Hello community, here is the log from the commit of package kvm for openSUSE:12.1:Update:Test checked in at 2011-12-05 15:43:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/kvm (Old) and /work/SRC/openSUSE:12.1:Update:Test/.kvm.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kvm", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/kvm/kvm.changes 2011-12-05 15:43:22.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.kvm.new/kvm.changes 2011-12-05 15:43:23.000000000 +0100 @@ -1,0 +2,6 @@ +Mon Nov 28 20:28:51 UTC 2011 - [email protected] + +- add missing break. Plugs potential buffer overflow in CCID card + passthru device (bnc#731086) + +------------------------------------------------------------------- New: ---- kvm-qemu-preXX-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-message.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kvm.spec ++++++ --- /var/tmp/diff_new_pack.0jAuKg/_old 2011-12-05 15:43:23.000000000 +0100 +++ /var/tmp/diff_new_pack.0jAuKg/_new 2011-12-05 15:43:23.000000000 +0100 @@ -129,6 +129,7 @@ Patch107: kvm-qemu-preXX-block-curl-Implement-a-flush-function-on-the-fd-han.patch Patch108: kvm-qemu-preXX-block-curl-Don-t-finish-AIOCBs-too-early.patch Patch109: kvm-qemu-preXX-e1000-Don-t-set-the-Capabilities-List-bit.patch +Patch110: kvm-qemu-preXX-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-message.patch Patch150: qemu-kvm-common-code-fixes-for-s390-build.patch @@ -228,6 +229,7 @@ %patch107 -p1 %patch108 -p1 %patch109 -p1 +%patch110 -p1 %patch150 -p1 ++++++ kvm-qemu-preXX-ccid-Fix-buffer-overrun-in-handling-of-VSC_ATR-message.patch ++++++ From: Markus Armbruster <[email protected]> Date: Thu, 3 Nov 2011 10:39:23 +0100 Subject: [PATCH] ccid: Fix buffer overrun in handling of VSC_ATR message ATR size exceeding the limit is diagnosed, but then we merrily use it anyway, overrunning card->atr[]. The message is read from a character device. Obvious security implications unless the other end of the character device is trusted. Spotted by Coverity. Signed-off-by: Markus Armbruster <[email protected]> --- hw/ccid-card-passthru.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) 
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c index 2cbc81b..9f51c6c 100644 --- a/hw/ccid-card-passthru.c +++ b/hw/ccid-card-passthru.c @@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card, error_report("ATR size exceeds spec, ignoring"); ccid_card_vscard_send_error(card, scr_msg_header->reader_id, VSC_GENERAL_ERROR); + break; } memcpy(card->atr, data, scr_msg_header->length); card->atr_length = scr_msg_header->length; -- 1.7.6.4 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
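Review bot: the added `break;` at the end of the oversize-ATR branch in ccid_card_vscard_handle_message is the only thing that now keeps `memcpy(card->atr, data, scr_msg_header->length);` from copying a length the code has just diagnosed as too large, so the safety of the fix rests entirely on the comparison that guards this branch (outside the hunk context): please confirm that check rejects any `scr_msg_header->length` larger than `sizeof(card->atr)` and not only lengths above the protocol's nominal maximum, since nothing else bounds the copy. Two smaller points: `break` inside an `if` is only correct because this sits in a `switch` case, which is easy to miss on a later refactor, so a one-line comment ("reject the message, do not touch card->atr") or an early `return` would make the intent explicit; and the message is read from a character device, so a short note in the commit or code that the length is attacker-controlled input would help future readers see why the check is load-bearing.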
