[Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze

Greg Kurz posted 28 patches 7 years, 1 month ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/1488277840-18608-1-git-send-email-groug@kaod.org
Test checkpatch passed
Test docker passed
Test s390x passed
[Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Greg Kurz 7 years, 1 month ago
The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:

  Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)

are available in the git repository at:

  https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream

for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:

  9pfs: local: drop unused code (2017-02-28 11:21:15 +0100)

----------------------------------------------------------------
This pull request has all the fixes for CVE-2016-9602, so that it can
be easily picked up by downstreams, as suggested by Michael Tokarev.

----------------------------------------------------------------
Greg Kurz (28):
      9pfs: local: move xattr security ops to 9p-xattr.c
      9pfs: remove side-effects in local_init()
      9pfs: remove side-effects in local_open() and local_opendir()
      9pfs: introduce relative_openat_nofollow() helper
      9pfs: local: keep a file descriptor on the shared folder
      9pfs: local: open/opendir: don't follow symlinks
      9pfs: local: lgetxattr: don't follow symlinks
      9pfs: local: llistxattr: don't follow symlinks
      9pfs: local: lsetxattr: don't follow symlinks
      9pfs: local: lremovexattr: don't follow symlinks
      9pfs: local: unlinkat: don't follow symlinks
      9pfs: local: remove: don't follow symlinks
      9pfs: local: utimensat: don't follow symlinks
      9pfs: local: statfs: don't follow symlinks
      9pfs: local: truncate: don't follow symlinks
      9pfs: local: readlink: don't follow symlinks
      9pfs: local: lstat: don't follow symlinks
      9pfs: local: renameat: don't follow symlinks
      9pfs: local: rename: use renameat
      9pfs: local: improve error handling in link op
      9pfs: local: link: don't follow symlinks
      9pfs: local: chmod: don't follow symlinks
      9pfs: local: chown: don't follow symlinks
      9pfs: local: symlink: don't follow symlinks
      9pfs: local: mknod: don't follow symlinks
      9pfs: local: mkdir: don't follow symlinks
      9pfs: local: open2: don't follow symlinks
      9pfs: local: drop unused code

 hw/9pfs/9p-local.c      | 1023 ++++++++++++++++++++++++++---------------------
 hw/9pfs/9p-local.h      |   20 +
 hw/9pfs/9p-posix-acl.c  |   44 +-
 hw/9pfs/9p-util.c       |   69 ++++
 hw/9pfs/9p-util.h       |   54 +++
 hw/9pfs/9p-xattr-user.c |   24 +-
 hw/9pfs/9p-xattr.c      |  166 +++++++-
 hw/9pfs/9p-xattr.h      |   87 +---
 hw/9pfs/Makefile.objs   |    2 +-
 9 files changed, 893 insertions(+), 596 deletions(-)
 create mode 100644 hw/9pfs/9p-local.h
 create mode 100644 hw/9pfs/9p-util.c
 create mode 100644 hw/9pfs/9p-util.h
-- 
2.7.4


Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Michael Tokarev 7 years, 1 month ago
28.02.2017 13:30, Greg Kurz wrote:
> The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
> 
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
> 
> are available in the git repository at:
> 
>   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
> 
> for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:

Greg, did you forget to push maybe? There's no tag "cve-2016-9602-for-upstream"
and no object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98.

Thanks,

/mjt

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Greg Kurz 7 years, 1 month ago
On Tue, 28 Feb 2017 17:02:44 +0300
Michael Tokarev <mjt@tls.msk.ru> wrote:

> 28.02.2017 13:30, Greg Kurz wrote:
> > The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
> > 
> >   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
> > 
> > are available in the git repository at:
> > 
> >   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
> > 
> > for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:  
> 
> Greg, did you forget to push maybe? There's no tag "cve-2016-9602-for-upstream"
> and no object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98.
> 

I had pushed actually and...

https://github.com/gkurz/qemu/commits/cve-2016-9602-for-upstream

https://github.com/gkurz/qemu/commit/c23d5f1d5bc0e23aeb845b1af8f996f16783ce98

What's wrong ?

> Thanks,
> 
> /mjt

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Michael Tokarev 7 years, 1 month ago
28.02.2017 17:22, Greg Kurz wrote:
> On Tue, 28 Feb 2017 17:02:44 +0300
> Michael Tokarev <mjt@tls.msk.ru> wrote:
> 
>> 28.02.2017 13:30, Greg Kurz wrote:
>>> The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
>>>
>>>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
>>>
>>> are available in the git repository at:
>>>
>>>   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
>>>
>>> for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:  
>>
>> Greg, did you forget to push maybe? There's no tag "cve-2016-9602-for-upstream"
>> and no object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98.
>>
> 
> I had pushed actually and...
> 
> https://github.com/gkurz/qemu/commits/cve-2016-9602-for-upstream
> https://github.com/gkurz/qemu/commit/c23d5f1d5bc0e23aeb845b1af8f996f16783ce98

Interesting. Perhaps I've never worked with github before.
It works when referring to a particular commit like this,
but the tag isn't visible in github UI, and neither the
tag nor this commit ID is visible when cloning github
repository locally. I wonder where's that.

$ git remote -v | grep gkurz
gkurz	git://github.com/gkurz/qemu.git (fetch)
gkurz	git://github.com/gkurz/qemu.git (push)
$ git remote update gkurz
Fetching gkurz
$ git show c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
fatal: bad object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
$ git show cve-2016-9602-for-upstream --
fatal: bad revision 'cve-2016-9602-for-upstream'

that's now.  I'll dig into that later, there's apparently
nothing wrong on your side, I'm sorry for the noise.

Thanks,

/mjt

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Greg Kurz 7 years, 1 month ago
On Tue, 28 Feb 2017 17:55:02 +0300
Michael Tokarev <mjt@tls.msk.ru> wrote:

> 28.02.2017 17:22, Greg Kurz wrote:
> > On Tue, 28 Feb 2017 17:02:44 +0300
> > Michael Tokarev <mjt@tls.msk.ru> wrote:
> >   
> >> 28.02.2017 13:30, Greg Kurz wrote:  
> >>> The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
> >>>
> >>>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
> >>>
> >>> are available in the git repository at:
> >>>
> >>>   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
> >>>
> >>> for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:    
> >>
> >> Greg, did you forget to push maybe? There's no tag "cve-2016-9602-for-upstream"
> >> and no object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98.
> >>  
> > 
> > I had pushed actually and...
> > 
> > https://github.com/gkurz/qemu/commits/cve-2016-9602-for-upstream
> > https://github.com/gkurz/qemu/commit/c23d5f1d5bc0e23aeb845b1af8f996f16783ce98  
> 
> Interesting. Perhaps I've never worked with github before.
> It works when referring to a particular commit like this,
> but the tag isn't visible in github UI, and neither the
> tag nor this commit ID is visible when cloning github
> repository locally. I wonder where's that.
> 

Yeah I confirm that's the way it goes with github and I was pretty
surprised myself when I first realized that... but I must confess
I never tried to investigate.

> $ git remote -v | grep gkurz
> gkurz	git://github.com/gkurz/qemu.git (fetch)
> gkurz	git://github.com/gkurz/qemu.git (push)
> $ git remote update gkurz
> Fetching gkurz
> $ git show c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
> fatal: bad object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
> $ git show cve-2016-9602-for-upstream --
> fatal: bad revision 'cve-2016-9602-for-upstream'
> 
> that's now.  I'll dig into that later, there's apparently
> nothing wrong on your side, I'm sorry for the noise.
> 

No problem. I've just verified I could merge these two pull
requests in a clean 'git clone' of master, and it works as
expected... phew! :)

Cheers.

--
Greg

> Thanks,
> 
> /mjt

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Daniel P. Berrange 7 years, 1 month ago
On Tue, Feb 28, 2017 at 05:55:02PM +0300, Michael Tokarev wrote:
> 28.02.2017 17:22, Greg Kurz wrote:
> > On Tue, 28 Feb 2017 17:02:44 +0300
> > Michael Tokarev <mjt@tls.msk.ru> wrote:
> > 
> >> 28.02.2017 13:30, Greg Kurz wrote:
> >>> The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
> >>>
> >>>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
> >>>
> >>> are available in the git repository at:
> >>>
> >>>   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
> >>>
> >>> for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:  
> >>
> >> Greg, did you forget to push maybe? There's no tag "cve-2016-9602-for-upstream"
> >> and no object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98.
> >>
> > 
> > I had pushed actually and...
> > 
> > https://github.com/gkurz/qemu/commits/cve-2016-9602-for-upstream
> > https://github.com/gkurz/qemu/commit/c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
> 
> Interesting. Perhaps I've never worked with github before.
> It works when referring to a particular commit like this,
> but the tag isn't visible in github UI, and neither the
> tag nor this commit ID is visible when cloning github
> repository locally. I wonder where's that.

Did Greg perhaps push the tag, but not the branch the commits & tag were
on ?   IIUC, if you don't push any branch holding the code, then the
commits & tags are in the repo, but essentially orphaned and thus
invisible to the github UI navigation.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Pranith Kumar 7 years, 1 month ago
On Tue, Feb 28, 2017 at 9:55 AM, Michael Tokarev <mjt@tls.msk.ru> wrote:
>>
>> https://github.com/gkurz/qemu/commits/cve-2016-9602-for-upstream
>> https://github.com/gkurz/qemu/commit/c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
>
> Interesting. Perhaps I've never worked with github before.
> It works when referring to a particular commit like this,
> but the tag isn't visible in github UI, and neither the
> tag nor this commit ID is visible when cloning github
> repository locally. I wonder where's that.
>
> $ git remote -v | grep gkurz
> gkurz   git://github.com/gkurz/qemu.git (fetch)
> gkurz   git://github.com/gkurz/qemu.git (push)
> $ git remote update gkurz
> Fetching gkurz
> $ git show c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
> fatal: bad object c23d5f1d5bc0e23aeb845b1af8f996f16783ce98
> $ git show cve-2016-9602-for-upstream --
> fatal: bad revision 'cve-2016-9602-for-upstream'
>
> that's now.  I'll dig into that later, there's apparently
> nothing wrong on your side, I'm sorry for the noise.
>

I think the answer is given here:
https://eddiemoya.com/2013/02/21/better-git-git-fetch-not-getting-tags/

You have to explicitly fetch the tags using 'git fetch -t gkurz' to
get the tags which are not direct references to a commit.

$ git remote update gkurz
Fetching gkurz
From https://github.com/gkurz/qemu
 * [new branch]            9p-attr-fixes         -> gkurz/9p-attr-fixes
 * [new branch]            9p-cleanup            -> gkurz/9p-cleanup
 * [new branch]            9p-fix                -> gkurz/9p-fix
 * [new branch]            9p-next               -> gkurz/9p-next
 * [new branch]            9p-proxy              -> gkurz/9p-proxy
 * [new branch]            9p-security           -> gkurz/9p-security
 * [new branch]            9p-symlink            -> gkurz/9p-symlink
 * [new branch]            9p-tests              -> gkurz/9p-tests
 * [new branch]            ppc-vcpu-dt-id-rework -> gkurz/ppc-vcpu-dt-id-rework

$ git fetch -t gkurz
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (145/145), done.
remote: Total 155 (delta 126), reused 8 (delta 8), pack-reused 2
Receiving objects: 100% (155/155), 41.89 KiB | 0 bytes/s, done.
Resolving deltas: 100% (126/126), completed with 6 local objects.
From https://github.com/gkurz/qemu
 * [new tag]               cve-2016-9602-for-upstream -> cve-2016-9602-for-upstream
 t [tag update]            for-upstream               -> for-upstream
 t [tag update]            for_anthony                -> for_anthony


Thanks,
--
Pranith
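
The fetch behaviour discussed in this thread, reproduced offline as an added example (not part of any message above and not QEMU project code): a tag whose commits sit on no branch is skipped by `git remote update`, arrives with `git fetch -t`, and is accepted only if it peels to the commit ID quoted in the pull request. The repositories, the remote name `maint` and the tag `for-upstream-demo` are constructed for the illustration.

```sh
#!/bin/sh
# Added example. Everything is constructed: throwaway local repositories, a
# remote named "maint" and a tag named "for-upstream-demo". No network access.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Maintainer side: one branch, plus an annotated tag on a commit on no branch.
make_upstream() {
    g init -q "$1"
    g -C "$1" commit -q --allow-empty -m "base, on the branch"
    g -C "$1" checkout -q --detach
    g -C "$1" commit -q --allow-empty -m "fix, reachable only from the tag"
    g -C "$1" tag -a -m "pull request tag" for-upstream-demo
    g -C "$1" checkout -q -
}

# Print the commit that $2 names in repository $1, or "missing".
resolve() {
    g -C "$1" rev-parse -q --verify "$2^{commit}" 2>/dev/null || echo missing
}

# Fetch only tag $3 from remote $2 and accept it only if it peels to the
# commit ID quoted in the pull request ($4). Returns 0 on a match.
verify_pull() {
    g -C "$1" fetch -q "$2" "refs/tags/$3" || return 1
    [ "$(resolve "$1" FETCH_HEAD)" = "$4" ]
}

demo() {
    work=$(mktemp -d) || return 1
    make_upstream "$work/up"
    expected=$(resolve "$work/up" for-upstream-demo)  # ID the e-mail would quote
    other=$(resolve "$work/up" HEAD)                  # a different commit
    g init -q "$work/local"
    g -C "$work/local" remote add maint "$work/up"
    g -C "$work/local" remote update maint >/dev/null 2>&1
    tag_before=$(resolve "$work/local" for-upstream-demo)
    obj_before=$(resolve "$work/local" "$expected")
    g -C "$work/local" fetch -q -t maint
    [ "$(resolve "$work/local" for-upstream-demo)" = "$expected" ] \
        && tag_after=fetched || tag_after=missing
    verify_pull "$work/local" maint for-upstream-demo "$expected" \
        && good=accepted || good=rejected
    verify_pull "$work/local" maint for-upstream-demo "$other" \
        && bad=accepted || bad=rejected
    rm -rf "$work"
    echo "$tag_before $obj_before $tag_after $good $bad"
}

demo   # prints: missing missing fetched accepted rejected
```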

Re: [Qemu-devel] [PULL 00/28] 9p CVE-2016-9602 fixes 2017-02-28 for 2.9 soft freeze
Posted by Peter Maydell 7 years, 1 month ago
On 28 February 2017 at 10:30, Greg Kurz <groug@kaod.org> wrote:
> The following changes since commit 9b9fbe8a4e9eec9072ee2697a6af59144442785f:
>
>   Merge remote-tracking branch 'remotes/kraxel/tags/pull-ui-20170227-1' into staging (2017-02-27 19:19:46 +0000)
>
> are available in the git repository at:
>
>   https://github.com/gkurz/qemu.git tags/cve-2016-9602-for-upstream
>
> for you to fetch changes up to c23d5f1d5bc0e23aeb845b1af8f996f16783ce98:
>
>   9pfs: local: drop unused code (2017-02-28 11:21:15 +0100)
>
> ----------------------------------------------------------------
> This pull request has all the fixes for CVE-2016-9602, so that it can
> be easily picked up by downstreams, as suggested by Michael Tokarev.
>
> ----------------------------------------------------------------

Applied, thanks.

-- PMM