diff options
| author | Leo Famulari <leo@famulari.name> | 2017-04-07 00:16:18 -0400 |
|---|---|---|
| committer | Leo Famulari <leo@famulari.name> | 2017-04-07 00:53:02 -0400 |
| commit | fbd6fb1a9d75bd7b5d1df24cb805b7df335b0223 (patch) | |
| tree | f3c44e6fad5ccde80fc4a093de28f17e8faa6642 /gnu/packages/patches/qemu-CVE-2017-5931.patch | |
| parent | 0715c0e69c2ec6f91551988d46de07e2e4cfaac2 (diff) | |
| download | guix-fbd6fb1a9d75bd7b5d1df24cb805b7df335b0223.tar.gz | |
gnu: qemu: Update to 2.8.1 [security fixes].
Fixes CVE-2016-{9602,9603} and CVE-2017-{2615,2620,2630,5667,5931}.
* gnu/packages/qemu.scm (qemu): Update to 2.8.1.
* gnu/packages/patches/qemu-CVE-2017-2615.patch,
gnu/packages/patches/qemu-CVE-2017-2620.patch,
gnu/packages/patches/qemu-CVE-2017-2630.patch,
gnu/packages/patches/qemu-CVE-2017-5667.patch,
gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-5931.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch deleted file mode 100644 index 08910e5fac..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5931.patch +++ /dev/null @@ -1,55 +0,0 @@ -Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests): - -http://seclists.org/oss-sec/2017/q1/337 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4 - -From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 -From: Gonglei <arei.gonglei@huawei.com> -Date: Tue, 3 Jan 2017 14:50:03 +0800 -Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow - -Because the 'size_t' type is 4 bytes in 32-bit platform, which -is the same with 'int'. It's easy to make 'max_len' to zero when -integer overflow and then cause heap overflow if 'max_len' is zero. - -Using uint_64 instead of size_t to avoid the integer overflow. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Tested-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> ---- - hw/virtio/virtio-crypto.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c -index 2f2467e859..c23e1ad458 100644 ---- a/hw/virtio/virtio-crypto.c -+++ b/hw/virtio/virtio-crypto.c -@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - uint32_t hash_start_src_offset = 0, len_to_hash = 0; - uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - -- size_t max_len, curr_size = 0; -+ uint64_t max_len, curr_size = 0; - size_t s; - - /* Plain cipher */ -@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - return NULL; - } - -- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; -+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; - if (unlikely(max_len > vcrypto->conf.max_size)) { - virtio_error(vdev, "virtio-crypto too big length"); - return NULL; --- -2.11.1 - |