From 911a4b03a5ef774610832131e2cb9df0cd33ac78 Mon Sep 17 00:00:00 2001 From: Yogita Urade Date: Thu, 10 Aug 2023 07:00:11 +0000 Subject: qemu: fix CVE-2023-3255 QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-3255 (From OE-Core rev: 886536b056230a9d72c900eacc8d1d8b44bd2836) Signed-off-by: Yogita Urade Signed-off-by: Steve Sakoman --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../recipes-devtools/qemu/qemu/CVE-2023-3255.patch | 65 ++++++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c1ac245f9f..7dc382ffdb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://ppc.patch \ file://CVE-2023-0330.patch \ file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..661af629b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch @@ -0,0 +1,65 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Wed, 2 Aug 2023 12:29:55 +0000 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 + Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; + charset=UTF-8 Content-Transfer-Encoding: 8bit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Tested-by: Marc-André Lureau +Message-ID: <20230704084210.101822-1-mcascell@redhat.com> + +CVE: CVE-2023-3255 + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +Signed-off-by: Yogita Urade +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa2..c759be343 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: +-- +2.40.0 -- cgit v1.2.3-54-g00ecf