Re: Unblock request for qemu/0.9.1-9
On Wed, 2008-12-24 at 12:11 +0100, Aurelien Jarno wrote:
> Hi,
>
> qemu 0.9.1-9 fixes a remote DoS, please find the diff below. Could you
> please unblock it?
The same fix has also been applied to kvm in version kvm_72+dfsg-4.
Please unblock it, too.
Thanks,
Jan
diff -u kvm-72+dfsg/debian/changelog kvm-72+dfsg/debian/changelog
--- kvm-72+dfsg/debian/changelog
+++ kvm-72+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+kvm (72+dfsg-4) unstable; urgency=high
+
+ * debian/patches/core-2008-1210.patch: fix remote DoS via VNC
+ (CORE-2008-1210/CVE-2008-2382).
+
+ -- Jan Lübbe <jluebbe@debian.org> Wed, 24 Dec 2008 12:23:06 +0100
+
kvm (72+dfsg-3) unstable; urgency=medium
 * Apply patch from qemu (62_fix-ptyblocking.patch) which fixes a lockup
diff -u kvm-72+dfsg/debian/patches/series kvm-72+dfsg/debian/patches/series
--- kvm-72+dfsg/debian/patches/series
+++ kvm-72+dfsg/debian/patches/series
@@ -16,0 +17 @@
+core-2008-1210.patch
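Review bot: the new entry core-2008-1210.patch at line 17 of the series does not follow the numeric-prefix naming the rest of the series uses (the changelog above refers to 62_fix-ptyblocking.patch); giving it a prefix in the same scheme would keep the application order evident from the file names alone.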
only in patch2:
unchanged:
--- kvm-72+dfsg.orig/debian/patches/core-2008-1210.patch
+++ kvm-72+dfsg/debian/patches/core-2008-1210.patch
@@ -0,0 +1,27 @@
+Fix CORE-2008-1210 VNC DoS
+
+If the client sends us a limit of zero, handle appropriately.
+
+Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+diff --git qemu/vnc.c qemu/vnc.c
+index 3a7d762..575fd68 100644
+--- a/qemu/vnc.c
++++ b/qemu/vnc.c
+@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+ if (len == 1)
+ return 4;
+
+- if (len == 4)
+- return 4 + (read_u16(data, 2) * 4);
++ if (len == 4) {
++ limit = read_u16(data, 2);
++ if (limit > 0)
++ return 4 + (limit * 4);
++ } else
++ limit = read_u16(data, 2);
+
+- limit = read_u16(data, 2);
+ for (i = 0; i < limit; i++) {
+ int32_t val = read_s32(data, 4 + (i * 4));
+ memcpy(data + 4 + (i * 4), &val, sizeof(val));
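Review bot: in the inner vnc.c hunk the fix assigns `limit = read_u16(data, 2);` in both arms of the new `if (len == 4)` and leaves a brace-less multi-line `else`; hoisting that single read above the `if` and reducing the early return to `if (len == 4 && limit > 0) return 4 + (limit * 4);` is behaviourally identical and easier to follow. A one-line comment saying why a zero limit must not take the early return (the old code returned 4 there, which equals len, so the handler would be re-entered with the same four bytes and never consume more) would also help, since that is the whole substance of the CVE-2008-2382 change and nothing in the code says so.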