diff options
author | melikamp <melikamp@melikamp.net> | 2015-07-13 07:54:06 +0700 |
---|---|---|
committer | Robby Workman <rworkman@slackbuilds.org> | 2015-07-16 10:57:18 -0500 |
commit | 1e5b1227cfc474a609f00f4a19e798c4e31cbf97 (patch) | |
tree | dd2cf47deba4c2687a21b4cfb063f952b8c5e81a /system | |
parent | 9f2d4d7a39b90f503a7a905ed8bb964defc38676 (diff) |
system/qemu: Patched to fix CVE-2015-3209.
Signed-off-by: Willy Sudiarto Raharjo <willysr@slackbuilds.org>
Diffstat (limited to 'system')
-rw-r--r-- | system/qemu/qemu.SlackBuild | 6 | ||||
-rw-r--r-- | system/qemu/qemu_pcnet.patch | 18 |
2 files changed, 23 insertions, 1 deletions
diff --git a/system/qemu/qemu.SlackBuild b/system/qemu/qemu.SlackBuild index c9c7c4698f405..1da81e8417361 100644 --- a/system/qemu/qemu.SlackBuild +++ b/system/qemu/qemu.SlackBuild @@ -40,10 +40,11 @@ # 1.7 01-JAN-2015 updated to 2.2.0 ; build and link static libusb option (rw, tm, SBo list) # 1.8 27-APR-2015 updated to version 2.3.0 # 1.9 14-MAY-2015 patched for "Venom" CVE-2015-3456 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c +# 2.0 11-JUL-2015 patched for Heap-based buffer overflow in the PCNET controller CVE-2015-3209 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9f7c594c006289ad41169b854d70f5da6e400a2a PRGNAM=qemu VERSION=${VERSION:-2.3.0} -BUILD=${BUILD:-2} +BUILD=${BUILD:-3} TAG=${TAG:-_SBo} KVMGROUP=${KVMGROUP:-users} @@ -140,6 +141,9 @@ fi # patch Venom bug CVE-2015-3456 patch -p1 < $CWD/qemu_venom.patch +# patch PCNET controller bug CVE-2015-3209 +patch -p1 < $CWD/qemu_pcnet.patch + PKG_CONFIG_PATH+="${USBSTATIC}" \ CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ diff --git a/system/qemu/qemu_pcnet.patch b/system/qemu/qemu_pcnet.patch new file mode 100644 index 0000000000000..5fc27c6069b0b --- /dev/null +++ b/system/qemu/qemu_pcnet.patch @@ -0,0 +1,18 @@ +index bdfd38f..68b9981 100644 (file) +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) + } + + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); ++ ++ /* if multi-tmd packet outsizes s->buffer then skip it silently. ++ Note: this is not what real hw does */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ s->xmit_pos = -1; ++ goto txdone; ++ } ++ + s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), + s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); + s->xmit_pos += bcnt;
\ No newline at end of file |