diff options
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch | 64 |
2 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d5d210194b..83959f3c68 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -95,6 +95,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 95 | file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ | 95 | file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ |
| 96 | file://CVE-2023-0330.patch \ | 96 | file://CVE-2023-0330.patch \ |
| 97 | file://CVE-2023-3301.patch \ | 97 | file://CVE-2023-3301.patch \ |
| 98 | file://CVE-2023-3255.patch \ | ||
| 98 | " | 99 | " |
| 99 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 100 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 100 | 101 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..f030df111f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch | |||
| @@ -0,0 +1,64 @@ | |||
| 1 | From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
| 3 | Date: Tue, 4 Jul 2023 10:41:22 +0200 | ||
| 4 | Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer | ||
| 5 | (CVE-2023-3255) | ||
| 6 | MIME-Version: 1.0 | ||
| 7 | Content-Type: text/plain; charset=UTF-8 | ||
| 8 | Content-Transfer-Encoding: 8bit | ||
| 9 | |||
| 10 | A wrong exit condition may lead to an infinite loop when inflating a | ||
| 11 | valid zlib buffer containing some extra bytes in the `inflate_buffer` | ||
| 12 | function. The bug only occurs post-authentication. Return the buffer | ||
| 13 | immediately if the end of the compressed data has been reached | ||
| 14 | (Z_STREAM_END). | ||
| 15 | |||
| 16 | Fixes: CVE-2023-3255 | ||
| 17 | Fixes: 0bf41cab ("ui/vnc: clipboard support") | ||
| 18 | Reported-by: Kevin Denis <kevin.denis@synacktiv.com> | ||
| 19 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
| 20 | Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
| 21 | Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
| 22 | Message-ID: <20230704084210.101822-1-mcascell@redhat.com> | ||
| 23 | |||
| 24 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] | ||
| 25 | |||
| 26 | CVE: CVE-2023-3255 | ||
| 27 | |||
| 28 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 29 | |||
| 30 | --- | ||
| 31 | ui/vnc-clipboard.c | 10 ++++------ | ||
| 32 | 1 file changed, 4 insertions(+), 6 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c | ||
| 35 | index 8aeadfaa21..c759be3438 100644 | ||
| 36 | --- a/ui/vnc-clipboard.c | ||
| 37 | +++ b/ui/vnc-clipboard.c | ||
| 38 | @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) | ||
| 39 | ret = inflate(&stream, Z_FINISH); | ||
| 40 | switch (ret) { | ||
| 41 | case Z_OK: | ||
| 42 | - case Z_STREAM_END: | ||
| 43 | break; | ||
| 44 | + case Z_STREAM_END: | ||
| 45 | + *size = stream.total_out; | ||
| 46 | + inflateEnd(&stream); | ||
| 47 | + return out; | ||
| 48 | case Z_BUF_ERROR: | ||
| 49 | out_len <<= 1; | ||
| 50 | if (out_len > (1 << 20)) { | ||
| 51 | @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) | ||
| 52 | } | ||
| 53 | } | ||
| 54 | |||
| 55 | - *size = stream.total_out; | ||
| 56 | - inflateEnd(&stream); | ||
| 57 | - | ||
| 58 | - return out; | ||
| 59 | - | ||
| 60 | err_end: | ||
| 61 | inflateEnd(&stream); | ||
| 62 | err: | ||
| 63 | -- | ||
| 64 | 2.40.0 | ||