VNC: infinite loop in inflate_buffer() leads to denial of service References: https://nvd.nist.gov/vuln/detail/CVE-2023-3255
Upstream patches: https://gitlab.com/qemu-project/qemu/-/commit/d921fea338c1059a27ce7b75309d7a2e485f710b Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> --- meta/recipes-devtools/qemu/qemu.inc | 1 + .../qemu/qemu/CVE-2023-3255.patch | 64 +++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index d5d210194b..83959f3c68 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -95,6 +95,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0001-hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch \ file://CVE-2023-0330.patch \ file://CVE-2023-3301.patch \ + file://CVE-2023-3255.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch new file mode 100644 index 0000000000..f030df111f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-3255.patch @@ -0,0 +1,64 @@ +From d921fea338c1059a27ce7b75309d7a2e485f710b Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcasc...@redhat.com> +Date: Tue, 4 Jul 2023 10:41:22 +0200 +Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer + (CVE-2023-3255) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A wrong exit condition may lead to an infinite loop when inflating a +valid zlib buffer containing some extra bytes in the `inflate_buffer` +function. The bug only occurs post-authentication. Return the buffer +immediately if the end of the compressed data has been reached +(Z_STREAM_END). + +Fixes: CVE-2023-3255 +Fixes: 0bf41cab ("ui/vnc: clipboard support") +Reported-by: Kevin Denis <kevin.de...@synacktiv.com> +Signed-off-by: Mauro Matteo Cascella <mcasc...@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com> +Tested-by: Marc-André Lureau <marcandre.lur...@redhat.com> +Message-ID: <20230704084210.101822-1-mcasc...@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/d921fea338c1059a27ce7b75309d7a2e485f710b] + +CVE: CVE-2023-3255 + +Signed-off-by: Archana Polampalli <archana.polampa...@windriver.com> + +--- + ui/vnc-clipboard.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c +index 8aeadfaa21..c759be3438 100644 +--- a/ui/vnc-clipboard.c ++++ b/ui/vnc-clipboard.c +@@ -50,8 +50,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + ret = inflate(&stream, Z_FINISH); + switch (ret) { + case Z_OK: +- case Z_STREAM_END: + break; ++ case Z_STREAM_END: ++ *size = stream.total_out; ++ inflateEnd(&stream); ++ return out; + case Z_BUF_ERROR: + out_len <<= 1; + if (out_len > (1 << 20)) { +@@ -66,11 +69,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size) + } + } + +- *size = stream.total_out; +- inflateEnd(&stream); +- +- return out; +- + err_end: + inflateEnd(&stream); + err: +-- +2.40.0 -- 2.40.0
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#185189): https://lists.openembedded.org/g/openembedded-core/message/185189 Mute This Topic: https://lists.openembedded.org/mt/100477151/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-