Hi all,

I would like to send a debdiff file of qemu for review. This patch aims to fix CVE-2014-3689 and CVE-2014-3640.

For the packaging test, I followed the steps listed in:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#sanitycheck
Only one error occurs when running lintian: bad distribution squeeze-lts. However, I cannot find test cases for these two CVEs, so please test the update for me. I hope everything goes fine, since the vulnerable code is small and easy to back-port.

A few notes for the announcement:

Multiple vulnerabilities have been found in qemu:

CVE-2014-3640: Sending a UDP packet with a 0 value in the source port and address could trigger access to an uninitialized socket.

CVE-2014-3689: An unspecified parameter related to rectangle handling could allow a guest user to write to qemu memory locations and gain privileges.

Thanks and best regards,
CongNT

--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel: +84-4-2220 8801 (Ext. 208)
e-mail: [email protected]
=====================================================================
diff -u qemu-0.12.5+dfsg/debian/changelog qemu-0.12.5+dfsg/debian/changelog --- qemu-0.12.5+dfsg/debian/changelog +++ qemu-0.12.5+dfsg/debian/changelog @@ -1,3 +1,19 @@ +qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=low + + * Non-maintainer upload by the Debian LTS team. + * Turn off hardware acceleration functions which lack of sanity + check. This fix problem reported in CVE-2014-3689. + Refer to: + http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc + + * slirp: udp: fix NULL pointer dereference because of + uninitialized socket. This fix problem reported in + CVE-2014-3640. + Refer to: + https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a + + -- Nguyen Cong <[email protected]> Mon, 23 Mar 2015 13:25:32 +0700 + qemu (0.12.5+dfsg-3squeeze4) squeeze-security; urgency=high * fix guest-triggerable buffer overrun in virtio-net device diff -u qemu-0.12.5+dfsg/debian/patches/series qemu-0.12.5+dfsg/debian/patches/series --- qemu-0.12.5+dfsg/debian/patches/series +++ qemu-0.12.5+dfsg/debian/patches/series @@ -12,0 +13,2 @@ +CVE-2014-3640.patch +CVE-2014-3689.patch only in patch2: unchanged: --- qemu-0.12.5+dfsg.orig/debian/patches/CVE-2014-3640.patch +++ qemu-0.12.5+dfsg/debian/patches/CVE-2014-3640.patch 
@@ -0,0 +1,29 @@ +Description: Fix NUll pointer dereference because of uninitialized socket + When guest sends udp packet with source port and source addr 0, + uninitialized socket is picked up when looking for matching and already + created udp sockets, and later passed to sosendto() where NULL pointer + dereference is hit during so->slirp->vnetwork_mask.s_addr access. + Fix this by checking that the socket is not just a socket stub. + This is CVE-2014-3640. +Author: Petr Matousek <[email protected]> +Origin: upstream, URL: https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a +Bug-Debian: 762532 +Applied-Upstream: https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a +Reviewed-by: + Jan Kiszka <[email protected]> + Michael S. Tsirkin <[email protected]> + Michael Tokarev <[email protected]> +Last-Update: 2015-03-23 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/slirp/udp.c ++++ b/slirp/udp.c +@@ -141,7 +141,7 @@ udp_input(register struct mbuf *m, int i + * Locate pcb for datagram. + */ + so = slirp->udp_last_so; +- if (so->so_lport != uh->uh_sport || ++ if (so == &slirp->udb || so->so_lport != uh->uh_sport || + so->so_laddr.s_addr != ip->ip_src.s_addr) { + struct socket *tmp; + only in patch2: unchanged: --- qemu-0.12.5+dfsg.orig/debian/patches/CVE-2014-3689.patch +++ qemu-0.12.5+dfsg/debian/patches/CVE-2014-3689.patch 
@@ -0,0 +1,22 @@ +Description: Compile out the hardware acceleration functions + Hardware acceleration functions which lack sanity checks have + been compiled out. +Author: Gerd Hoffmann <[email protected]> +Origin: upstream<URL:http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc> +Bug-Debian: 765496 +Last-Update: 2015-03-23 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/hw/vmware_vga.c ++++ b/hw/vmware_vga.c +@@ -29,8 +29,10 @@ + + #define VERBOSE + #undef DIRECT_VRAM ++#if 0 + #define HW_RECT_ACCEL + #define HW_FILL_ACCEL ++#endif + #define HW_MOUSE_ACCEL + + # include "vga_int.h"
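Review bot: in the debian/changelog hunk, the new 0.12.5+dfsg-3squeeze5 entry is marked urgency=low although it fixes two CVEs, while the preceding 3squeeze4 squeeze-security entry uses urgency=high; security uploads are conventionally urgency=high. The entry also never references the Debian bugs that the two patch headers cite (Bug-Debian: 762532 and Bug-Debian: 765496); adding `(Closes: #765496)` to the CVE-2014-3689 bullet and `(Closes: #762532)` to the CVE-2014-3640 bullet lets the BTS close them on upload. Minor wording: "which lack of sanity check. This fix problem" reads better as "which lack sanity checks. This fixes the problem".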
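Review bot: in debian/patches/CVE-2014-3640.patch the DEP-3 header spells "NUll" in the Description, and the same commit URL appears in both `Origin: upstream, URL: ...` and `Applied-Upstream: ...`; for a patch cherry-picked from upstream `Origin: upstream, https://github.com/qemu/qemu/commit/01f7cecf...` alone is enough, and the `Reviewed-by:` block is an upstream commit trailer rather than a DEP-3 field, so it belongs in the free-form Description text if kept. The one-line change in slirp/udp.c matches the Description: udp_last_so points at the list head &slirp->udb until a first UDP socket exists, the head's zeroed so_lport/so_laddr compare equal to a datagram with source port 0 and source address 0, and the head carries no valid back-pointer for the later sosendto() access, so guarding the fast path with `so == &slirp->udb` is the right check. Please confirm that 0.12.5's udp_init() initialises udp_last_so to &slirp->udb as in upstream, since the cover letter says no test case was run; a guest-side datagram with source port 0 and source address 0 over user-mode networking, as the Description itself spells out, is the obvious smoke test.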
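Review bot: in debian/patches/CVE-2014-3689.patch the `Origin: upstream<URL:http://git.qemu.org/...>` line is malformed DEP-3 and should read `Origin: upstream, http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc`. In the hw/vmware_vga.c hunk the file already disables a feature two lines up with `#undef DIRECT_VRAM`; replacing the two `#define` lines with `#undef HW_RECT_ACCEL` and `#undef HW_FILL_ACCEL` (or deleting them) would follow the file's own convention instead of wrapping them in `#if 0`/`#endif`. Since the fix relies entirely on these macros, please confirm in the rest of hw/vmware_vga.c that every SVGA_CMD_RECT_COPY / SVGA_CMD_RECT_FILL handler and the matching capability bits are under the same `#ifdef HW_RECT_ACCEL` / `#ifdef HW_FILL_ACCEL` guards, so the guest is told the accelerations are unavailable rather than having those FIFO commands accepted by an unguarded path. HW_MOUSE_ACCEL stays defined; the changelog only mentions rectangle handling, so please confirm that the cursor-definition path is not part of the upstream change being backported.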
Format: 1.8
Date: Mon, 23 Mar 2015 13:25:32 +0700
Source: qemu
Binary: qemu qemu-keymaps qemu-system qemu-user qemu-user-static qemu-utils libqemu-dev
Architecture: source all i386
Version: 0.12.5+dfsg-3squeeze5
Distribution: squeeze-lts
Urgency: low
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Nguyen Cong <[email protected]>
Description:
 libqemu-dev - static libraries and headers for QEMU
 qemu       - fast processor emulator
 qemu-keymaps - QEMU keyboard maps
 qemu-system - QEMU full system emulation binaries
 qemu-user  - QEMU user mode emulation binaries
 qemu-user-static - QEMU user mode emulation binaries (static version)
 qemu-utils - QEMU utilities
Changes:
 qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=low
 .
   * Non-maintainer upload by the Debian LTS team.
   * Turn off hardware acceleration functions which lack of sanity
     check. This fix problem reported in CVE-2014-3689.
     Refer to:
     http://git.qemu.org/?p=qemu.git;a=commitdiff;h=83afa38eb20ca27e30683edc7729880e091387fc
 .
   * slirp: udp: fix NULL pointer dereference because of
     uninitialized socket. This fix problem reported in
     CVE-2014-3640.
     Refer to:
     https://github.com/qemu/qemu/commit/01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
Checksums-Sha1:
 9f414fe2f78afab88c73b3fbd4893269a5f4d58a 1772 qemu_0.12.5+dfsg-3squeeze5.dsc
 d59a4b0eeacb926ddf4f52f172239dd997ef97a5 49305 qemu_0.12.5+dfsg-3squeeze5.diff.gz
 e65c66079a3888e51d97cfc7bb3e95ba7d4ec89b 49516 qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 eff2593824f99efd8ab3b733a9d79765ef76ff06 106578 qemu_0.12.5+dfsg-3squeeze5_i386.deb
 e728ed2081a0deb1c53232194c1b6d7f6d320b53 12292366 qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 70c09f197b42382613473630e835df42ce28564b 4205896 qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 43e631f74963fe87be12867d55a8702a0149f322 8911772 qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 57a1ce391d39c7ceff2e47b84277da4a9d89accf 367936 qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 d42be63c5aec90260210b3cc9018297c6230781b 5020566 libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
Checksums-Sha256:
 cba3413af6d9c18c187e0258bae6569ea19c19e4d994fdf879e435d319d0b480 1772 qemu_0.12.5+dfsg-3squeeze5.dsc
 c3c1c78803ef7bea7f80b8fe139c5e2fb137db35f733b6b57a3dcd113555c78b 49305 qemu_0.12.5+dfsg-3squeeze5.diff.gz
 b2e5ac195f2ac794f59091e2d5c3eeb49631b5d2fa631c7953b831b53a74f0d1 49516 qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 8821e5b4cbf128e0df32042df3859b25db3fb55ec1872dbd570e15785303a4cf 106578 qemu_0.12.5+dfsg-3squeeze5_i386.deb
 a3cd06b2cd4d63414e8e744cd5ea908422da83f45468b2de79245b71072c1e3b 12292366 qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 e4c70a35675e5e62aadf5847450c5557680dc915cb60a73aff0d72453b75d659 4205896 qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 211d4785ed5c4c1a89d27067f8b19c37d272c60e6e65f88a365eedd961a8a619 8911772 qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 7f3e14b6f1c21b41260c28332ee4b888b5e1ca9a692dd595206d55067e678c91 367936 qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 b8cf5c9981a4ac94d485709c6bf4a1b4214f23477ba6f3114b96c39c0e11c2f3 5020566 libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
Files:
 808591c5839342bffd19d4df19ebf3ca 1772 misc optional qemu_0.12.5+dfsg-3squeeze5.dsc
 adf587d57f58e07a936555511c8290e6 49305 misc optional qemu_0.12.5+dfsg-3squeeze5.diff.gz
 ee53d7e14b7cc81172f83ab86f2629ff 49516 misc optional qemu-keymaps_0.12.5+dfsg-3squeeze5_all.deb
 09ea3d131493abab9328a20716be8c12 106578 misc optional qemu_0.12.5+dfsg-3squeeze5_i386.deb
 3f3bdf8cc4b03a3d92e57a4f9c00a8bf 12292366 misc optional qemu-system_0.12.5+dfsg-3squeeze5_i386.deb
 34f4a96899a7aa25cdfd7232ea635f7e 4205896 misc optional qemu-user_0.12.5+dfsg-3squeeze5_i386.deb
 fd4fc5037e5d01f60d1a1e537c3c6667 8911772 misc optional qemu-user-static_0.12.5+dfsg-3squeeze5_i386.deb
 69f4896b3f34272a97db19381fdb22fc 367936 misc optional qemu-utils_0.12.5+dfsg-3squeeze5_i386.deb
 6cfaadea24f005fe3b6d28d31086eb3c 5020566 libdevel optional libqemu-dev_0.12.5+dfsg-3squeeze5_i386.deb
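The CVE-2014-3640 patch header in the debdiff above describes the lookup failure in prose. The C program below is an added illustration of that mechanism; it is not part of the debdiff or of QEMU, and it is a simplified model, not slirp's code. The names udb, udp_last_so, so_lport, so_laddr, udp_init, udp_attach and sosendto are borrowed from slirp for recognisability; the struct layouts, udp_scan, sosendto_would_crash and the 10.0.2.2:53 sample socket are constructed for the example. It shows why, on a fresh instance, a datagram with source port 0 and source address 0 makes the pre-fix fast path hand back the list head (its zeroed fields compare equal and its back-pointer is NULL), and that the one-line `so == &slirp->udb` guard from the patch closes that without breaking ordinary lookups.

```c
/* Added example, not from the debdiff or QEMU: a simplified model of the
 * slirp UDP socket cache lookup fixed for CVE-2014-3640. Names mirror slirp's
 * for recognisability; the structures are stand-ins, and real slirp creates a
 * new socket on a lookup miss instead of returning NULL. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct slirp;

struct socket {
    struct socket *so_next, *so_prev;
    uint16_t       so_lport;   /* guest-side source port */
    uint32_t       so_laddr;   /* guest-side source address */
    struct slirp  *slirp;      /* back-pointer; NULL on the list head */
};

struct slirp {
    struct socket  udb;          /* circular list head, never a real socket */
    struct socket *udp_last_so;  /* one-entry cache for the last match */
    uint32_t       vnetwork_mask;
};

/* Empty list; the cache starts out pointing at the head, as in slirp. */
static void udp_init(struct slirp *s)
{
    memset(s, 0, sizeof(*s));
    s->udb.so_next = s->udb.so_prev = &s->udb;
    s->udp_last_so = &s->udb;
    s->vnetwork_mask = 0xffffff00u;
}

static void udp_attach(struct slirp *s, struct socket *so,
                       uint16_t lport, uint32_t laddr)
{
    memset(so, 0, sizeof(*so));
    so->so_lport = lport;
    so->so_laddr = laddr;
    so->slirp = s;
    so->so_next = s->udb.so_next;
    so->so_prev = &s->udb;
    s->udb.so_next->so_prev = so;
    s->udb.so_next = so;
}

/* Slow path: walk the list, NULL on miss (real slirp would udp_attach here). */
static struct socket *udp_scan(struct slirp *s, uint16_t sport, uint32_t src)
{
    struct socket *so;
    for (so = s->udb.so_next; so != &s->udb; so = so->so_next)
        if (so->so_lport == sport && so->so_laddr == src)
            return so;
    return NULL;
}

/* Pre-fix fast path: trusts udp_last_so after a field comparison only.
 * The head's zeroed fields match a datagram with source port 0 / address 0. */
static struct socket *udp_lookup_vuln(struct slirp *s, uint16_t sport, uint32_t src)
{
    struct socket *so = s->udp_last_so;
    if (so->so_lport != sport || so->so_laddr != src) {
        so = udp_scan(s, sport, src);
        if (so)
            s->udp_last_so = so;
    }
    return so;
}

/* Post-fix fast path: the cached pointer is only trusted if it is not the head. */
static struct socket *udp_lookup_fixed(struct slirp *s, uint16_t sport, uint32_t src)
{
    struct socket *so = s->udp_last_so;
    if (so == &s->udb || so->so_lport != sport || so->so_laddr != src) {
        so = udp_scan(s, sport, src);
        if (so)
            s->udp_last_so = so;
    }
    return so;
}

/* Stand-in for sosendto()'s so->slirp->vnetwork_mask access: reports whether
 * that access would dereference NULL instead of performing it. */
static int sosendto_would_crash(const struct socket *so)
{
    return so != NULL && so->slirp == NULL;
}

/* 1 if looking up a (port 0, address 0) datagram on a fresh instance hands
 * back the list head, i.e. the crash condition; 0 otherwise. */
int lookup_returns_head(int fixed)
{
    struct slirp s;
    udp_init(&s);
    struct socket *so = fixed ? udp_lookup_fixed(&s, 0, 0)
                              : udp_lookup_vuln(&s, 0, 0);
    return so == &s.udb && sosendto_would_crash(so);
}

/* 1 if an ordinary datagram still finds its socket and refreshes the cache. */
int lookup_finds_real_socket(int fixed)
{
    struct slirp s;
    struct socket dns;
    udp_init(&s);
    udp_attach(&s, &dns, 53, 0x0a000202u);   /* constructed sample: 10.0.2.2:53 */
    struct socket *so = fixed ? udp_lookup_fixed(&s, 53, 0x0a000202u)
                              : udp_lookup_vuln(&s, 53, 0x0a000202u);
    return so == &dns && s.udp_last_so == &dns;
}

int main(void)
{
    printf("pre-fix lookup returns list head:  %d\n", lookup_returns_head(0));
    printf("post-fix lookup returns list head: %d\n", lookup_returns_head(1));
    printf("post-fix normal lookup works:      %d\n", lookup_finds_real_socket(1));
    return 0;
}
```

The point of the model is that the cache pointer and the list head share a type, so a field comparison alone cannot tell them apart once the head's fields are all zero; the fix compares identity, not contents.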
