Subject: CVS commit: [pkgsrc-2015Q3] pkgsrc/emulators/qemu
From: Benny Siegert
Date: 2015-09-27 20:51:37
Message id: 20150927185137.C8BE798@cvs.netbsd.org

Log Message:
Pullup ticket #4820 - requested by ryoon
emulators/qemu: security fix

Revisions pulled up:
- emulators/qemu/Makefile                                       1.144
- emulators/qemu/distinfo                                       1.106

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Fri Sep 25 14:57:59 UTC 2015

   Modified Files:
           pkgsrc/emulators/qemu: Makefile distinfo

   Log Message:
   Update to 2.4.0.1

   Changelog:
   * net: avoid infinite loop when receiving packets (CVE-2015-5278)

   Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
   bytes to process network packets. While receiving packets
   via ne2000_receive() routine, a local 'index' variable
   could exceed the ring buffer size, leading to an infinite
   loop situation.

   Reported-by: Qinghao Tang <luodalongde@gmail.com>
   Signed-off-by: P J P <pjp@fedoraproject.org>
   Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
   (cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
   Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

   * net: add checks to validate ring buffer pointers (CVE-2015-5279)

   Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
   bytes to process network packets. While receiving packets
   via ne2000_receive() routine, a local 'index' variable
   could exceed the ring buffer size, which could lead to a
   memory buffer overflow. Added other checks at initialisation.

   Reported-by: Qinghao Tang <luodalongde@gmail.com>
   Signed-off-by: P J P <pjp@fedoraproject.org>
   Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
   (cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
   Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

   * e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

   While processing transmit descriptors, it could lead to an infinite
   loop if 'bytes' were to become zero. Add a check to avoid it.

   [The guest can force 'bytes' to 0 by setting the hdr_len and mss
   descriptor fields to 0.
   --Stefan]

   Signed-off-by: P J P <pjp@fedoraproject.org>
   Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
   Reviewed-by: Thomas Huth <thuth@redhat.com>
   Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
   (cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
   Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

   * vnc: fix memory corruption (CVE-2015-5225)

   The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
   memory corruption issues" can become negative.  Result is (possibly
   exploitable) memory corruption.  Reason for that is it uses the stride
   instead of bytes per scanline to apply limits.

   For the server surface it is actually fine.  vnc creates that itself,
   there is never any padding and thus scanline length always equals stride.

   For the guest surface scanline length and stride are typically identical
   too, but it doesn't have to be that way.  So add and use a new variable
   (guest_ll) for the guest scanline length.  Also rename min_stride to
   line_bytes to make it clearer what it actually is.  Finally sprinkle
   in an assert() to make sure we never use a negative _cmp_bytes again.

   Reported-by: 范祚至(库特) <zuozhi.fzz@alibaba-inc.com>
   Reviewed-by: P J P <ppandit@redhat.com>
   Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
   (cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
   Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

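The ring-pointer validation the two Ne2000 entries above describe, as an added C model (not QEMU's code and not part of this commit): the start/stop/current page pointers are checked before any copy, and the receive loop wraps inside the buffer instead of running past it or spinning. NE2000_MEM_SIZE is the value named in the changelog; the 256-byte page size, the field names, the page*256 memory layout and the ring_t/ring_receive names are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define NE2000_MEM_SIZE 49152   /* ring size named in the changelog */
#define PAGE_SIZE       256     /* NE2000 pages are 256 bytes */
/* Modelled receive ring; memory is indexed as page*256 (simplified layout). */
typedef struct {
    uint8_t start, stop, curpag;   /* first page, one-past-last page, write page */
    uint8_t mem[NE2000_MEM_SIZE];
} ring_t;
/* Pointer check of the kind the CVE-2015-5279 entry describes: a non-empty window inside mem[]. */
static bool ring_valid(const ring_t *r)
{
    size_t start = (size_t)r->start * PAGE_SIZE, stop = (size_t)r->stop * PAGE_SIZE;
    size_t cur = (size_t)r->curpag * PAGE_SIZE;
    return start < stop && stop <= NE2000_MEM_SIZE && cur >= start && cur < stop;
}
/* Copy one packet into the ring, wrapping at stop. Returns bytes stored or -1. */
static int ring_receive(ring_t *r, const uint8_t *pkt, size_t len)
{
    if (!ring_valid(r) || len == 0 || len > (size_t)(r->stop - r->start) * PAGE_SIZE)
        return -1;                                  /* reject instead of overrunning */
    size_t start = (size_t)r->start * PAGE_SIZE, stop = (size_t)r->stop * PAGE_SIZE;
    size_t index = (size_t)r->curpag * PAGE_SIZE, done = 0;
    while (done < len) {
        size_t n = len - done < stop - index ? len - done : stop - index;
        memcpy(r->mem + index, pkt + done, n);      /* n >= 1, so the loop terminates */
        done += n; index += n;
        if (index >= stop) index = start;           /* wrap stays inside mem[] */
    }
    size_t next = (index + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;  /* next page boundary */
    r->curpag = (uint8_t)((next >= stop ? start : next) / PAGE_SIZE);
    return (int)len;
}
/* Constructed scenario: a 3000-byte packet 8 pages before the end of a 64-page ring wraps; returns next page (68). */
static int demo_wrap(void)
{
    static ring_t r = { .start = 64, .stop = 128, .curpag = 120 };
    static uint8_t pkt[3000];
    for (size_t i = 0; i < sizeof pkt; i++) pkt[i] = (uint8_t)(i + 1);
    if (ring_receive(&r, pkt, sizeof pkt) != 3000) return -1;
    return r.mem[64 * PAGE_SIZE] == pkt[2048] ? r.curpag : -2;  /* wrapped byte at start */
}
/* Constructed scenario: a stop page beyond the ring memory is refused (-1). */
static int demo_bad_pointers(void)
{
    static ring_t r = { .start = 64, .stop = 200, .curpag = 64 };  /* 200*256 > mem size */
    return ring_receive(&r, r.mem, 64);   /* pointer check fails before any copy */
}
```
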
Files:
Revision    Action   File
1.143.2.1   modify   pkgsrc/emulators/qemu/Makefile
1.105.2.1   modify   pkgsrc/emulators/qemu/distinfo