From adf7e69cab6180ef75360a1c0731c93f4bff2b18 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Wed, 8 Nov 2017 21:04:33 -0500
Subject: gnu: qemu: Fix CVE-2017-{15038,15268,15289}.

* gnu/packages/patches/qemu-CVE-2017-15038.patch, gnu/packages/patches/qemu-CVE-2017-15268.patch, gnu/packages/patches/qemu-CVE-2017-15289.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/packages/patches/qemu-CVE-2017-15038.patch | 51 ++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-15038.patch
(limited to 'gnu/packages/patches/qemu-CVE-2017-15038.patch')
diff --git a/gnu/packages/patches/qemu-CVE-2017-15038.patch b/gnu/packages/patches/qemu-CVE-2017-15038.patch
new file mode 100644
index 0000000000..4791a186bf
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-15038.patch
@@ -0,0 +1,51 @@
+Fix CVE-2017-15038:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15038
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=7bd92756303f2158a68d5166264dc30139b813b6
+
+From 7bd92756303f2158a68d5166264dc30139b813b6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Greg Kurz
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 23ac7bb532..f8bbac251d 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3234,7 +3234,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+ xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
+@@ -3267,7 +3267,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+ &name, xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
+--
+2.15.0
+
-- 
cgit 1.4.1
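Review bot: In both inner hunks `xattr_fidp->fs.xattr.len` keeps the size obtained by the earlier query — it is passed as the buffer length to `v9fs_co_llistxattr`/`v9fs_co_lgetxattr` but never updated from the byte count those calls return in `err` — so the zeroed allocation is the entire mitigation: if the attribute shrinks between the two calls, the fid still reports the stale length and the guest reads trailing zero bytes instead of leftover heap contents. That appears to be upstream's intended scope, and Guix copies the patch verbatim, so the right place for the caveat is the patch header rather than the code, e.g. `Note: the size/read race itself remains; g_malloc0 only keeps uninitialized heap bytes from reaching the guest.`. How a grown attribute is handled (the error path after each call) and the rest of v9fs_xattrwalk lie outside the hunk, so whether `len` is corrected later cannot be confirmed from here.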