diff options
| author |   Matthias Maier <tamiko@gentoo.org> | 2016-09-09 21:23:22 -0500 |
|---|---|---|
| committer | Matthias Maier <tamiko@gentoo.org> | 2016-09-09 21:23:22 -0500 |
| commit | eaeffb27d67769a089170dcc45ea3e8a4efb645b (patch) | |
| tree | 18ee5db6f0eeac3ad421b08cdbec4ebfe2fe1aa9 /app-emulation | |
| parent | dev-libs/libgit2-glib: version bump 0.24.3 → 0.24.4 (diff) | |
| download | gentoo-eaeffb27d67769a089170dcc45ea3e8a4efb645b.tar.gz gentoo-eaeffb27d67769a089170dcc45ea3e8a4efb645b.tar.bz2 gentoo-eaeffb27d67769a089170dcc45ea3e8a4efb645b.zip | |
app-emulation/qemu: apply fix for CVE-2016-7170, bug #593284
Package-Manager: portage-2.2.28
Diffstat (limited to 'app-emulation')
| -rw-r--r-- | app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch | 40 | ||||
| -rw-r--r-- | app-emulation/qemu/qemu-2.7.0-r2.ebuild (renamed from app-emulation/qemu/qemu-2.7.0-r1.ebuild) | 1 |
2 files changed, 41 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch new file mode 100644 index 000000000000..7eb5f76dd133 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch @@ -0,0 +1,40 @@ +From: Prasad J Pandit <address@hidden> + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang <address@hidden> +Reported-by: Li Qiang <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e51a05e..6599cf0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + +-- +2.5.5 + diff --git a/app-emulation/qemu/qemu-2.7.0-r1.ebuild b/app-emulation/qemu/qemu-2.7.0-r2.ebuild index c75b7b6bc05c..42a669eb40a0 100644 --- a/app-emulation/qemu/qemu-2.7.0-r1.ebuild +++ b/app-emulation/qemu/qemu-2.7.0-r2.ebuild @@ -340,6 +340,7 @@ src_prepare() { epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036 epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038 epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038 + epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284 # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY |