On Wed, Dec 24, 2008 at 09:01:50PM +0100, Philipp Kern wrote:
> On Wed, Dec 24, 2008 at 01:19:01PM +0100, Jan Luebbe wrote:
> > On Wed, 2008-12-24 at 12:11 +0100, Aurelien Jarno wrote:
> > > Hi,
> > >
> > > qemu 0.9.1-9 fixes a remote DoS, please find the diff below. Could you
> > > please unblock it?
> > The same fix has also been applied to kvm in version kvm_72+dfsg-4.
> > Please unblock it, too.
>
> Both unblocked, thanks.
>
Thanks a lot. Unfortunately a new CVE has been issued in the meantime,
so I have done a new upload; please see the diff below.
Could you please unblock it?
Thanks,
Aurelien
diff -u qemu-0.9.1/debian/changelog qemu-0.9.1/debian/changelog
--- qemu-0.9.1/debian/changelog
+++ qemu-0.9.1/debian/changelog
@@ -1,6 +1,13 @@
+qemu (0.9.1-10) unstable; urgency=low
+
+ * debian/patches/96_security.patch: fix off-by-one bug limiting VNC
+ passwords to 7 chars (CVE-2008-5714).
+
+ -- Aurelien Jarno <aurel32@debian.org> Sun, 28 Dec 2008 12:38:40 +0100
+
qemu (0.9.1-9) unstable; urgency=low
- * debian/patches/94_security.patch: fix remote DoS via VNC
+ * debian/patches/95_security.patch: fix remote DoS via VNC
(CORE-2008-1210/CVE-2008-2382).
-- Aurelien Jarno <aurel32@debian.org> Tue, 23 Dec 2008 15:06:11 +0100
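Review bot: the new 0.9.1-10 stanza is marked urgency=low although its only change is a CVE fix (CVE-2008-5714) for which an unblock is being requested; consider raising the urgency, or say why low is intended. Separately, this hunk rewrites the 0.9.1-9 entry from 94_security.patch to 95_security.patch without recording that in the new entry. If it corrects a wrong file name, a line in the 0.9.1-10 entry saying so would keep the changelog history traceable.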
diff -u qemu-0.9.1/debian/patches/series qemu-0.9.1/debian/patches/series
--- qemu-0.9.1/debian/patches/series
+++ qemu-0.9.1/debian/patches/series
@@ -48,0 +49 @@
+96_security.patch
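Review bot: the appended name 96_security.patch continues the numbered NN_security.patch scheme seen in the changelog, which does not say what each patch fixes. A name carrying the identifier, for example the CVE-2008-5714 id from the changelog entry, would let someone reading the series file match a patch to its advisory without opening it.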
only in patch2:
unchanged:
--- qemu-0.9.1.orig/debian/patches/96_security.patch
+++ qemu-0.9.1/debian/patches/96_security.patch
@@ -0,0 +1,33 @@
+commit 7e5b685255b2dbc9d96f954c86fcc86a56fee0c6
+Author: aliguori <aliguori@c046a42c-6fe2-441c-8c8c-71466251a162>
+Date: Wed Dec 10 15:12:57 2008 +0000
+
+ Fix off-by-one bug limiting VNC passwords to 7 chars (Chris Webb)
+
+ monitor_readline expects buf_size to include the terminating \0, but
+ do_change_vnc in monitor.c calls it as though it doesn't. The other site
+ where monitor_readline reads a password (in vl.c) passes the buffer
+ length
+ correctly.
+
+ Signed-off-by: Chris Webb <chris@arachsys.com>
+ Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
+
+
+
+ git-svn-id: svn+ssh://svn.savannah.nongnu.org/qemu/trunk@5966 c046a42c-6fe2-441c-8c8c-71466251a162
+
+diff --git a/monitor.c b/monitor.c
+index f142a87..bec9211 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -434,8 +434,7 @@ static void do_change_vnc(const char *target)
+ if (strcmp(target, "passwd") == 0 ||
+ strcmp(target, "password") == 0) {
+ char password[9];
+- monitor_readline("Password: ", 1, password, sizeof(password)-1);
+- password[sizeof(password)-1] = '\0';
++ monitor_readline("Password: ", 1, password, sizeof(password));
+ if (vnc_display_password(NULL, password) < 0)
+ term_printf("could not set VNC server password\n");
+ } else {
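Review bot: in do_change_vnc the change removes the explicit `password[sizeof(password)-1] = '\0';` along with the `-1`, so the stack buffer `password[9]` is terminated only if monitor_readline always writes the \0 within buf_size, which the commit message states but the visible lines do not show. Keeping the explicit terminator after the call costs nothing and preserves the guarantee before `vnc_display_password(NULL, password)` reads the string. A short comment that 9 means 8 password characters plus the terminator would also make the intent of `sizeof(password)` clear at the call site.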
--
.''`. Aurelien Jarno | GPG: 1024D/F1BCDB73
: :' : Debian developer | Electrical Engineer
`. `' aurel32@debian.org | aurelien@aurel32.net
`- people.debian.org/~aurel32 | www.aurel32.net