
Unblock request for qemu/0.9.1-9



Hi,

qemu 0.9.1-9 fixes a remote DoS; please find the diff below. Could you
please unblock it?

Thanks,
Aurelien

diff -u qemu-0.9.1/debian/changelog qemu-0.9.1/debian/changelog
--- qemu-0.9.1/debian/changelog
+++ qemu-0.9.1/debian/changelog
@@ -1,8 +1,15 @@
+qemu (0.9.1-9) unstable; urgency=low
+
+  * debian/patches/94_security.patch: fix remote DoS via VNC 
+    (CORE-2008-1210/CVE-2008-2382).
+
+ -- Aurelien Jarno <aurel32@debian.org>  Tue, 23 Dec 2008 15:06:11 +0100
+
 qemu (0.9.1-8) unstable; urgency=low
 
   * debian/patches: 
       - cherry-pick from svn: 61_pseudotty.patch 62_fix-ptyblocking.patch
-        closes: #494831
+        qemu is affected by #494831 too, these patches fix it here.
 
  -- Riku Voipio <riku@debian.org>  Wed, 19 Nov 2008 23:21:43 +0200
 
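Review bot: the changelog entry names `debian/patches/94_security.patch`, but the series hunk below adds `95_security.patch` and the new file added by this diff is `debian/patches/95_security.patch`; align the changelog with the patch actually shipped before upload. The same hunk also rewrites the already-released 0.9.1-8 entry (replacing `closes: #494831` with a free-text note); that is harmless since the bug reference is kept, but it is worth mentioning in the unblock request so the reviewer is not surprised by a change to old history.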
diff -u qemu-0.9.1/debian/patches/series qemu-0.9.1/debian/patches/series
--- qemu-0.9.1/debian/patches/series
+++ qemu-0.9.1/debian/patches/series
@@ -47,0 +48 @@
+95_security.patch
--- qemu-0.9.1.orig/debian/patches/95_security.patch
+++ qemu-0.9.1/debian/patches/95_security.patch
@@ -0,0 +1,27 @@
+Properly handle the case of SetPixelEncodings with a length of zero.
+    
+This commit addresses CORE-2008-1210/CVE-2008-2382.
+    
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+    
+diff --git a/vnc.c b/vnc.c
+index 3a7d762..575fd68 100644
+--- a/vnc.c
++++ b/vnc.c
+@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+ 	if (len == 1)
+ 	    return 4;
+ 
+-	if (len == 4)
+-	    return 4 + (read_u16(data, 2) * 4);
++	if (len == 4) {
++            limit = read_u16(data, 2);
++            if (limit > 0)
++                return 4 + (limit * 4);
++        } else
++            limit = read_u16(data, 2);
+ 
+-	limit = read_u16(data, 2);
+ 	for (i = 0; i < limit; i++) {
+ 	    int32_t val = read_s32(data, 4 + (i * 4));
+ 	    memcpy(data + 4 + (i * 4), &val, sizeof(val));
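Review bot: `limit = read_u16(data, 2)` is now evaluated in both branches of the new `if (len == 4)` test; hoisting the read above the test and collapsing the condition to `if (len == 4 && limit > 0) return 4 + (limit * 4);` gives the same behaviour with less duplication, and would also clear the mixed tab/space indentation visible in the added lines. The logic change itself reads correctly: with a zero encoding count the old code answered `4`, the number of bytes it had already been handed, so the caller kept asking for the same four bytes; the new code only returns early for a non-zero count and otherwise falls through to the (empty) `for` loop so the message is consumed. Since the hunk stops inside the loop, please confirm in the full function that the fall-through path ends by returning the consumed length rather than re-requesting bytes, and that `read_s32` is never reached with `limit` larger than what the `len == 4` early return promised.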
-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
