diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-08-29 10:29:30 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-08-29 13:32:58 +0200 |
commit | 7da6ebdca2d6b30dd6240db73b0c7605c310a4f1 (patch) | |
tree | 2a0e79f8fb004022275d9b6f52ac7ace27ec1910 /recipes-devtools | |
parent | 534a1c7f012e2099ce83bcab35c25cd587c9f3af (diff) | |
download | meta-nfv-access-common-7da6ebdca2d6b30dd6240db73b0c7605c310a4f1.tar.gz |
qemu: CVE-2017-8309
Qemu built with the Audio subsystem support is vulnerable to
a host memory leakage issue. It could occur if a guest user
was to repeatedly start and stop audio capture.
A privileged user inside guest could use this flaw to exhaust host memory,
resulting in DoS.
Reference:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8309
Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'recipes-devtools')
-rw-r--r-- | recipes-devtools/qemu/qemu/CVE-2017-8309.patch | 42 | ||||
-rw-r--r-- | recipes-devtools/qemu/qemu_%.bbappend | 1 |
2 files changed, 43 insertions, 0 deletions
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch new file mode 100644 index 0000000..812e64b --- /dev/null +++ b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch | |||
@@ -0,0 +1,42 @@ | |||
1 | From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001 | ||
2 | From: Gerd Hoffmann <kraxel@redhat.com> | ||
3 | Date: Fri, 28 Apr 2017 09:56:12 +0200 | ||
4 | Subject: [PATCH] audio: release capture buffers | ||
5 | |||
6 | AUD_add_capture() allocates two buffers which are never released. | ||
7 | Add the missing calls to AUD_del_capture(). | ||
8 | |||
9 | Impact: Allows vnc clients to exhaust host memory by repeatedly | ||
10 | starting and stopping audio capture. | ||
11 | |||
12 | Fixes: CVE-2017-8309 | ||
13 | |||
14 | CVE-2017-8309 | ||
15 | Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27] | ||
16 | |||
17 | Cc: P J P <ppandit@redhat.com> | ||
18 | Cc: Huawei PSIRT <PSIRT@huawei.com> | ||
19 | Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> | ||
20 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
21 | Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
22 | Message-id: 20170428075612.9997-1-kraxel@redhat.com | ||
23 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
24 | --- | ||
25 | audio/audio.c | 2 ++ | ||
26 | 1 file changed, 2 insertions(+) | ||
27 | |||
28 | diff --git a/audio/audio.c b/audio/audio.c | ||
29 | index c8898d8..beafed2 100644 | ||
30 | --- a/audio/audio.c | ||
31 | +++ b/audio/audio.c | ||
32 | @@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) | ||
33 | sw = sw1; | ||
34 | } | ||
35 | QLIST_REMOVE (cap, entries); | ||
36 | + g_free (cap->hw.mix_buf); | ||
37 | + g_free (cap->buf); | ||
38 | g_free (cap); | ||
39 | } | ||
40 | return; | ||
41 | -- | ||
42 | 1.9.1 | ||
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend index 8db32c5..3ebff2d 100644 --- a/recipes-devtools/qemu/qemu_%.bbappend +++ b/recipes-devtools/qemu/qemu_%.bbappend | |||
@@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-2620.patch \ | |||
5 | file://0002-CVE-2017-2620.patch \ | 5 | file://0002-CVE-2017-2620.patch \ |
6 | file://CVE-2017-7471.patch \ | 6 | file://CVE-2017-7471.patch \ |
7 | file://CVE-2017-6505.patch \ | 7 | file://CVE-2017-6505.patch \ |
8 | file://CVE-2017-8309.patch \ | ||
8 | " | 9 | " |