-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch | 65 |
2 files changed, 66 insertions, 0 deletions
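--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://ppc.patch \
 file://CVE-2023-0330.patch \
 file://CVE-2023-3301.patch \
+file://CVE-2023-3255.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 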
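--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch
@@ -0,0 +1,65 @@
+From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001
+From: Mauro Matteo Cascella <mcascell@redhat.com>
+Date: Wed, 2 Aug 2023 12:29:55 +0000
+Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
+(CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain;
+charset=UTF-8 Content-Transfer-Encoding: 8bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+A wrong exit condition may lead to an infinite loop when inflating a
+valid zlib buffer containing some extra bytes in the `inflate_buffer`
+function. The bug only occurs post-authentication. Return the buffer
+immediately if the end of the compressed data has been reached
+(Z_STREAM_END).
+
+Fixes: CVE-2023-3255
+Fixes: 0bf41cab ("ui/vnc: clipboard support")
+Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
+Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
+
+CVE: CVE-2023-3255
+
+Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ui/vnc-clipboard.c | 10 ++++------
+1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
+index 8aeadfaa2..c759be343 100644
+--- a/ui/vnc-clipboard.c
++++ b/ui/vnc-clipboard.c
+@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+ret = inflate(&stream, Z_FINISH);
+switch (ret) {
+case Z_OK:
+- case Z_STREAM_END:
+break;
++ case Z_STREAM_END:
++ *size = stream.total_out;
++ inflateEnd(&stream);
++ return out;
+case Z_BUF_ERROR:
+out_len <<= 1;
+if (out_len > (1 << 20)) {
+@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
+}
+}
+
+- *size = stream.total_out;
+- inflateEnd(&stream);
+-
+- return out;
+-
+err_end:
+inflateEnd(&stream);
+err:
+--
+2.40.0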
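Review bot: The new `case Z_STREAM_END:` return is now the only successful exit from inflate_buffer, because the second hunk deletes the post-loop epilogue (`*size = stream.total_out; inflateEnd(&stream); return out;`) instead of keeping it, so when the loop terminates on its own condition (its header is outside the hunk, presumably once the input is exhausted) control falls straight into `err_end:` and the call fails; a deflate stream that ends before its end-of-stream marker is therefore rejected, where the old code returned the partial output. That tightening is reasonable for untrusted clipboard data but is invisible at the new return, so it should be stated there, e.g. `/* Complete stream: return now. Trailing bytes are deliberately ignored (looping on them spins forever, CVE-2023-3255); input that runs out without Z_STREAM_END falls through to err_end. */`. The `1 << 20` cap on `out_len` in the Z_BUF_ERROR arm remains the only bound on decompressed size and is untouched by this fix. inflate_buffer starts before the first hunk and ends after the second, so the loop condition and the cleanup under `err:` are not visible here.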