diff options
Diffstat (limited to 'meta/recipes-devtools')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch | 65 |
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c1ac245f9f..7dc382ffdb 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
| @@ -38,6 +38,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
| 38 | file://ppc.patch \ | 38 | file://ppc.patch \ |
| 39 | file://CVE-2023-0330.patch \ | 39 | file://CVE-2023-0330.patch \ |
| 40 | file://CVE-2023-3301.patch \ | 40 | file://CVE-2023-3301.patch \ |
| 41 | file://CVE-2023-3255.patch \ | ||
| 41 | " | 42 | " |
| 42 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 43 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
| 43 | 44 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..661af629b0 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch | |||
| @@ -0,0 +1,65 @@ | |||
| 1 | From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
| 3 | Date: Wed, 2 Aug 2023 12:29:55 +0000 | ||
| 4 | Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer | ||
| 5 | (CVE-2023-3255) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 | ||
| 6 | Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; | ||
| 7 | charset=UTF-8 Content-Transfer-Encoding: 8bit | ||
| 8 | MIME-Version: 1.0 | ||
| 9 | Content-Type: text/plain; charset=UTF-8 | ||
| 10 | Content-Transfer-Encoding: 8bit | ||
| 11 | |||
| 12 | A wrong exit condition may lead to an infinite loop when inflating a | ||
| 13 | valid zlib buffer containing some extra bytes in the `inflate_buffer` | ||
| 14 | function. The bug only occurs post-authentication. Return the buffer | ||
| 15 | immediately if the end of the compressed data has been reached | ||
| 16 | (Z_STREAM_END). | ||
| 17 | |||
| 18 | Fixes: CVE-2023-3255 | ||
| 19 | Fixes: 0bf41cab ("ui/vnc: clipboard support") | ||
| 20 | Reported-by: Kevin Denis <kevin.denis@synacktiv.com> | ||
| 21 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
| 22 | Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
| 23 | Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com> | ||
| 24 | Message-ID: <20230704084210.101822-1-mcascell@redhat.com> | ||
| 25 | |||
| 26 | CVE: CVE-2023-3255 | ||
| 27 | |||
| 28 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] | ||
| 29 | |||
| 30 | Signed-off-by: Yogita Urade <yogita.urade@windriver.com> | ||
| 31 | --- | ||
| 32 | ui/vnc-clipboard.c | 10 ++++------ | ||
| 33 | 1 file changed, 4 insertions(+), 6 deletions(-) | ||
| 34 | |||
| 35 | diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c | ||
| 36 | index 8aeadfaa2..c759be343 100644 | ||
| 37 | --- a/ui/vnc-clipboard.c | ||
| 38 | +++ b/ui/vnc-clipboard.c | ||
| 39 | @@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) | ||
| 40 | ret = inflate(&stream, Z_FINISH); | ||
| 41 | switch (ret) { | ||
| 42 | case Z_OK: | ||
| 43 | - case Z_STREAM_END: | ||
| 44 | break; | ||
| 45 | + case Z_STREAM_END: | ||
| 46 | + *size = stream.total_out; | ||
| 47 | + inflateEnd(&stream); | ||
| 48 | + return out; | ||
| 49 | case Z_BUF_ERROR: | ||
| 50 | out_len <<= 1; | ||
| 51 | if (out_len > (1 << 20)) { | ||
| 52 | @@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) | ||
| 53 | } | ||
| 54 | } | ||
| 55 | |||
| 56 | - *size = stream.total_out; | ||
| 57 | - inflateEnd(&stream); | ||
| 58 | - | ||
| 59 | - return out; | ||
| 60 | - | ||
| 61 | err_end: | ||
| 62 | inflateEnd(&stream); | ||
| 63 | err: | ||
| 64 | -- | ||
| 65 | 2.40.0 | ||