[23.11] qemu: add patches for CVE-2024-3446, CVE-2024-3447, CVE-2024-3567

[risicle]

Description of changes

https://nvd.nist.gov/vuln/detail/CVE-2024-3446
https://nvd.nist.gov/vuln/detail/CVE-2024-3447
https://nvd.nist.gov/vuln/detail/CVE-2024-3567

These fixes were backported as a block to the 8.2.x series intermingled with a number of related issues, so I thought it better not to try and label them separately.

The 8.1.x branch not having been touched for 3 months, I think it's unlikely we'll see another 8.1.x release covering this.

Unstable will address these with the 9.0.x bump.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[LeSuisse]

Changes look good to me, nixpkgs-review happy on Linux aarch64. I played a bit with it but it would be nice if a more experienced qemu user/package maintainer could take a look.

Result of nixpkgs-review pr 307248 run on aarch64-linux 1

11 packages marked as broken and skipped:

• guestfs-tools
• qemu_xen
• qemu_xen-light
• qemu_xen-light.ga
• qemu_xen.ga
• qemu_xen_4_15
• qemu_xen_4_15-light
• qemu_xen_4_15-light.ga
• qemu_xen_4_15.ga
• solo5
• solo5.debug

38 packages built:

• alpine-make-vm-image
• cloud-init
• cloud-init.dist
• cloud-utils
• cloud-utils.guest
• colima
• cot (python311Packages.cot)
• cot.dist (python311Packages.cot.dist)
• diffoscope
• diffoscope.dist
• diffoscope.man
• gnome.gnome-boxes
• incus
• libguestfs
• lima
• lima-bin
• lxd
• mkosi-full
• mkosi-full.dist
• out-of-tree
• python310Packages.cot
• python310Packages.cot.dist
• python310Packages.guestfs
• python310Packages.guestfs.dist
• python311Packages.guestfs
• python311Packages.guestfs.dist
• qemu
• qemu-utils
• qemu.ga
• qemu_full
• qemu_full.ga
• qemu_kvm
• qemu_kvm.ga
• qemu_test
• qemu_test.ga
• qtemu
• vagrant
• zpool-auto-expand-partitions