qemu: Security fixes CVE-2018-20815 CVE-2019-9824

Source: qemu.org MR: 98623 Type: Security Fix Disposition: Backport from qemu.org ChangeID: 03b3f28e5860ef1cb9f58dce89f252bd7ed59f37 Description: Fixes both CVE-2018-20815 and CVE-2019-9824 (From OE-Core rev: 5c45cd09fb29d4a1ebda6153a25f16e312049c44) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2019-07-01 17:30:37 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-27 18:05:18 +0100
commit: e2f3997a84d0d700b0570a0f5d6f17ceffd955c4 (patch)
tree: be18f12e4296eeb0eae4e70799281c8653be3693 /meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
parent: 45e662b445970d6f57b8787c0c61b903cdfaa238 (diff)
download: poky-e2f3997a84d0d700b0570a0f5d6f17ceffd955c4.tar.gz
1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
new file mode 100644
index 0000000000..7f8300672b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling <will@wbowling.info>
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
+CVE: CVE-2019-9824
+affects < 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: qemu-3.0.0/slirp/tcp_subr.c
+===================================================================
+--- qemu-3.0.0.orig/slirp/tcp_subr.c
+++ qemu-3.0.0/slirp/tcp_subr.c
+@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf *
+                                                        break;
+                                                }
+                                        }
+                so_rcv->sb_cc = snprintf(so_rcv->sb_data, 
+                                         so_rcv->sb_datalen,
+                                         "%d,%d\r\n", n1, n2);
+                so_rcv->sb_rptr = so_rcv->sb_data;
+                so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+                                }
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-                               so_rcv->sb_rptr = so_rcv->sb_data;
+-                               so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+                        }
+                        m_free(m);
+                        return 0;
author	Armin Kuster <akuster@mvista.com>	2019-07-01 17:30:37 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-27 18:05:18 +0100
commit	e2f3997a84d0d700b0570a0f5d6f17ceffd955c4 (patch)
tree	be18f12e4296eeb0eae4e70799281c8653be3693 /meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
parent	45e662b445970d6f57b8787c0c61b903cdfaa238 (diff)
download	poky-e2f3997a84d0d700b0570a0f5d6f17ceffd955c4.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch new file mode 100644 index 0000000000..7f8300672b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
	1	From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
	2	From: William Bowling <will@wbowling.info>
	3	Date: Fri, 1 Mar 2019 21:45:56 +0000
	4	Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=utf8
	7	Content-Transfer-Encoding: 8bit
	8
	9	When emulating ident in tcp_emu, if the strchr checks passed but the
	10	sscanf check failed, two uninitialized variables would be copied and
	11	sent in the reply, so move this code inside the if(sscanf()) clause.
	12
	13	Signed-off-by: William Bowling <will@wbowling.info>
	14	Cc: qemu-stable@nongnu.org
	15	Cc: secalert@redhat.com
	16	Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
	17	Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
	18	Reviewed-by: Philippe Mathieu-DaudÃ© <philmd@redhat.com>
	19
	20	Upstream-Status: Backport
	21	https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
	22	CVE: CVE-2019-9824
	23	affects < 4.0.0
	24	Signed-off-by: Armin Kuster <akuster@mvista.com>
	25
	26	Index: qemu-3.0.0/slirp/tcp_subr.c
	27	===================================================================
	28	--- qemu-3.0.0.orig/slirp/tcp_subr.c
	29	+++ qemu-3.0.0/slirp/tcp_subr.c
	30	@@ -662,12 +662,12 @@ tcp_emu(struct socket so, struct mbuf
	31	break;
	32	}
	33	}
	34	+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
	35	+ so_rcv->sb_datalen,
	36	+ "%d,%d\r\n", n1, n2);
	37	+ so_rcv->sb_rptr = so_rcv->sb_data;
	38	+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
	39	}
	40	- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
	41	- so_rcv->sb_datalen,
	42	- "%d,%d\r\n", n1, n2);
	43	- so_rcv->sb_rptr = so_rcv->sb_data;
	44	- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
	45	}
	46	m_free(m);
	47	return 0;