Gentoo Archives: gentoo-commits

From: "Mike Frysinger (vapier)" <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-emulation/qemu/files: qemu-2.1.2-vnc-sanitize-bits.patch
Date: Fri, 31 Oct 2014 00:17:50
Message-Id: 20141031001746.2593491AC@oystercatcher.gentoo.org
1 vapier 14/10/31 00:17:46
2
3 Added: qemu-2.1.2-vnc-sanitize-bits.patch
4 Log:
5 Add fix from upstream for vnc arg sanitizing #527088 by Agostino Sarubbo.
6
7 (Portage version: 2.2.14/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
8
9 Revision Changes Path
10 1.1 app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch?rev=1.1&content-type=text/plain
14
15 Index: qemu-2.1.2-vnc-sanitize-bits.patch
16 ===================================================================
17 https://bugs.gentoo.org/527088
18
19 From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
20 From: Petr Matousek <pmatouse@××××××.com>
21 Date: Mon, 27 Oct 2014 12:41:44 +0100
22 Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
23
24 bits_per_pixel that are less than 8 could result in accessing
25 non-initialized buffers later in the code due to the expectation
26 that bytes_per_pixel value that is used to initialize these buffers is
27 never zero.
28
29 To fix this check that bits_per_pixel from the client is one of the
30 values that the rfb protocol specification allows.
31
32 This is CVE-2014-7815.
33
34 Signed-off-by: Petr Matousek <pmatouse@××××××.com>
35
36 [ kraxel: apply codestyle fix ]
37
38 Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
39 ---
40 ui/vnc.c | 10 ++++++++++
41 1 file changed, 10 insertions(+)
42
43 diff --git a/ui/vnc.c b/ui/vnc.c
44 index 0fe6eff..8bca597 100644
45 --- a/ui/vnc.c
46 +++ b/ui/vnc.c
47 @@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
48 return;
49 }
50
51 + switch (bits_per_pixel) {
52 + case 8:
53 + case 16:
54 + case 32:
55 + break;
56 + default:
57 + vnc_client_error(vs);
58 + return;
59 + }
60 +
61 vs->client_pf.rmax = red_max;
62 vs->client_pf.rbits = hweight_long(red_max);
63 vs->client_pf.rshift = red_shift;
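Review bot: the new switch in set_pixel_format() carries no comment explaining why only 8, 16 and 32 are accepted, so the link to the bug is visible only in the commit message. A short comment above `switch (bits_per_pixel) {` would help, saying that these are the values the RFB specification allows and that anything below 8 leads to a zero bytes_per_pixel. That keeps a later cleanup from relaxing the check. The placement is right, since the check rejects the request before any vs->client_pf field is written. The default branch drops the client through vnc_client_error(vs) without recording the rejected value; if the file has a trace or debug facility, emitting bits_per_pixel there would make malformed SetPixelFormat requests visible to whoever operates the VNC server.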
64 --
65 2.1.2