squeeze update of qemu?
Hello,

The VENOM vulnerability is unfixed in squeeze (except for
squeeze-backports):
https://security-tracker.debian.org/tracker/CVE-2015-3456

Even though qemu is not supported in squeeze-lts, I propose to fix this
particular vulnerability due to its severity, but make clear in the DLA
that qemu is not supported in general (as suggested by Raphael Hertzog).

I have attached a debdiff with the backported patch for fdc.c from [1]
and I'd appreciate review comments.

Best,
Michael
[1] http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c
--
Michael Banck
Project Manager / Consultant
Tel.: +49 (2161) 4643-171
Fax: +49 (2161) 4643-100
Email: michael.banck@credativ.de
credativ GmbH, HRB Mönchengladbach 12080
VAT ID number: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Managing Directors: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
diff -u qemu-0.12.5+dfsg/debian/changelog qemu-0.12.5+dfsg/debian/changelog
--- qemu-0.12.5+dfsg/debian/changelog
+++ qemu-0.12.5+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=high
+
+ * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
+ (Closes: CVE-2015-3456)
+
+ -- Michael Banck <michael.banck@credativ.de> Fri, 12 Jun 2015 13:34:20 +0200
+
qemu (0.12.5+dfsg-3squeeze4) squeeze-security; urgency=high
* fix guest-triggerable buffer overrun in virtio-net device
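Review bot: the new changelog entry names the patch file but never says what was fixed; this text ends up in the DLA and in apt-listchanges, so describe the change in the style of the 3squeeze4 entry below it, e.g. `* fix guest-triggerable out-of-bounds FIFO access in the floppy controller (CVE-2015-3456)`. `Closes:` is parsed by the archive tooling as a Debian bug reference, and the bug for this issue is #785424 (the `Bug-Debian:` line in the attached patch), so write `Closes: #785424` and keep the CVE id in the description text.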
diff -u qemu-0.12.5+dfsg/debian/patches/series qemu-0.12.5+dfsg/debian/patches/series
--- qemu-0.12.5+dfsg/debian/patches/series
+++ qemu-0.12.5+dfsg/debian/patches/series
@@ -12,0 +13 @@
+fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
only in patch2:
unchanged:
--- qemu-0.12.5+dfsg.orig/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
+++ qemu-0.12.5+dfsg/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
@@ -0,0 +1,79 @@
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 07:48:59 +0000 (+0200)
+Subject: fdc: force the fifo access to be in bounds of the allocated buffer
+X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c
+Bug-Debian: http://bugs.debian.org/785424
+Comment: back-patched to 0.12 by mbanck
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+--- a/hw/fdc.c 2010-07-22 14:39:04.000000000 +0200
++++ b/hw/fdc.c 2015-05-20 09:20:54.862475399 +0200
+@@ -1314,7 +1314,7 @@
+ {
+ fdrive_t *cur_drv;
+ uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+ cur_drv = get_cur_drv(fdctrl);
+ fdctrl->dsr &= ~FD_DSR_PWRDOWN;
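Review bot: the `int` to `uint32_t` change on `pos` is not cosmetic, it is what makes the `pos %= FD_SECTOR_LEN` in the next hunk a real bound: with a signed `pos`, a value that had gone negative would keep a negative remainder after the modulo and still index `fifo[]` before its start. A one-line comment on the declaration would stop a later reader from reverting the type "for consistency".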
+@@ -1323,8 +1323,8 @@
+ return 0;
+ }
+ pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+ if (fdctrl->data_pos != 0)
+ if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
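Review bot: moving `pos %= FD_SECTOR_LEN` above the `FD_MSR_NONDMA` test is the read-side fix, since the bound now also applies in DMA mode where it used to be skipped. Only the local `pos` is bounded, and the hunk does not show the later FIFO access or the rest of the function, so please confirm that every `fifo[]` index below this point goes through `pos` and none through `fdctrl->data_pos` directly (the `if (fdctrl->data_pos != 0)` test is fine as is, being a counter comparison rather than an index).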
+@@ -1669,10 +1669,13 @@
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+ /* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+ fdctrl->fifo[0] = fdctrl->fifo[1];
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
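Review bot: `pos = fdctrl->data_pos - 1` wraps to `UINT32_MAX` when `data_pos` is 0, and `pos %= FD_SECTOR_LEN` then yields 511, an in-bounds but meaningless byte instead of a read before the buffer. That is acceptable as a bounding fix, but a short comment saying the wraparound is intended would help the next backporter; both reads of the parameter byte now use the bounded `pos`, which is what we want.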
+@@ -1767,7 +1770,7 @@
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+ fdrive_t *cur_drv;
+- int pos;
++ uint32_t pos;
+
+ /* Reset mode */
+ if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1813,7 +1816,9 @@
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
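Review bot: the write index is bounded, but `fdctrl->data_pos` still increments without limit and the following `if (fdctrl->data_pos == fdctrl->data_len)` compares the raw counter; that stays correct only while `data_len` is never set above `FD_SECTOR_LEN`, which this patch does not touch, so please check the assignments to `data_len` in the 0.12 tree. Note also that once `data_pos` passes the buffer size, further guest bytes silently overwrite earlier FIFO entries rather than being rejected; that matches the upstream change and is fine for a minimal LTS backport, but it is worth a comment next to the modulo.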