diff options
author | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2015-07-07 00:29:37 +0200 |
commit | c190b396d5d2b0ce2caabf7366f3b08546187f11 (patch) | |
tree | 5a0748d0fe6581dd4c8eaf9dbdefe498bf9a0e64 /meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch | |
parent | e8be346c3a210a1b4da8b6943c5fe2e5556d29b9 (diff) | |
download | poky-c190b396d5d2b0ce2caabf7366f3b08546187f11.tar.gz |
qemu: fixed multiple CVEs
CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, missing field list terminator in vmstate_xhci_event
CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle
functions
CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch new file mode 100644 index 0000000000..cf90984f6a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001 | ||
2 | From: Petr Matousek <pmatouse@redhat.com> | ||
3 | Date: Mon, 27 Oct 2014 12:41:44 +0100 | ||
4 | Subject: [PATCH] vnc: sanitize bits_per_pixel from the client | ||
5 | |||
6 | bits_per_pixel that are less than 8 could result in accessing | ||
7 | non-initialized buffers later in the code due to the expectation | ||
8 | that bytes_per_pixel value that is used to initialize these buffers is | ||
9 | never zero. | ||
10 | |||
11 | To fix this check that bits_per_pixel from the client is one of the | ||
12 | values that the rfb protocol specification allows. | ||
13 | |||
14 | This is CVE-2014-7815. | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Petr Matousek <pmatouse@redhat.com> | ||
19 | |||
20 | [ kraxel: apply codestyle fix ] | ||
21 | |||
22 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
23 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
24 | --- | ||
25 | ui/vnc.c | 10 ++++++++++ | ||
26 | 1 file changed, 10 insertions(+) | ||
27 | |||
28 | diff --git a/ui/vnc.c b/ui/vnc.c | ||
29 | index 0fe6eff..8bca597 100644 | ||
30 | --- a/ui/vnc.c | ||
31 | +++ b/ui/vnc.c | ||
32 | @@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs, | ||
33 | return; | ||
34 | } | ||
35 | |||
36 | + switch (bits_per_pixel) { | ||
37 | + case 8: | ||
38 | + case 16: | ||
39 | + case 32: | ||
40 | + break; | ||
41 | + default: | ||
42 | + vnc_client_error(vs); | ||
43 | + return; | ||
44 | + } | ||
45 | + | ||
46 | vs->client_pf.rmax = red_max; | ||
47 | vs->client_pf.rbits = hweight_long(red_max); | ||
48 | vs->client_pf.rshift = red_shift; | ||
49 | -- | ||
50 | 1.9.1 | ||
51 | |||