087c4ae4ba1f Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Wed, 22 Feb 2017 09:06:49 +0100
Subject: [PATCH] qemu: apply patches for multiple CVEs

Fixes:

* CVE-2017-2615
* CVE-2017-5667
* CVE-2017-5898
* CVE-2017-5931
* CVE-2017-5973

We are vulnerable to even more CVEs but those are either not severe like memory leaks in obscure situations or upstream hasn't acknowledged the patch yet.

cc #23072
---
 .../virtualization/qemu/default.nix | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index d7910eb938f..b201e229931 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -51,7 +51,39 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./no-etc-install.patch
+
+    (fetchurl {
+      name = "CVE-2017-2615.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64";
+      sha256 = "0miph2x4d474issa44hmc542zxmkc7lsr4ncb7pwarq6j7v52l8h";
+    })
+
+    (fetchurl {
+      name = "CVE-2017-5667.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=42922105beb14c2fc58185ea022b9f72fb5465e9";
+      sha256 = "049vq70is3fj9bf4ysfj3s44iz93qhyqn6xijck32w1x6yyzqyx4";
+    })
+
+    (fetchurl {
+      name = "CVE-2017-5898.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a";
+      sha256 = "1y2j0qw04s8fl0cs8i619y08kj75lxn3c0y19g710fzpk3rq8dvn";
+    })
+
+    (fetchurl {
+      name = "CVE-2017-5931.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=a08aaff811fb194950f79711d2afe5a892ae03a4";
+      sha256 = "0hlih9jhbb1mb174hvxs7pf7lgcs7s9g705ri9rliw7wrhqdpja5";
+    })
+
+    (fetchurl {
+      name = "CVE-2017-5973.patch";
+      url = "http://git.qemu-project.org/?p=qemu.git;a=patch;h=f89b60f6e5fee3923bedf80e82b4e5efc1bb156b";
+      sha256 = "06niyighjxb4p5z2as3mqfmrwrzn4sq47j7raipbq9gnda7x9sw6";
+    })
+
   ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch;
+
   hardeningDisable = [ "stackprotector" ];
 
   configureFlags =
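Review bot: The five new `fetchurl` entries download gitweb-generated output (`a=patch`), whose bytes are not stable over time — the trailing git-version line and header formatting of a generated patch can change, and every such change breaks the pinned sha256 and with it the build that carries these CVE fixes. nixpkgs provides `fetchpatch` for exactly this case: it normalizes the patch before hashing, so the same five blocks written as `(fetchpatch { name = "CVE-2017-2615.patch"; url = "<same url>"; sha256 = "<hash recomputed after fetchpatch normalization>"; })` would stay reproducible; `fetchpatch` would have to be added to the derivation's argument list, which lies outside this hunk. The pinned hashes already guard integrity, so the plain-`http://` URLs are a fetch-reliability rather than a tampering concern, but if the host serves https the scheme switch is cheap. The enclosing `stdenv.mkDerivation rec { … }` attribute set begins and ends outside the hunk.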