diff options
| author | Marius Bakke <mbakke@fastmail.com> | 2017-12-19 01:15:09 +0100 |
|---|---|---|
| committer | Marius Bakke <mbakke@fastmail.com> | 2017-12-19 01:15:09 +0100 |
| commit | 937790df9d9ed9f17d1807c7c0567ee71549d92b (patch) | |
| tree | 2232cd5810f20111095d25f3217b6afff75ebb8b /gnu/packages/patches/qemu-CVE-2017-15118.patch | |
| parent | 2ea3333504b391ac7ad26a0b93aad3e18028a2ea (diff) | |
| download | guix-937790df9d9ed9f17d1807c7c0567ee71549d92b.tar.gz | |
gnu: qemu: Update to 2.10.2.
* gnu/packages/patches/qemu-CVE-2017-15118.patch, gnu/packages/patches/qemu-CVE-2017-15119.patch, gnu/packages/patches/qemu-CVE-2017-15268.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. * gnu/packages/virtualization.scm (qemu): Update to 2.10.2. [source](patches): Remove obsolete.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-15118.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-15118.patch | 58 |
1 files changed, 0 insertions, 58 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-15118.patch b/gnu/packages/patches/qemu-CVE-2017-15118.patch deleted file mode 100644 index d427317be9..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-15118.patch +++ /dev/null @@ -1,58 +0,0 @@ -Fix CVE-2017-15118: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15118 -https://bugzilla.redhat.com/show_bug.cgi?id=1516922 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=51ae4f8455c9e32c54770c4ebc25bf86a8128183 - -From 51ae4f8455c9e32c54770c4ebc25bf86a8128183 Mon Sep 17 00:00:00 2001 -From: Eric Blake <eblake@redhat.com> -Date: Wed, 22 Nov 2017 15:07:22 -0600 -Subject: [PATCH] nbd/server: CVE-2017-15118 Stack smash on large export name - -Introduced in commit f37708f6b8 (2.10). The NBD spec says a client -can request export names up to 4096 bytes in length, even though -they should not expect success on names longer than 256. However, -qemu hard-codes the limit of 256, and fails to filter out a client -that probes for a longer name; the result is a stack smash that can -potentially give an attacker arbitrary control over the qemu -process. - -The smash can be easily demonstrated with this client: -$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a) - -If the qemu NBD server binary (whether the standalone qemu-nbd, or -the builtin server of QMP nbd-server-start) was compiled with --fstack-protector-strong, the ability to exploit the stack smash -into arbitrary execution is a lot more difficult (but still -theoretically possible to a determined attacker, perhaps in -combination with other CVEs). Still, crashing a running qemu (and -losing the VM) is bad enough, even if the attacker did not obtain -full execution control. - -CC: qemu-stable@nongnu.org -Signed-off-by: Eric Blake <eblake@redhat.com> ---- - nbd/server.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/nbd/server.c b/nbd/server.c -index a81801e3bc..92c0fdd03b 100644 ---- a/nbd/server.c -+++ b/nbd/server.c -@@ -386,6 +386,10 @@ static int nbd_negotiate_handle_info(NBDClient *client, uint32_t length, - msg = "name length is incorrect"; - goto invalid; - } -+ if (namelen >= sizeof(name)) { -+ msg = "name too long for qemu"; -+ goto invalid; -+ } - if (nbd_read(client->ioc, name, namelen, errp) < 0) { - return -EIO; - } --- -2.15.0 - |