diff options
| author | Leo Famulari <leo@famulari.name> | 2017-11-08 21:04:33 -0500 |
|---|---|---|
| committer | Leo Famulari <leo@famulari.name> | 2017-11-10 12:16:31 -0500 |
| commit | adf7e69cab6180ef75360a1c0731c93f4bff2b18 (patch) | |
| tree | 7cf0da9738e88fe7bb132a85636fccc315b1a9ba /gnu/packages/patches/qemu-CVE-2017-15038.patch | |
| parent | d4d7d70912642be18d93c9ce6470f8650097b5e5 (diff) | |
gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
* gnu/packages/patches/qemu-CVE-2017-15038.patch,
gnu/packages/patches/qemu-CVE-2017-15268.patch,
gnu/packages/patches/qemu-CVE-2017-15289.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-15038.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15038.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch new file mode 100644 index 0000000000..4791a186bf --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-15038.patch @@ -0,0 +1,51 @@ +Fix CVE-2017-15038: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038 + +Patch copied from upstream source repository: + +https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6 + +From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 16 Oct 2017 14:21:59 +0200 +Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr + +9p back-end first queries the size of an extended attribute, +allocates space for it via g_malloc() and then retrieves its +value into allocated buffer. Race between querying attribute +size and retrieving its could lead to memory bytes disclosure. +Use g_malloc0() to avoid it. + +Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Greg Kurz <groug@kaod.org> +--- + hw/9pfs/9p.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 23ac7bb532..f8bbac251d 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) + xattr_fidp->fid_type = P9_FID_XATTR; + xattr_fidp->fs.xattr.xattrwalk_fid = true; + if (size) { +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = v9fs_co_llistxattr(pdu, &xattr_fidp->path, + xattr_fidp->fs.xattr.value, + xattr_fidp->fs.xattr.len); +@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque) + xattr_fidp->fid_type = P9_FID_XATTR; + xattr_fidp->fs.xattr.xattrwalk_fid = true; + if (size) { +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path, + &name, xattr_fidp->fs.xattr.value, + xattr_fidp->fs.xattr.len); +-- +2.15.0 + |