diff --git a/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch b/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch
index 68c4968..496ff08 100644
--- a/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch
+++ b/0001-qemu-Set-QEMU_AUDIO_DRV-none-with-nographic.patch
@@ -1,7 +1,7 @@
-From cc80f2dc06d46cb32a5cd6d12c6c47ddf64e72b6 Mon Sep 17 00:00:00 2001
+From 0f30e63c7d763278204f99e10ba47b08457f1d41 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Mon, 2 Sep 2013 11:23:59 +0100
-Subject: [PATCH 1/8] qemu: Set QEMU_AUDIO_DRV=none with -nographic
+Subject: [PATCH] qemu: Set QEMU_AUDIO_DRV=none with -nographic
On my machine, a guest fails to boot if it has a sound card, but not
graphical device/display is configured, because pulseaudio fails to
@@ -3568,6 +3568,3 @@ index 29cf9c3..26038a0 100644
/usr/bin/qemu -S -M pc -m 214 -smp 1 -nographic -monitor \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
/dev/HostVG/QEMUGuest1 -net none -serial none -parallel none
---
-1.8.3.1
-
diff --git a/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch b/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch
index 8d5a98c..941ae8f 100644
--- a/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch
+++ b/0002-domain_conf-Add-default-memballoon-in-PostParse-call.patch
@@ -1,8 +1,7 @@
-From 79c38961565eb2d352f101cbd6806314894614cb Mon Sep 17 00:00:00 2001
+From 1bab38008dbfb16329e73b419fd9871e6f15990c Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:30 -0400
-Subject: [PATCH 2/8] domain_conf: Add default memballoon in PostParse
- callbacks
+Subject: [PATCH] domain_conf: Add default memballoon in PostParse callbacks
This should be a no-op change for now.
---
@@ -76,6 +75,3 @@ index cb64de6..6cb4f4f 100644
return 0;
}
---
-1.8.3.1
-
diff --git a/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch b/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch
index f41c9ee..b20b418 100644
--- a/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch
+++ b/0003-qemu-Don-t-add-default-memballoon-device-on-ARM.patch
@@ -1,7 +1,7 @@
-From 5ed47b89c6cb59c9ec5169bcc99a67e9a75fb2af Mon Sep 17 00:00:00 2001
+From d85bc1315cc00800ed6d4a1baeda9a91c34e52c4 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:31 -0400
-Subject: [PATCH 3/8] qemu: Don't add default memballoon device on ARM
+Subject: [PATCH] qemu: Don't add default memballoon device on ARM
And add test cases for a basic working ARM guest.
---
@@ -189,6 +189,3 @@ index fac83b2..92433ef 100644
if (virTestGetDebug()) {
char *caps_str;
---
-1.8.3.1
-
diff --git a/0004-qemu-Fix-specifying-char-devs-for-ARM.patch b/0004-qemu-Fix-specifying-char-devs-for-ARM.patch
index cd9c4e9..a7660d8 100644
--- a/0004-qemu-Fix-specifying-char-devs-for-ARM.patch
+++ b/0004-qemu-Fix-specifying-char-devs-for-ARM.patch
@@ -1,7 +1,7 @@
-From 20f2f4c07d8e8d4373094473114ae16909fe4005 Mon Sep 17 00:00:00 2001
+From c72361536b151a2b9bd839bd528671bafbd5dee2 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:32 -0400
-Subject: [PATCH 4/8] qemu: Fix specifying char devs for ARM
+Subject: [PATCH] qemu: Fix specifying char devs for ARM
QEMU ARM boards don't give us any way to explicitly wire in
a -chardev, so use the old style -serial options.
@@ -154,6 +154,3 @@ index dfe8142..abe0060 100644
if ((logfd = qemuDomainOpenLog(driver, vm, pos)) < 0)
return -1;
---
-1.8.3.1
-
diff --git a/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch b/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch
index 69ab3fa..e90071f 100644
--- a/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch
+++ b/0005-qemu-Don-t-try-to-allocate-PCI-addresses-for-ARM.patch
@@ -1,7 +1,7 @@
-From 5772cbdfb807842685d05665f285745ca79acc89 Mon Sep 17 00:00:00 2001
+From c8e47add2fe77905523f6112ceb6b844337f6d3f Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:33 -0400
-Subject: [PATCH 5/8] qemu: Don't try to allocate PCI addresses for ARM
+Subject: [PATCH] qemu: Don't try to allocate PCI addresses for ARM
---
src/qemu/qemu_command.c | 16 ++++++++++++++--
@@ -41,6 +41,3 @@ index a8e532c..87345c7 100644
}
if (obj && obj->privateData) {
---
-1.8.3.1
-
diff --git a/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch b/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch
index 9a1703a..e5ba752 100644
--- a/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch
+++ b/0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch
@@ -1,7 +1,7 @@
-From 019eccdb20e824aabb12da3699664ba2625ef4b4 Mon Sep 17 00:00:00 2001
+From e534a73a71655d45a0b0af98b4b9b9176d701fb3 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:34 -0400
-Subject: [PATCH 6/8] domain_conf: Add disk bus=sd, wire it up for qemu
+Subject: [PATCH] domain_conf: Add disk bus=sd, wire it up for qemu
This corresponds to '-sd' and '-drive if=sd' on the qemu command line.
Needed for many ARM boards which don't provide any other way to
@@ -144,6 +144,3 @@ index 87345c7..6733709 100644
ignore_value(VIR_STRDUP(def->dst, "sda"));
} else if (def->bus == VIR_DOMAIN_DISK_BUS_VIRTIO) {
ignore_value(VIR_STRDUP(def->dst, "vda"));
---
-1.8.3.1
-
diff --git a/0007-qemu-Fix-networking-for-ARM-guests.patch b/0007-qemu-Fix-networking-for-ARM-guests.patch
index 197ea92..cc9b8af 100644
--- a/0007-qemu-Fix-networking-for-ARM-guests.patch
+++ b/0007-qemu-Fix-networking-for-ARM-guests.patch
@@ -1,7 +1,7 @@
-From 7a73b81f1021c76d02fe54f927cd033fe949590f Mon Sep 17 00:00:00 2001
+From b09ab6961b8dd60691839f0b1a5f259925819425 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:35 -0400
-Subject: [PATCH 7/8] qemu: Fix networking for ARM guests
+Subject: [PATCH] qemu: Fix networking for ARM guests
Similar to the chardev bit, ARM boards depend on the old style '-net nic'
for actually instantiating net devices. But we can't block out
@@ -204,6 +204,3 @@ index cb6106f..6ecabbf 100644
virObjectUnref(driver.config);
virObjectUnref(driver.caps);
---
-1.8.3.1
-
diff --git a/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch b/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
index d113b25..f60a794 100644
--- a/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
+++ b/0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
@@ -1,7 +1,7 @@
-From 1ec41110747764f89f522e9e010326944da8d96d Mon Sep 17 00:00:00 2001
+From cddd76962c2a0fcbb8c80240d234b7d0d657324d Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Fri, 30 Aug 2013 12:41:36 -0400
-Subject: [PATCH 8/8] qemu: Support virtio-mmio transport for virtio on ARM
+Subject: [PATCH] qemu: Support virtio-mmio transport for virtio on ARM
Starting with qemu 1.6, the qemu-system-arm vexpress-a9 model has a
hardcoded virtio-mmio transport which enables attaching all virtio
@@ -446,6 +446,3 @@ index 6ecabbf..ae8cc3b 100644
virObjectUnref(driver.config);
virObjectUnref(driver.caps);
---
-1.8.3.1
-
diff --git a/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch b/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
new file mode 100644
index 0000000..5e8edf9
--- /dev/null
+++ b/0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
@@ -0,0 +1,26 @@
+From 580025d7a58ee4c07312d33aa78186dbe7e0d9ee Mon Sep 17 00:00:00 2001
+From: Michal Privoznik <mprivozn@redhat.com>
+Date: Tue, 3 Sep 2013 18:56:06 +0200
+Subject: [PATCH] virFileNBDDeviceAssociate: Avoid use of uninitialized
+ variable
+
+The @qemunbd variable can be used uninitialized.
+
+(cherry picked from commit 2dba0323ff0cec31bdcea9dd3b2428af297401f2)
+---
+ src/util/virfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/util/virfile.c b/src/util/virfile.c
+index 2b07ac9..7af0843 100644
+--- a/src/util/virfile.c
++++ b/src/util/virfile.c
+@@ -732,7 +732,7 @@ int virFileNBDDeviceAssociate(const char *file,
+ char **dev)
+ {
+ char *nbddev;
+- char *qemunbd;
++ char *qemunbd = NULL;
+ virCommandPtr cmd = NULL;
+ int ret = -1;
+ const char *fmtstr = NULL;
diff --git a/0102-Fix-AM_LDFLAGS-typo.patch b/0102-Fix-AM_LDFLAGS-typo.patch
new file mode 100644
index 0000000..5bc3be1
--- /dev/null
+++ b/0102-Fix-AM_LDFLAGS-typo.patch
@@ -0,0 +1,23 @@
+From a0ed55a9ab7c90723490363febabd27fa59877c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 1 Sep 2013 09:53:03 +0200
+Subject: [PATCH] Fix AM_LDFLAGS typo (cherry picked from commit
+ fe502de3bcdd76a0d256206111945ca7e4f4388a)
+
+---
+ src/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 636bcbc..19dfb81 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1455,7 +1455,7 @@ libvirt_driver_nwfilter_la_CFLAGS = \
+ -I$(top_srcdir)/src/access \
+ -I$(top_srcdir)/src/conf \
+ $(AM_CFLAGS)
+-libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS)
++libvirt_driver_nwfilter_la_LDFLAGS = $(AM_LDFLAGS)
+ libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
+ if WITH_DRIVER_MODULES
+ libvirt_driver_nwfilter_la_LIBADD += ../gnulib/lib/libgnu.la
diff --git a/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch b/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
new file mode 100644
index 0000000..c014fe2
--- /dev/null
+++ b/0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
@@ -0,0 +1,88 @@
+From bd4e7f927fcc2edcba29e441973389ad845d648c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 1 Sep 2013 08:50:58 +0200
+Subject: [PATCH] Pass AM_LDFLAGS to driver modules too
+
+This gives us a RO got, otherwise Debian's lintian complains:
+
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_qemu.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_vbox.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_xen.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_nwfilter.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_storage.so
+W: libvirt-bin: hardening-no-relro usr/lib/libvirt/connection-driver/libvirt_driver_uml.so
+W: libvirt-sanlock: hardening-no-relro usr/lib/libvirt/lock-driver/sanlock.so
+(cherry picked from commit f1f0e53b0814aab3c093f1219da95c0f836cdf4a)
+---
+ src/Makefile.am | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index 19dfb81..097682c 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -1000,7 +1000,7 @@ libvirt_driver_xen_la_LIBADD = libvirt_driver_xen_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_xen.la
+ libvirt_driver_xen_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_xen_la_LDFLAGS = -module -avoid-version
++libvirt_driver_xen_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_xen.la
+ # Stateful, so linked to daemon instead
+@@ -1050,7 +1050,7 @@ libvirt_driver_vbox_la_LIBADD = libvirt_driver_vbox_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_vbox.la
+ libvirt_driver_vbox_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version
++libvirt_driver_vbox_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_vbox.la
+ # GPLv2-only license requries that it be linked into
+@@ -1083,7 +1083,7 @@ libvirt_driver_libxl_la_LIBADD = libvirt_driver_libxl_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_libxl.la
+ libvirt_driver_libxl_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version
++libvirt_driver_libxl_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_libxl.la
+ # Stateful, so linked to daemon instead
+@@ -1108,7 +1108,7 @@ libvirt_driver_qemu_la_LIBADD = libvirt_driver_qemu_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_qemu.la
+ libvirt_driver_qemu_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version
++libvirt_driver_qemu_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_qemu.la
+ # Stateful, so linked to daemon instead
+@@ -1184,7 +1184,7 @@ libvirt_driver_uml_la_LIBADD = libvirt_driver_uml_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_uml.la
+ libvirt_driver_uml_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_uml_la_LDFLAGS = -module -avoid-version
++libvirt_driver_uml_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_uml.la
+ # Stateful, so linked to daemon instead
+@@ -1361,7 +1361,7 @@ libvirt_driver_storage_la_LIBADD = libvirt_driver_storage_impl.la
+ if WITH_DRIVER_MODULES
+ mod_LTLIBRARIES += libvirt_driver_storage.la
+ libvirt_driver_storage_la_LIBADD += ../gnulib/lib/libgnu.la
+-libvirt_driver_storage_la_LDFLAGS = -module -avoid-version
++libvirt_driver_storage_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ else
+ noinst_LTLIBRARIES += libvirt_driver_storage.la
+ # Stateful, so linked to daemon instead
+@@ -2114,7 +2114,7 @@ if WITH_SANLOCK
+ lockdriver_LTLIBRARIES += sanlock.la
+ sanlock_la_SOURCES = $(LOCK_DRIVER_SANLOCK_SOURCES)
+ sanlock_la_CFLAGS = -I$(top_srcdir)/src/conf $(AM_CFLAGS)
+-sanlock_la_LDFLAGS = -module -avoid-version
++sanlock_la_LDFLAGS = -module -avoid-version $(AM_LDFLAGS)
+ sanlock_la_LIBADD = -lsanlock_client \
+ ../gnulib/lib/libgnu.la
+
diff --git a/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch b/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
new file mode 100644
index 0000000..3ebb3c7
--- /dev/null
+++ b/0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
@@ -0,0 +1,125 @@
+From bcba68498f698dedfdc83687c72e0e6dd7dc0e96 Mon Sep 17 00:00:00 2001
+From: Eric Blake <eblake@redhat.com>
+Date: Fri, 13 Sep 2013 10:11:26 -0600
+Subject: [PATCH] build: fix build with latest rawhide kernel headers
+
+Bother those kernel developers. In the latest rawhide, kernel
+and glibc have now been unified so that <netinet/in.h> and
+<linux/in6.h> no longer clash; but <linux/if_bridge.h> is still
+not self-contained. Because of the latest header change, the
+build is failing with:
+
+checking for linux/param.h... no
+configure: error: You must install kernel-headers in order to compile libvirt with QEMU or LXC support
+
+with details:
+
+In file included from conftest.c:561:0:
+/usr/include/linux/in6.h:71:18: error: field 'flr_dst' has incomplete type
+ struct in6_addr flr_dst;
+
+We need a workaround to avoid our workaround :)
+
+* configure.ac (NETINET_LINUX_WORKAROUND): New test.
+* src/util/virnetdevbridge.c (includes): Use it.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit e62e0094dcd0ca1484491a9cc62919473b647f11)
+---
+ configure.ac | 39 +++++++++++++++++++++++++++++----------
+ src/util/virnetdevbridge.c | 24 ++++++++++++++----------
+ 2 files changed, 43 insertions(+), 20 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index f853e03..1956717 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1003,18 +1003,37 @@ dnl check for kernel headers required by src/bridge.c
+ dnl
+ if test "$with_linux" = "yes"; then
+ if test "$with_qemu" = "yes" || test "$with_lxc" = "yes" ; then
++ # Various kernel versions have headers that are not self-standing, but
++ # yet are incompatible with the corresponding glibc headers. In order
++ # to guarantee compilation across a wide range of versions (from RHEL 5
++ # to rawhide), we first have to probe whether glibc and kernel can be
++ # used in tandem; and if not, provide workarounds that ensure that
++ # ABI-compatible IPv6 types are present for use by the kernel headers.
++ # These probes mirror the usage in virnetdevbridge.c
++ AC_CACHE_CHECK(
++ [whether <linux/*.h> and <netinet/*.h> headers are compatible],
++ [lv_cv_netinet_linux_compatible],
++ [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
++ #include <netinet/in.h>
++ #include <linux/in6.h>
++ ]])],
++ [lv_cv_netinet_linux_compatible=yes],
++ [lv_cv_netinet_linux_compatible=no])])
++ if test "x$lv_cv_netinet_linux_compatible" != xyes; then
++ AC_DEFINE([NETINET_LINUX_WORKAROUND], [1],
++ [define to 1 if Linux kernel headers require a workaround to avoid
++ compilation errors when mixed with glibc netinet headers])
++ fi
+ AC_CHECK_HEADERS([linux/param.h linux/sockios.h linux/if_bridge.h linux/if_tun.h],,
+ [AC_MSG_ERROR([You must install kernel-headers in order to compile libvirt with QEMU or LXC support])],
+- [[/* The kernel folks broke their headers when used with particular
+- * glibc versions; although the structs are ABI compatible, the
+- * C type system doesn't like struct redefinitions. We work around
+- * the problem here in the same manner as in virnetdevbridge.c. */
+- #include <netinet/in.h>
+- #define in6_addr in6_addr_
+- #define sockaddr_in6 sockaddr_in6_
+- #define ipv6_mreq ipv6_mreq_
+- #define in6addr_any in6addr_any_
+- #define in6addr_loopback in6addr_loopback_
++ [[#include <netinet/in.h>
++ #if NETINET_LINUX_WORKAROUND
++ # define in6_addr in6_addr_
++ # define sockaddr_in6 sockaddr_in6_
++ # define ipv6_mreq ipv6_mreq_
++ # define in6addr_any in6addr_any_
++ # define in6addr_loopback in6addr_loopback_
++ #endif
+ #include <linux/in6.h>
+ ]])
+ fi
+diff --git a/src/util/virnetdevbridge.c b/src/util/virnetdevbridge.c
+index e4daa27..1a3740a 100644
+--- a/src/util/virnetdevbridge.c
++++ b/src/util/virnetdevbridge.c
+@@ -39,22 +39,26 @@
+ #ifdef __linux__
+ # include <linux/sockios.h>
+ # include <linux/param.h> /* HZ */
++# if NETINET_LINUX_WORKAROUND
+ /* Depending on the version of kernel vs. glibc, there may be a collision
+ * between <net/in.h> and kernel IPv6 structures. The different types
+ * are ABI compatible, but choke the C type system; work around it by
+ * using temporary redefinitions. */
+-# define in6_addr in6_addr_
+-# define sockaddr_in6 sockaddr_in6_
+-# define ipv6_mreq ipv6_mreq_
+-# define in6addr_any in6addr_any_
+-# define in6addr_loopback in6addr_loopback_
++# define in6_addr in6_addr_
++# define sockaddr_in6 sockaddr_in6_
++# define ipv6_mreq ipv6_mreq_
++# define in6addr_any in6addr_any_
++# define in6addr_loopback in6addr_loopback_
++# endif
+ # include <linux/in6.h>
+ # include <linux/if_bridge.h> /* SYSFS_BRIDGE_ATTR */
+-# undef in6_addr
+-# undef sockaddr_in6
+-# undef ipv6_mreq
+-# undef in6addr_any
+-# undef in6addr_loopback
++# if NETINET_LINUX_WORKAROUND
++# undef in6_addr
++# undef sockaddr_in6
++# undef ipv6_mreq
++# undef in6addr_any
++# undef in6addr_loopback
++# endif
+
+ # define JIFFIES_TO_MS(j) (((j)*1000)/HZ)
+ # define MS_TO_JIFFIES(ms) (((ms)*HZ)/1000)
diff --git a/0105-Also-store-user-group-ID-values-in-virIdentity.patch b/0105-Also-store-user-group-ID-values-in-virIdentity.patch
new file mode 100644
index 0000000..464648d
--- /dev/null
+++ b/0105-Also-store-user-group-ID-values-in-virIdentity.patch
@@ -0,0 +1,154 @@
+From 2fb7c4d202da975a1498fd205cc3e1bc49595d3c Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Thu, 22 Aug 2013 16:00:01 +0100
+Subject: [PATCH] Also store user & group ID values in virIdentity
+
+Future improvements to the polkit code will require access to
+the numeric user ID, not merely user name.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176)
+---
+ src/rpc/virnetserverclient.c | 18 ++++++++++++++++++
+ src/util/viridentity.c | 23 +++++++++++++++++++----
+ src/util/viridentity.h | 2 ++
+ 3 files changed, 39 insertions(+), 4 deletions(-)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index 83d5cf1..19c4100 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+ char *processid = NULL;
+ char *processtime = NULL;
+ char *username = NULL;
++ char *userid = NULL;
+ char *groupname = NULL;
++ char *groupid = NULL;
+ #if WITH_SASL
+ char *saslname = NULL;
+ #endif
+@@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+
+ if (!(username = virGetUserName(uid)))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)uid) < 0)
++ goto cleanup;
+ if (!(groupname = virGetGroupName(gid)))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)gid) < 0)
++ goto cleanup;
+ if (virAsprintf(&processid, "%llu",
+ (unsigned long long)pid) < 0)
+ goto cleanup;
+@@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ username) < 0)
+ goto error;
++ if (userid &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
++ userid) < 0)
++ goto error;
+ if (groupname &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ groupname) < 0)
+ goto error;
++ if (groupid &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
++ groupid) < 0)
++ goto error;
+ if (processid &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+@@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+
+ cleanup:
+ VIR_FREE(username);
++ VIR_FREE(userid);
+ VIR_FREE(groupname);
++ VIR_FREE(groupid);
+ VIR_FREE(processid);
+ VIR_FREE(processtime);
+ VIR_FREE(seccontext);
+diff --git a/src/util/viridentity.c b/src/util/viridentity.c
+index 781f660..03c375b 100644
+--- a/src/util/viridentity.c
++++ b/src/util/viridentity.c
+@@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr ident)
+ virIdentityPtr virIdentityGetSystem(void)
+ {
+ char *username = NULL;
++ char *userid = NULL;
+ char *groupname = NULL;
++ char *groupid = NULL;
+ char *seccontext = NULL;
+ virIdentityPtr ret = NULL;
+ #if WITH_SELINUX
+@@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void)
+
+ if (!(username = virGetUserName(getuid())))
+ goto cleanup;
++ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
++ goto cleanup;
++
+ if (!(groupname = virGetGroupName(getgid())))
+ goto cleanup;
++ if (virAsprintf(&groupid, "%d", (int)getgid()) < 0)
++ goto cleanup;
+
+ #if WITH_SELINUX
+ if (getcon(&con) < 0) {
+@@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void)
+ if (!(ret = virIdentityNew()))
+ goto cleanup;
+
+- if (username &&
+- virIdentitySetAttr(ret,
++ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
+ username) < 0)
+ goto error;
+- if (groupname &&
+- virIdentitySetAttr(ret,
++ if (virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
++ userid) < 0)
++ goto error;
++ if (virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
+ groupname) < 0)
+ goto error;
++ if (virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
++ groupid) < 0)
++ goto error;
+ if (seccontext &&
+ virIdentitySetAttr(ret,
+ VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
+@@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void)
+
+ cleanup:
+ VIR_FREE(username);
++ VIR_FREE(userid);
+ VIR_FREE(groupname);
++ VIR_FREE(groupid);
+ VIR_FREE(seccontext);
+ VIR_FREE(processid);
+ return ret;
+diff --git a/src/util/viridentity.h b/src/util/viridentity.h
+index 4bae8d6..a240c2d 100644
+--- a/src/util/viridentity.h
++++ b/src/util/viridentity.h
+@@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr;
+
+ typedef enum {
+ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
+ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
+ VIR_IDENTITY_ATTR_SASL_USER_NAME,
diff --git a/0106-Ensure-system-identity-includes-process-start-time.patch b/0106-Ensure-system-identity-includes-process-start-time.patch
new file mode 100644
index 0000000..522c422
--- /dev/null
+++ b/0106-Ensure-system-identity-includes-process-start-time.patch
@@ -0,0 +1,68 @@
+From fe544fd4c18d6982e652a1d5cd016816c609b72c Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Wed, 28 Aug 2013 15:22:05 +0100
+Subject: [PATCH] Ensure system identity includes process start time
+
+The polkit access driver will want to use the process start
+time field. This was already set for network identities, but
+not for the system identity.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit e65667c0c6e016d42abea077e31628ae43f57b74)
+---
+ src/util/viridentity.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/util/viridentity.c b/src/util/viridentity.c
+index 03c375b..f681f85 100644
+--- a/src/util/viridentity.c
++++ b/src/util/viridentity.c
+@@ -35,6 +35,7 @@
+ #include "virthread.h"
+ #include "virutil.h"
+ #include "virstring.h"
++#include "virprocess.h"
+
+ #define VIR_FROM_THIS VIR_FROM_IDENTITY
+
+@@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void)
+ security_context_t con;
+ #endif
+ char *processid = NULL;
++ unsigned long long timestamp;
++ char *processtime = NULL;
+
+ if (virAsprintf(&processid, "%llu",
+ (unsigned long long)getpid()) < 0)
+ goto cleanup;
+
++ if (virProcessGetStartTime(getpid(), ×tamp) < 0)
++ goto cleanup;
++
++ if (timestamp != 0 &&
++ virAsprintf(&processtime, "%llu", timestamp) < 0)
++ goto cleanup;
++
+ if (!(username = virGetUserName(getuid())))
+ goto cleanup;
+ if (virAsprintf(&userid, "%d", (int)getuid()) < 0)
+@@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void)
+ VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
+ processid) < 0)
+ goto error;
++ if (processtime &&
++ virIdentitySetAttr(ret,
++ VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
++ processtime) < 0)
++ goto error;
+
+ cleanup:
+ VIR_FREE(username);
+@@ -206,6 +221,7 @@ cleanup:
+ VIR_FREE(groupid);
+ VIR_FREE(seccontext);
+ VIR_FREE(processid);
++ VIR_FREE(processtime);
+ return ret;
+
+ error:
diff --git a/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch b/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
new file mode 100644
index 0000000..4fd9327
--- /dev/null
+++ b/0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
@@ -0,0 +1,178 @@
+From dcba8ce65b0ee9f18dca6ac4bdbb57f5cbcc75c6 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Wed, 28 Aug 2013 15:25:40 +0100
+Subject: [PATCH] Add support for using 3-arg pkcheck syntax for process
+ (CVE-2013-4311)
+
+With the existing pkcheck (pid, start time) tuple for identifying
+the process, there is a race condition, where a process can make
+a libvirt RPC call and in another thread exec a setuid application,
+causing it to change to effective UID 0. This in turn causes polkit
+to do its permission check based on the wrong UID.
+
+To address this, libvirt must get the UID the caller had at time
+of connect() (from SO_PEERCRED) and pass a (pid, start time, uid)
+triple to the pkcheck program.
+
+This fix requires that libvirt is re-built against a version of
+polkit that has the fix for its CVE-2013-4288, so that libvirt
+can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1'
+
+Signed-off-by: Colin Walters <walters@redhat.com>
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit 922b7fda77b094dbf022d625238262ea05335666)
+---
+ configure.ac | 8 ++++++++
+ daemon/remote.c | 22 ++++++++++++++++++---
+ libvirt.spec.in | 3 +--
+ src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++-----
+ 4 files changed, 63 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1956717..8baf6fa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1203,6 +1203,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then
+ AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH])
+ if test "x$PKCHECK_PATH" != "x" ; then
+ AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program])
++ AC_MSG_CHECKING([whether pkcheck supports uid value])
++ pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1`
++ if test "x$pkcheck_supports_uid" = "xtrue"; then
++ AC_MSG_RESULT([yes])
++ AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck])
++ else
++ AC_MSG_RESULT([no])
++ fi
+ AC_DEFINE_UNQUOTED([WITH_POLKIT], 1,
+ [use PolicyKit for UNIX socket access checks])
+ AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1,
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 6ace7af..b5395dd 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ int status = -1;
+ char *ident = NULL;
+ bool authdismissed = 0;
++ bool supportsuid = false;
+ char *pkout = NULL;
+ struct daemonClientPrivate *priv =
+ virNetServerClientGetPrivateData(client);
+ virCommandPtr cmd = NULL;
++ static bool polkitInsecureWarned;
+
+ virMutexLock(&priv->lock);
+ action = virNetServerClientGetReadonly(client) ?
+@@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED,
+ goto authfail;
+ }
+
++ if (timestamp == 0) {
++ VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time",
++ (long long)callerPid);
++ goto authfail;
++ }
++
+ VIR_INFO("Checking PID %lld running as %d",
+ (long long) callerPid, callerUid);
+
+ virCommandAddArg(cmd, "--process");
+- if (timestamp != 0) {
+- virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
++# ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = true;
++# endif
++ if (supportsuid) {
++ virCommandAddArgFormat(cmd, "%lld,%llu,%lu",
++ (long long) callerPid, timestamp, (unsigned long) callerUid);
+ } else {
+- virCommandAddArgFormat(cmd, "%lld", (long long) callerPid);
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp);
+ }
+ virCommandAddArg(cmd, "--allow-user-interaction");
+
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index e94901a..b9c8c91 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -508,8 +508,7 @@ BuildRequires: cyrus-sasl-devel
+ %endif
+ %if %{with_polkit}
+ %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
+-# Only need the binary, not -devel
+-BuildRequires: polkit >= 0.93
++BuildRequires: polkit-devel >= 0.93
+ %else
+ BuildRequires: PolicyKit-devel >= 0.6
+ %endif
+diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
+index 4c76e64..bb170b5 100644
+--- a/src/access/viraccessdriverpolkit.c
++++ b/src/access/viraccessdriverpolkit.c
+@@ -72,8 +72,12 @@ static char *
+ virAccessDriverPolkitFormatProcess(const char *actionid)
+ {
+ virIdentityPtr identity = virIdentityGetCurrent();
+- const char *process = NULL;
++ const char *callerPid = NULL;
++ const char *callerTime = NULL;
++ const char *callerUid = NULL;
+ char *ret = NULL;
++ bool supportsuid = false;
++ static bool polkitInsecureWarned;
+
+ if (!identity) {
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+@@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const char *actionid)
+ actionid);
+ return NULL;
+ }
+- if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0)
++ goto cleanup;
++ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0)
+ goto cleanup;
+
+- if (!process) {
++ if (!callerPid) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process ID available"));
+ goto cleanup;
+ }
+-
+- if (VIR_STRDUP(ret, process) < 0)
++ if (!callerTime) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX process start time available"));
++ goto cleanup;
++ }
++ if (!callerUid) {
++ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
++ _("No UNIX caller UID available"));
+ goto cleanup;
++ }
++
++#ifdef PKCHECK_SUPPORTS_UID
++ supportsuid = true;
++#endif
++ if (supportsuid) {
++ if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0)
++ goto cleanup;
++ } else {
++ if (!polkitInsecureWarned) {
++ VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure.");
++ polkitInsecureWarned = true;
++ }
++ if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0)
++ goto cleanup;
++ }
+
+ cleanup:
+ virObjectUnref(identity);
diff --git a/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch b/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
new file mode 100644
index 0000000..909bfc4
--- /dev/null
+++ b/0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
@@ -0,0 +1,38 @@
+From 3bee40f9bd3b3c11d782b79eb90f46087d3ab9be Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Tue, 3 Sep 2013 16:52:06 +0100
+Subject: [PATCH] Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
+
+The 'stats' variable was not initialized to NULL, so if some
+early validation of the RPC call fails, it is possible to jump
+to the 'cleanup' label and VIR_FREE an uninitialized pointer.
+This is a security flaw, since the API can be called from a
+readonly connection which can trigger the validation checks.
+
+This was introduced in release v0.9.1 onwards by
+
+ commit 158ba8730e44b7dd07a21ab90499996c5dec080a
+ Author: Daniel P. Berrange <berrange@redhat.com>
+ Date: Wed Apr 13 16:21:35 2011 +0100
+
+ Merge all returns paths from dispatcher into single path
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+(cherry picked from commit e7f400a110e2e3673b96518170bfea0855dd82c0)
+---
+ daemon/remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index b5395dd..afd9fb5 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1146,7 +1146,7 @@ remoteDispatchDomainMemoryStats(virNetServerPtr server ATTRIBUTE_UNUSED,
+ remote_domain_memory_stats_ret *ret)
+ {
+ virDomainPtr dom = NULL;
+- struct _virDomainMemoryStat *stats;
++ struct _virDomainMemoryStat *stats = NULL;
+ int nr_stats;
+ size_t i;
+ int rv = -1;
diff --git a/0109-virsh-add-missing-async-option-in-opts_block_commit.patch b/0109-virsh-add-missing-async-option-in-opts_block_commit.patch
new file mode 100644
index 0000000..d6e8f4b
--- /dev/null
+++ b/0109-virsh-add-missing-async-option-in-opts_block_commit.patch
@@ -0,0 +1,59 @@
+From f19543baee399bf6b3d91da38fa0b7025f233dee Mon Sep 17 00:00:00 2001
+From: Simone Gotti <simone.gotti@gmail.com>
+Date: Thu, 19 Sep 2013 15:08:29 +0200
+Subject: [PATCH] virsh: add missing "async" option in opts_block_commit
+
+After commit 8aecd351266a66efa59b7f7be77bf66693d99ce0 it'll detect
+that a required option is not defined and it will assert and exit with:
+
+virsh.c:1364: vshCommandOpt: Assertion `valid->name' failed.
+
+Problem has been latent since commit ed23b106.
+
+Signed-off-by: Eric Blake <eblake@redhat.com>
+(cherry picked from commit fe64499dd14315b2d9d62cdf421bd3c97a46b7ac)
+---
+ tools/virsh-domain.c | 4 ++++
+ tools/virsh.pod | 7 +++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tools/virsh-domain.c b/tools/virsh-domain.c
+index 568d61d..da6ab87 100644
+--- a/tools/virsh-domain.c
++++ b/tools/virsh-domain.c
+@@ -1544,6 +1544,10 @@ static const vshCmdOptDef opts_block_commit[] = {
+ .type = VSH_OT_INT,
+ .help = N_("with --wait, abort if copy exceeds timeout (in seconds)")
+ },
++ {.name = "async",
++ .type = VSH_OT_BOOL,
++ .help = N_("with --wait, don't wait for cancel to finish")
++ },
+ {.name = NULL}
+ };
+
+diff --git a/tools/virsh.pod b/tools/virsh.pod
+index 0ae5178..2864f3d 100644
+--- a/tools/virsh.pod
++++ b/tools/virsh.pod
+@@ -737,7 +737,7 @@ I<domif-setlink>) will accept the MAC address printed by this command.
+
+ =item B<blockcommit> I<domain> I<path> [I<bandwidth>]
+ {[I<base>] | [I<--shallow>]} [I<top>] [I<--delete>]
+-[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>]]
++[I<--wait> [I<--verbose>] [I<--timeout> B<seconds>] [I<--async>]]
+
+ Reduce the length of a backing image chain, by committing changes at the
+ top of the chain (snapshot or delta files) into backing images. By
+@@ -756,7 +756,10 @@ operation can be checked with B<blockjob>. However, if I<--wait> is
+ specified, then this command will block until the operation completes,
+ or cancel the operation if the optional I<timeout> in seconds elapses
+ or SIGINT is sent (usually with C<Ctrl-C>). Using I<--verbose> along
+-with I<--wait> will produce periodic status updates.
++with I<--wait> will produce periodic status updates. If job cancellation
++is triggered, I<--async> will return control to the user as fast as
++possible, otherwise the command may continue to block a little while
++longer until the job is done cleaning up.
+
+ I<path> specifies fully-qualified path of the disk; it corresponds
+ to a unique target name (<target dev='name'/>) or source file (<source
diff --git a/0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch b/0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch
new file mode 100644
index 0000000..f163b6e
--- /dev/null
+++ b/0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch
@@ -0,0 +1,38 @@
+From b4e1fb2febb00173b1489634262169554e8f6a1d Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Sep 2013 12:46:25 +0100
+Subject: [PATCH] Fix typo in identity code which is pre-requisite for
+ CVE-2013-4311
+
+The fix for CVE-2013-4311 had a pre-requisite enhancement
+to the identity code
+
+ commit db7a5688c05f3fd60d9d2b74c72427eb9ee9c176
+ Author: Daniel P. Berrange <berrange@redhat.com>
+ Date: Thu Aug 22 16:00:01 2013 +0100
+
+ Also store user & group ID values in virIdentity
+
+This had a typo which caused the group ID to overwrite the
+user ID string. This meant any checks using this would have
+the wrong ID value. This only affected the ACL code, not the
+initial polkit auth. It also leaked memory.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ src/rpc/virnetserverclient.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c
+index 19c4100..0b9ab52 100644
+--- a/src/rpc/virnetserverclient.c
++++ b/src/rpc/virnetserverclient.c
+@@ -678,7 +678,7 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client)
+ goto cleanup;
+ if (!(groupname = virGetGroupName(gid)))
+ goto cleanup;
+- if (virAsprintf(&userid, "%d", (int)gid) < 0)
++ if (virAsprintf(&groupid, "%d", (int)gid) < 0)
+ goto cleanup;
+ if (virAsprintf(&processid, "%llu",
+ (unsigned long long)pid) < 0)
diff --git a/0111-Add-a-virNetSocketNewConnectSockFD-method.patch b/0111-Add-a-virNetSocketNewConnectSockFD-method.patch
new file mode 100644
index 0000000..7cf7f56
--- /dev/null
+++ b/0111-Add-a-virNetSocketNewConnectSockFD-method.patch
@@ -0,0 +1,69 @@
+From 9e7cec4d755341cfb4c27c16aa59b22135612f0e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Sep 2013 12:46:26 +0100
+Subject: [PATCH] Add a virNetSocketNewConnectSockFD method
+
+To allow creation of a virNetSocketPtr instance from a pre-opened
+socketpair FD, add a virNetSocketNewConnectSockFD method.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ src/libvirt_private.syms | 1 +
+ src/rpc/virnetsocket.c | 18 ++++++++++++++++++
+ src/rpc/virnetsocket.h | 2 ++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
+index 35f0f1b..873d93d 100644
+--- a/src/libvirt_private.syms
++++ b/src/libvirt_private.syms
+@@ -1008,6 +1008,7 @@ virNetSocketLocalAddrString;
+ virNetSocketNewConnectCommand;
+ virNetSocketNewConnectExternal;
+ virNetSocketNewConnectLibSSH2;
++virNetSocketNewConnectSockFD;
+ virNetSocketNewConnectSSH;
+ virNetSocketNewConnectTCP;
+ virNetSocketNewConnectUNIX;
+diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
+index ae81512..b311aae 100644
+--- a/src/rpc/virnetsocket.c
++++ b/src/rpc/virnetsocket.c
+@@ -884,6 +884,24 @@ int virNetSocketNewConnectExternal(const char **cmdargv,
+ }
+
+
++int virNetSocketNewConnectSockFD(int sockfd,
++ virNetSocketPtr *retsock)
++{
++ virSocketAddr localAddr;
++
++ localAddr.len = sizeof(localAddr.data);
++ if (getsockname(sockfd, &localAddr.data.sa, &localAddr.len) < 0) {
++ virReportSystemError(errno, "%s", _("Unable to get local socket name"));
++ return -1;
++ }
++
++ if (!(*retsock = virNetSocketNew(&localAddr, NULL, true, sockfd, -1, -1)))
++ return -1;
++
++ return 0;
++}
++
++
+ virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object)
+ {
+ virSocketAddr localAddr;
+diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
+index ca9ae91..86bc2f6 100644
+--- a/src/rpc/virnetsocket.h
++++ b/src/rpc/virnetsocket.h
+@@ -97,6 +97,8 @@ int virNetSocketNewConnectLibSSH2(const char *host,
+ int virNetSocketNewConnectExternal(const char **cmdargv,
+ virNetSocketPtr *addr);
+
++int virNetSocketNewConnectSockFD(int sockfd,
++ virNetSocketPtr *retsock);
+
+ virNetSocketPtr virNetSocketNewPostExecRestart(virJSONValuePtr object);
+
diff --git a/0112-Add-test-case-for-virNetServerClient-object-identity.patch b/0112-Add-test-case-for-virNetServerClient-object-identity.patch
new file mode 100644
index 0000000..1b07c7e
--- /dev/null
+++ b/0112-Add-test-case-for-virNetServerClient-object-identity.patch
@@ -0,0 +1,305 @@
+From 7e1b75ca5d4127a86ff1eaa0dfe37b485eeb0a7a Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Sep 2013 12:46:27 +0100
+Subject: [PATCH] Add test case for virNetServerClient object identity code
+
+Start a test case for the virNetServerClient object, which
+initially checks the creation of a virIdentityPtr object.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+---
+ cfg.mk | 2 +-
+ tests/Makefile.am | 14 +++-
+ tests/virnetserverclientmock.c | 64 +++++++++++++++++
+ tests/virnetserverclienttest.c | 159 +++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 237 insertions(+), 2 deletions(-)
+ create mode 100644 tests/virnetserverclientmock.c
+ create mode 100644 tests/virnetserverclienttest.c
+
+diff --git a/cfg.mk b/cfg.mk
+index 9a9616c..7f817ef 100644
+--- a/cfg.mk
++++ b/cfg.mk
+@@ -939,7 +939,7 @@ exclude_file_name_regexp--sc_prohibit_asprintf = \
+ ^(bootstrap.conf$$|src/util/virstring\.[ch]$$|examples/domain-events/events-c/event-test\.c$$|tests/vircgroupmock\.c$$)
+
+ exclude_file_name_regexp--sc_prohibit_strdup = \
+- ^(docs/|examples/|python/|src/util/virstring\.c$$)
++ ^(docs/|examples/|python/|src/util/virstring\.c|tests/virnetserverclientmock.c$$)
+
+ exclude_file_name_regexp--sc_prohibit_close = \
+ (\.p[yl]$$|^docs/|^(src/util/virfile\.c|src/libvirt\.c|tests/vircgroupmock\.c)$$)
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index c800179..ae99b38 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -114,7 +114,7 @@ test_programs = virshtest sockettest \
+ nodeinfotest virbuftest \
+ commandtest seclabeltest \
+ virhashtest virnetmessagetest virnetsockettest \
+- viratomictest \
++ viratomictest virnetserverclienttest \
+ utiltest shunloadtest \
+ virtimetest viruritest virkeyfiletest \
+ virauthconfigtest \
+@@ -281,6 +281,7 @@ EXTRA_DIST += $(test_scripts)
+
+ test_libraries = libshunload.la \
+ libvirportallocatormock.la \
++ virnetserverclientmock.la \
+ vircgroupmock.la \
+ $(NULL)
+ if WITH_QEMU
+@@ -611,6 +612,17 @@ virnetsockettest_SOURCES = \
+ virnetsockettest.c testutils.h testutils.c
+ virnetsockettest_LDADD = $(LDADDS)
+
++virnetserverclienttest_SOURCES = \
++ virnetserverclienttest.c \
++ testutils.h testutils.c
++virnetserverclienttest_LDADD = $(LDADDS)
++
++virnetserverclientmock_la_SOURCES = \
++ virnetserverclientmock.c
++virnetserverclientmock_la_CFLAGS = $(AM_CFLAGS)
++virnetserverclientmock_la_LDFLAGS = -module -avoid-version \
++ -rpath /evil/libtool/hack/to/force/shared/lib/creation
++
+ if WITH_GNUTLS
+ virnettlscontexttest_SOURCES = \
+ virnettlscontexttest.c \
+diff --git a/tests/virnetserverclientmock.c b/tests/virnetserverclientmock.c
+new file mode 100644
+index 0000000..caef1e3
+--- /dev/null
++++ b/tests/virnetserverclientmock.c
+@@ -0,0 +1,64 @@
++/*
++ * Copyright (C) 2013 Red Hat, Inc.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library. If not, see
++ * <http://www.gnu.org/licenses/>.
++ *
++ * Author: Daniel P. Berrange <berrange@redhat.com>
++ */
++
++#include <config.h>
++
++#include "rpc/virnetsocket.h"
++#include "virutil.h"
++#include "internal.h"
++
++int virEventAddTimeout(int frequency ATTRIBUTE_UNUSED,
++ virEventTimeoutCallback cb ATTRIBUTE_UNUSED,
++ void *opaque ATTRIBUTE_UNUSED,
++ virFreeCallback ff ATTRIBUTE_UNUSED)
++{
++ return 0;
++}
++
++int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED,
++ uid_t *uid,
++ gid_t *gid,
++ pid_t *pid,
++ unsigned long long *timestamp)
++{
++ *uid = 666;
++ *gid = 7337;
++ *pid = 42;
++ *timestamp = 12345678;
++ return 0;
++}
++
++char *virGetUserName(uid_t uid ATTRIBUTE_UNUSED)
++{
++ return strdup("astrochicken");
++}
++
++char *virGetGroupName(gid_t gid ATTRIBUTE_UNUSED)
++{
++ return strdup("fictionalusers");
++}
++
++int virNetSocketGetSELinuxContext(virNetSocketPtr sock ATTRIBUTE_UNUSED,
++ char **context)
++{
++ if (!(*context = strdup("foo_u:bar_r:wizz_t:s0-s0:c0.c1023")))
++ return -1;
++ return 0;
++}
+diff --git a/tests/virnetserverclienttest.c b/tests/virnetserverclienttest.c
+new file mode 100644
+index 0000000..1ddff3e
+--- /dev/null
++++ b/tests/virnetserverclienttest.c
+@@ -0,0 +1,159 @@
++/*
++ * Copyright (C) 2013 Red Hat, Inc.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library. If not, see
++ * <http://www.gnu.org/licenses/>.
++ *
++ * Author: Daniel P. Berrange <berrange@redhat.com>
++ */
++
++#include <config.h>
++
++#include "testutils.h"
++#include "virerror.h"
++#include "rpc/virnetserverclient.h"
++
++#define VIR_FROM_THIS VIR_FROM_RPC
++
++#ifdef HAVE_SOCKETPAIR
++static int testIdentity(const void *opaque ATTRIBUTE_UNUSED)
++{
++ int sv[2];
++ int ret = -1;
++ virNetSocketPtr sock = NULL;
++ virNetServerClientPtr client = NULL;
++ virIdentityPtr ident = NULL;
++ const char *gotUsername = NULL;
++ const char *gotUserID = NULL;
++ const char *gotGroupname = NULL;
++ const char *gotGroupID = NULL;
++ const char *gotSELinuxContext = NULL;
++
++ if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) < 0) {
++ virReportSystemError(errno, "%s",
++ "Cannot create socket pair");
++ return -1;
++ }
++
++ if (virNetSocketNewConnectSockFD(sv[0], &sock) < 0) {
++ virDispatchError(NULL);
++ goto cleanup;
++ }
++ sv[0] = -1;
++
++ if (!(client = virNetServerClientNew(sock, 0, false, 1,
++# ifdef WITH_GNUTLS
++ NULL,
++# endif
++ NULL, NULL, NULL, NULL))) {
++ virDispatchError(NULL);
++ goto cleanup;
++ }
++
++ if (!(ident = virNetServerClientGetIdentity(client))) {
++ fprintf(stderr, "Failed to create identity\n");
++ goto cleanup;
++ }
++
++ if (virIdentityGetAttr(ident,
++ VIR_IDENTITY_ATTR_UNIX_USER_NAME,
++ &gotUsername) < 0) {
++ fprintf(stderr, "Missing username in identity\n");
++ goto cleanup;
++ }
++ if (STRNEQ_NULLABLE("astrochicken", gotUsername)) {
++ fprintf(stderr, "Want username 'astrochicken' got '%s'\n",
++ NULLSTR(gotUsername));
++ goto cleanup;
++ }
++
++ if (virIdentityGetAttr(ident,
++ VIR_IDENTITY_ATTR_UNIX_USER_ID,
++ &gotUserID) < 0) {
++ fprintf(stderr, "Missing user ID in identity\n");
++ goto cleanup;
++ }
++ if (STRNEQ_NULLABLE("666", gotUserID)) {
++ fprintf(stderr, "Want username '666' got '%s'\n",
++ NULLSTR(gotUserID));
++ goto cleanup;
++ }
++
++ if (virIdentityGetAttr(ident,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
++ &gotGroupname) < 0) {
++ fprintf(stderr, "Missing groupname in identity\n");
++ goto cleanup;
++ }
++ if (STRNEQ_NULLABLE("fictionalusers", gotGroupname)) {
++ fprintf(stderr, "Want groupname 'fictionalusers' got '%s'\n",
++ NULLSTR(gotGroupname));
++ goto cleanup;
++ }
++
++ if (virIdentityGetAttr(ident,
++ VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
++ &gotGroupID) < 0) {
++ fprintf(stderr, "Missing group ID in identity\n");
++ goto cleanup;
++ }
++ if (STRNEQ_NULLABLE("7337", gotGroupID)) {
++ fprintf(stderr, "Want groupname '7337' got '%s'\n",
++ NULLSTR(gotGroupID));
++ goto cleanup;
++ }
++
++ if (virIdentityGetAttr(ident,
++ VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
++ &gotSELinuxContext) < 0) {
++ fprintf(stderr, "Missing SELinux context in identity\n");
++ goto cleanup;
++ }
++ if (STRNEQ_NULLABLE("foo_u:bar_r:wizz_t:s0-s0:c0.c1023", gotSELinuxContext)) {
++ fprintf(stderr, "Want groupname 'foo_u:bar_r:wizz_t:s0-s0:c0.c1023' got '%s'\n",
++ NULLSTR(gotGroupID));
++ goto cleanup;
++ }
++
++ ret = 0;
++ cleanup:
++ virObjectUnref(sock);
++ virObjectUnref(client);
++ virObjectUnref(ident);
++ VIR_FORCE_CLOSE(sv[0]);
++ VIR_FORCE_CLOSE(sv[1]);
++ return ret;
++}
++
++
++static int
++mymain(void)
++{
++ int ret = 0;
++
++
++ if (virtTestRun("Identity", 1,
++ testIdentity, NULL) < 0)
++ ret = -1;
++
++ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
++}
++#else
++static int
++mymain(void)
++{
++ return AM_TEST_SKIP;
++}
++#endif
++VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virnetserverclientmock.so")
diff --git a/libvirt.spec b/libvirt.spec
index 476ae1e..8087176 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -13,6 +13,9 @@
# touch configure.ac or Makefile.am.
%{!?enable_autotools:%define enable_autotools 0}
+# Drop after libvirt-1.1.3 is rebased
+%define enable_autotools 1
+
# A client only build will create a libvirt.so only containing
# the generic RPC driver, and test driver and no libvirtd
# Default to a full server + client build
@@ -366,7 +369,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 1.1.2
-Release: 2%{?dist}%{?extra_release}
+Release: 3%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -387,6 +390,20 @@ Patch0006: 0006-domain_conf-Add-disk-bus-sd-wire-it-up-for-qemu.patch
Patch0007: 0007-qemu-Fix-networking-for-ARM-guests.patch
Patch0008: 0008-qemu-Support-virtio-mmio-transport-for-virtio-on-ARM.patch
+# Sync with v1.1.2-maint
+Patch0101: 0101-virFileNBDDeviceAssociate-Avoid-use-of-uninitialized.patch
+Patch0102: 0102-Fix-AM_LDFLAGS-typo.patch
+Patch0103: 0103-Pass-AM_LDFLAGS-to-driver-modules-too.patch
+Patch0104: 0104-build-fix-build-with-latest-rawhide-kernel-headers.patch
+Patch0105: 0105-Also-store-user-group-ID-values-in-virIdentity.patch
+Patch0106: 0106-Ensure-system-identity-includes-process-start-time.patch
+Patch0107: 0107-Add-support-for-using-3-arg-pkcheck-syntax-for-proce.patch
+Patch0108: 0108-Fix-crash-in-remoteDispatchDomainMemoryStats-CVE-201.patch
+Patch0109: 0109-virsh-add-missing-async-option-in-opts_block_commit.patch
+Patch0110: 0110-Fix-typo-in-identity-code-which-is-pre-requisite-for.patch
+Patch0111: 0111-Add-a-virNetSocketNewConnectSockFD-method.patch
+Patch0112: 0112-Add-test-case-for-virNetServerClient-object-identity.patch
+
%if %{with_libvirtd}
Requires: libvirt-daemon = %{version}-%{release}
%if %{with_network}
@@ -608,6 +625,7 @@ BuildRequires: audit-libs-devel
BuildRequires: systemtap-sdt-devel
%endif
+
%if %{with_storage_fs}
# For mount/umount in FS driver
BuildRequires: util-linux
@@ -1172,6 +1190,20 @@ of recent versions of Linux (and other OSes).
%patch0007 -p1
%patch0008 -p1
+# Sync with v1.1.2-maint
+%patch0101 -p1
+%patch0102 -p1
+%patch0103 -p1
+%patch0104 -p1
+%patch0105 -p1
+%patch0106 -p1
+%patch0107 -p1
+%patch0108 -p1
+%patch0109 -p1
+%patch0110 -p1
+%patch0111 -p1
+%patch0112 -p1
+
%build
%if ! %{with_xen}
%define _without_xen --without-xen
@@ -2125,6 +2157,14 @@ fi
%endif
%changelog
+* Mon Sep 23 2013 Cole Robinson <crobinso@redhat.com> - 1.1.2-3
+- Sync with v1.1.2-maint
+- Rebuild for libswan soname bump (bz #1009701)
+- CVE-2013-4311: Insecure polkit usage (bz #1009539, bz #1005332)
+- CVE-2013-4296: Invalid free memory stats (bz #1006173, bz #1009667)
+- CVE-2013-4297: Invalid free in NBDDeviceAssociate (bz #1006505, bz #1006511)
+- Fix virsh block-commit abort (bz #1010056)
+
* Wed Sep 18 2013 Daniel P. Berrange <berrange@redhat.com> - 1.1.2-2
- Rebuild for soname break in openswman package