Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch | 53 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.1.0.bb | 1 |
2 files changed, 54 insertions, 0 deletions
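--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,53 @@
+From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ui/vnc.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+return;
+}
+
++ switch (bits_per_pixel) {
++ case 8:
++ case 16:
++ case 32:
++ break;
++ default:
++ vnc_client_error(vs);
++ return;
++ }
++
+vs->client_pf.rmax = red_max;
+vs->client_pf.rbits = hweight_long(red_max);
+vs->client_pf.rshift = red_shift;
+--
+1.9.1
+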
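Review bot: The new check in set_pixel_format covers only `bits_per_pixel`; the lines right after it still copy the client-supplied `red_max` and `red_shift` into `vs->client_pf` as received, and nothing visible in the hunk range-checks them. Whether the other pixel-format fields are validated elsewhere cannot be seen from here (set_pixel_format starts and ends outside the hunk), so it is worth confirming against the 2.1.0 tree while this backport is being carried. The reason only 8, 16 and 32 are accepted lives in the commit message alone; a comment above the switch such as `/* RFB allows only 8, 16 or 32 bpp; a smaller value makes bytes_per_pixel zero */` would keep the rationale next to the code.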
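--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
 file://qemu-CVE-2015-3456.patch \
 file://CVE-2014-7840.patch \
+file://vnc-CVE-2014-7815.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"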