Index: emulators/qemu-devel/Makefile =================================================================== --- emulators/qemu-devel/Makefile +++ emulators/qemu-devel/Makefile @@ -3,6 +3,7 @@ PORTNAME= qemu PORTVERSION= 2.4.0 +PORTREVISION= 1 CATEGORIES= emulators MASTER_SITES= http://wiki.qemu.org/download/:release \ LOCAL/nox:snapshot Index: emulators/qemu-devel/files/patch-CVE-2015-5225 =================================================================== --- /dev/null +++ emulators/qemu-devel/files/patch-CVE-2015-5225 @@ -0,0 +1,50 @@ +diff --git a/ui/vnc.c b/ui/vnc.c +index e26973a..caf82f5 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -2872,7 +2872,7 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + pixman_image_get_width(vd->server)); + int height = MIN(pixman_image_get_height(vd->guest.fb), + pixman_image_get_height(vd->server)); +- int cmp_bytes, server_stride, min_stride, guest_stride, y = 0; ++ int cmp_bytes, server_stride, line_bytes, guest_ll, guest_stride, y = 0; + uint8_t *guest_row0 = NULL, *server_row0; + VncState *vs; + int has_dirty = 0; +@@ -2891,17 +2891,21 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + * Update server dirty map. + */ + server_row0 = (uint8_t *)pixman_image_get_data(vd->server); +- server_stride = guest_stride = pixman_image_get_stride(vd->server); ++ server_stride = guest_stride = guest_ll = ++ pixman_image_get_stride(vd->server); + cmp_bytes = MIN(VNC_DIRTY_PIXELS_PER_BIT * VNC_SERVER_FB_BYTES, + server_stride); + if (vd->guest.format != VNC_SERVER_FB_FORMAT) { + int width = pixman_image_get_width(vd->server); + tmpbuf = qemu_pixman_linebuf_create(VNC_SERVER_FB_FORMAT, width); + } else { ++ int guest_bpp = ++ PIXMAN_FORMAT_BPP(pixman_image_get_format(vd->guest.fb)); + guest_row0 = (uint8_t *)pixman_image_get_data(vd->guest.fb); + guest_stride = pixman_image_get_stride(vd->guest.fb); ++ guest_ll = pixman_image_get_width(vd->guest.fb) * ((guest_bpp + 7) / 8); + } +- min_stride = MIN(server_stride, guest_stride); ++ line_bytes = MIN(server_stride, guest_ll); + + for (;;) { + int x; +@@ -2932,9 +2936,10 @@ static int vnc_refresh_server_surface(VncDisplay *vd) + if (!test_and_clear_bit(x, vd->guest.dirty[y])) { + continue; + } +- if ((x + 1) * cmp_bytes > min_stride) { +- _cmp_bytes = min_stride - x * cmp_bytes; ++ if ((x + 1) * cmp_bytes > line_bytes) { ++ _cmp_bytes = line_bytes - x * cmp_bytes; + } ++ assert(_cmp_bytes >= 0); + if (memcmp(server_ptr, guest_ptr, _cmp_bytes) == 0) { + continue; + } Index: emulators/qemu-devel/files/patch-CVE-2015-5278 =================================================================== --- /dev/null +++ emulators/qemu-devel/files/patch-CVE-2015-5278 @@ -0,0 +1,13 @@ +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 3798a3b..010f9ef 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -247,7 +247,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + if (index <= s->stop) + avail = s->stop - index; + else +- avail = 0; ++ break; + len = size; + if (len > avail) + len = avail; Index: emulators/qemu-devel/files/patch-CVE-2015-5279 =================================================================== --- /dev/null +++ emulators/qemu-devel/files/patch-CVE-2015-5279 @@ -0,0 +1,48 @@ +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 53c704a..3798a3b 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -221,6 +221,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + } + + index = s->curpag << 8; ++ if (index >= NE2000_PMEM_END) { ++ index = s->start; ++ } + /* 4 bytes for header */ + total_len = size + 4; + /* address for next packet (4 bytes for CRC) */ +@@ -306,13 +309,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + offset = addr | (page << 4); + switch(offset) { + case EN0_STARTPG: +- s->start = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->start = val << 8; ++ } + break; + case EN0_STOPPG: +- s->stop = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->stop = val << 8; ++ } + break; + case EN0_BOUNDARY: +- s->boundary = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->boundary = val; ++ } + break; + case EN0_IMR: + s->imr = val; +@@ -353,7 +362,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + s->phys[offset - EN1_PHYS] = val; + break; + case EN1_CURPAG: +- s->curpag = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->curpag = val; ++ } + break; + case EN1_MULT ... EN1_MULT + 7: + s->mult[offset - EN1_MULT] = val; Index: emulators/qemu-devel/files/patch-CVE-2015-6815 =================================================================== --- /dev/null +++ emulators/qemu-devel/files/patch-CVE-2015-6815 @@ -0,0 +1,14 @@ +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index 5c6bcd0..09c9e9d 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -740,7 +740,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp) + memmove(tp->data, tp->header, tp->hdr_len); + tp->size = tp->hdr_len; + } +- } while (split_size -= bytes); ++ split_size -= bytes; ++ } while (bytes && split_size); + } else if (!tp->tse && tp->cptse) { + // context descriptor TSE is not set, while data descriptor TSE is set + DBGOUT(TXERR, "TCP segmentation error\n"); Index: emulators/qemu-devel/files/patch-CVE-2015-6855 =================================================================== --- /dev/null +++ emulators/qemu-devel/files/patch-CVE-2015-6855 @@ -0,0 +1,60 @@ +--- a/hw/ide/core.c.orig 2015-09-17 17:14:36 UTC ++++ b/hw/ide/core.c +@@ -1747,11 +1747,11 @@ static const struct { + } ide_cmd_table[0x100] = { + /* NOP not implemented, mandatory for CD */ + [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, +- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, ++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, + [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, + [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, + [WIN_READ] = { cmd_read_pio, ALL_OK }, +- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, ++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, + [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, +@@ -1770,11 +1770,11 @@ static const struct { + [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, + [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, + [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, +- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, ++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, + [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, + [WIN_PACKETCMD] = { cmd_packet, CD_OK }, + [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, +@@ -1789,19 +1789,19 @@ static const struct { + [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, + [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, + [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, +- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, + [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, + [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, + [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, + [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, + [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, + [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, +- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC }, ++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, + }; + + static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) Index: security/vuxml/vuln.xml =================================================================== --- security/vuxml/vuln.xml +++ security/vuxml/vuln.xml @@ -58,6 +58,47 @@ --> + + qemu -- multiple vulnerabilities + + + qemu-devel + 2.4.0_1 + + + + +

oss-sec reports:

+
+

Multiple vulnerabilities summarized below:

+
    +
  • CVE-2015-5225: vnc display driver buffer overflow
    • +
  • CVE-2015-5278: NE2000 infinite loop DoS
    • +
  • CVE-2015-5279: NE2000 heap buffer overflow
    • +
  • CVE-2015-6815: E1000 infinite loop DoS
    • +
  • CVE-2015-6855: ide divide by zero DoS
    • +
+
+ + + + http://seclists.org/oss-sec/2015/q3/418 + http://seclists.org/oss-sec/2015/q3/548 + http://seclists.org/oss-sec/2015/q3/549 + http://seclists.org/oss-sec/2015/q3/496 + http://seclists.org/oss-sec/2015/q3/531 + CVE-2015-5225 + CVE-2015-5278 + CVE-2015-5279 + CVE-2015-6815 + CVE-2015-6855 + + + 2015-09-09 + 2015-09-17 + + + shutter -- arbitrary code execution