On Wed, 2008-12-24 at 12:11 +0100, Aurelien Jarno wrote:
> Hi,
>
> qemu 0.9.1-9 fixes a remote DoS, please find the diff below. Could you
> please unblock it?

The same fix has also been applied to kvm in version kvm_72+dfsg-4.
Please unblock it, too.

Thanks,
Jan

diff -u kvm-72+dfsg/debian/changelog kvm-72+dfsg/debian/changelog
--- kvm-72+dfsg/debian/changelog
+++ kvm-72+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+kvm (72+dfsg-4) unstable; urgency=high
+
+  * debian/patches/core-2008-1210.patch: fix remote DoS via VNC
+    (CORE-2008-1210/CVE-2008-2382).
+
+ -- Jan Lübbe <[email protected]>  Wed, 24 Dec 2008 12:23:06 +0100
+
 kvm (72+dfsg-3) unstable; urgency=medium
 
   * Apply patch from qemu (62_fix-ptyblocking.patch) which fixes a lockup
diff -u kvm-72+dfsg/debian/patches/series kvm-72+dfsg/debian/patches/series
--- kvm-72+dfsg/debian/patches/series
+++ kvm-72+dfsg/debian/patches/series
@@ -16,0 +17 @@
+core-2008-1210.patch
only in patch2:
unchanged:
--- kvm-72+dfsg.orig/debian/patches/core-2008-1210.patch
+++ kvm-72+dfsg/debian/patches/core-2008-1210.patch
@@ -0,0 +1,27 @@
+Fix CORE-2008-1210 VNC DoS
+
+If the client sends us a limit of zero, handle appropriately.
+
+Signed-off-by: Anthony Liguori <[email protected]>
+
+diff --git qemu/vnc.c qemu/vnc.c
+index 3a7d762..575fd68 100644
+--- a/qemu/vnc.c
++++ b/qemu/vnc.c
+@@ -1503,10 +1503,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+     if (len == 1)
+         return 4;
+ 
+-    if (len == 4)
+-        return 4 + (read_u16(data, 2) * 4);
++    if (len == 4) {
++        limit = read_u16(data, 2);
++        if (limit > 0)
++            return 4 + (limit * 4);
++    } else
++        limit = read_u16(data, 2);
+ 
+-    limit = read_u16(data, 2);
+     for (i = 0; i < limit; i++) {
+         int32_t val = read_s32(data, 4 + (i * 4));
+         memcpy(data + 4 + (i * 4), &val, sizeof(val));
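Review bot: in the vnc.c hunk, `limit = read_u16(data, 2);` is now duplicated in both the `if (len == 4) {` branch and the brace-less `else` branch; a single read hoisted above the `if`, followed by `if (len == 4 && limit > 0) return 4 + (limit * 4);`, carries the same fix with one read and a consistent brace style. The fix itself is sound: the removed `return 4 + (read_u16(data, 2) * 4);` yields 4 when the client-supplied encoding count is zero, i.e. it asks for exactly the four bytes the function was just handed, so a zero count now falls through to the `for (i = 0; i < limit; i++)` loop, which runs zero times and lets the message be consumed. Worth noting in the changelog or patch header that the header length computation also relied on the client-controlled count being non-zero, since that is the condition the `limit > 0` guard encodes.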

