diff --git a/0001-target-i386-define-md-clear-bit.patch b/0001-target-i386-define-md-clear-bit.patch
deleted file mode 100644
index eb26334..0000000
--- a/0001-target-i386-define-md-clear-bit.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From de8cb5ded43603937e0e7c341fcd7521822328a6 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Sat, 2 Mar 2019 00:07:10 +0100
-Subject: [PATCH] target/i386: define md-clear bit
-
-md-clear is a new CPUID bit which is set when microcode provides the
-mechanism to invoke a flush of various exploitable CPU buffers by invoking
-the VERW instruction.
-
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry-picked from a private commit)
----
- target/i386/cpu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index d6bb57d210..4ea78a4939 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .feat_names = {
- NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
- NULL, NULL, NULL, NULL,
-- NULL, NULL, NULL, NULL,
-+ NULL, NULL, "md-clear", NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
---
-2.21.0
-
diff --git a/0002-target-i386-define-md-clear-bit.patch b/0002-target-i386-define-md-clear-bit.patch
new file mode 100644
index 0000000..57289e4
--- /dev/null
+++ b/0002-target-i386-define-md-clear-bit.patch
@@ -0,0 +1,29 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 15 May 2019 15:10:10 +0100
+Subject: [PATCH] target/i386: define md-clear bit
+
+md-clear is a new CPUID bit which is set when microcode provides the
+mechanism to invoke a flush of various exploitable CPU buffers by invoking
+the VERW instruction.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20190515141011.5315-2-berrange@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0)
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index d6bb57d210..4ea78a4939 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .feat_names = {
+ NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "md-clear", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
diff --git a/0003-qxl-check-release-info-object.patch b/0003-qxl-check-release-info-object.patch
new file mode 100644
index 0000000..d561406
--- /dev/null
+++ b/0003-qxl-check-release-info-object.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c8ce5781e0..632923add2 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
+ QXLReleaseRing *ring;
+ uint64_t *item, id;
+
++ if (!ext.info) {
++ return;
++ }
+ if (ext.group_id == MEMSLOT_GROUP_HOST) {
+ /* host group -> vga mode update request */
+ QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
diff --git a/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch b/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
new file mode 100644
index 0000000..e3cdb99
--- /dev/null
+++ b/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
@@ -0,0 +1,77 @@
+From: Anton Blanchard <anton@ozlabs.org>
+Date: Fri, 24 May 2019 07:53:45 +0100
+Subject: [PATCH] target/ppc: Fix lxvw4x, lxvh8x and lxvb16x
+
+During the conversion these instructions were incorrectly treated as
+stores. We need to use set_cpu_vsr* and not get_cpu_vsr*.
+
+Fixes: 8b3b2d75c7c0 ("introduce get_cpu_vsr{l,h}() and set_cpu_vsr{l,h}() helpers for VSR register access")
+Signed-off-by: Anton Blanchard <anton@ozlabs.org>
+Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Tested-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Message-Id: <20190524065345.25591-1-mark.cave-ayland@ilande.co.uk>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 2a1224359008e23b051b7b45be4789afa0269f8c)
+---
+ target/ppc/translate/vsx-impl.inc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/target/ppc/translate/vsx-impl.inc.c b/target/ppc/translate/vsx-impl.inc.c
+index 489b2436e4..1df688cc32 100644
+--- a/target/ppc/translate/vsx-impl.inc.c
++++ b/target/ppc/translate/vsx-impl.inc.c
+@@ -102,8 +102,7 @@ static void gen_lxvw4x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
++
+ gen_set_access_type(ctx, ACCESS_INT);
+ EA = tcg_temp_new();
+
+@@ -126,6 +125,8 @@ static void gen_lxvw4x(DisasContext *ctx)
+ tcg_gen_addi_tl(EA, EA, 8);
+ tcg_gen_qemu_ld_i64(xtl, EA, ctx->mem_idx, MO_BEQ);
+ }
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
+@@ -185,8 +186,6 @@ static void gen_lxvh8x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
+ gen_set_access_type(ctx, ACCESS_INT);
+
+ EA = tcg_temp_new();
+@@ -197,6 +196,8 @@ static void gen_lxvh8x(DisasContext *ctx)
+ if (ctx->le_mode) {
+ gen_bswap16x8(xth, xtl, xth, xtl);
+ }
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
+@@ -214,14 +215,14 @@ static void gen_lxvb16x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
+ gen_set_access_type(ctx, ACCESS_INT);
+ EA = tcg_temp_new();
+ gen_addr_reg_index(ctx, EA);
+ tcg_gen_qemu_ld_i64(xth, EA, ctx->mem_idx, MO_BEQ);
+ tcg_gen_addi_tl(EA, EA, 8);
+ tcg_gen_qemu_ld_i64(xtl, EA, ctx->mem_idx, MO_BEQ);
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
diff --git a/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch b/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
new file mode 100644
index 0000000..4a6e49a
--- /dev/null
+++ b/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
@@ -0,0 +1,23 @@
+From: Cole Robinson <crobinso@redhat.com>
+Date: Thu, 20 Jun 2019 17:20:13 -0400
+Subject: [PATCH] NOT UPSTREAM: Build fix with latest kernel
+
+From here: https://lkml.org/lkml/2019/6/3/988
+
+Signed-off-by: Cole Robinson <crobinso@redhat.com>
+---
+ linux-user/syscall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 96cd4bf86d..c7625858eb 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -34,6 +34,7 @@
+ #include <sys/resource.h>
+ #include <sys/swap.h>
+ #include <linux/capability.h>
++#include <linux/sockios.h>
+ #include <sched.h>
+ #include <sys/timex.h>
+ #include <sys/socket.h>
diff --git a/qemu.spec b/qemu.spec
index b95d9ed..ffd08b9 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -148,7 +148,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 4.0.0
-Release: 3%{?rcrel}%{?dist}
+Release: 4%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY
URL: http://www.qemu.org/
@@ -176,10 +176,16 @@ Source21: 95-kvm-ppc64-memlock.conf
# Not upstream: temporary workaround until kernel supports lands for nested
# VMX migration
Patch0001: 0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch
-
-
# CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
-Patch1001: 0001-target-i386-define-md-clear-bit.patch
+Patch0002: 0002-target-i386-define-md-clear-bit.patch
+# CVE-2019-12155: qxl: null pointer dereference while releasing spice
+# resources (bz #1712727, bz #1712670)
+Patch0003: 0003-qxl-check-release-info-object.patch
+# qemu-4.0.0-2.fc31 ppc64le: rpm hash calculation buggy (bz #1715017)
+Patch0004: 0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
+# Fix rawhide build (bz #1718926)
+# Not upstream, might be a kernel fix
+Patch0005: 0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
# documentation deps
BuildRequires: texinfo
@@ -1737,6 +1743,14 @@ getent passwd qemu >/dev/null || \
%changelog
+* Thu Jun 20 2019 Cole Robinson <crobinso@redhat.com> - 2:4.0.0-4
+- CVE-2019-12155: qxl: null pointer dereference while releasing spice
+ resources (bz #1712727, bz #1712670)
+- qemu-4.0.0-2.fc31 ppc64le: rpm hash calculation buggy (bz #1715017)
+- Fix rawhide build (bz #1718926)
+- Link against libslirp (bz #1712980)
+- Add vgabios-ramfb.bin and vgabios-bochs-display.bin (bz #1721445)
+
* Tue May 14 2019 Daniel P. Berrangé <berrange@redhat.com> - 2:4.0.0-2
- Define md-clear CPUID bit
- Resolves: rhbz #1710002 (CVE-2018-12126), rhbz #1710004 (CVE-2018-12127),