31905d81fa
xen-4.6.1-testing-src.tar.bz2 - Dropped patches now contained in tarball or unnecessary xen-4.6.0-testing-src.tar.bz2 5604f239-x86-PV-properly-populate-descriptor-tables.patch 561bbc8b-VT-d-don-t-suppress-invalidation-address-write-when-it-is-zero.patch 561d2046-VT-d-use-proper-error-codes-in-iommu_enable_x2apic_IR.patch 561d20a0-x86-hide-MWAITX-from-PV-domains.patch 561e3283-x86-NUMA-fix-SRAT-table-processor-entry-parsing-and-consumption.patch 5632118e-arm-Support-hypercall_create_continuation-for-multicall.patch 56321222-arm-rate-limit-logging-from-unimplemented-PHYSDEVOP-and-HVMOP.patch 56321249-arm-handle-races-between-relinquish_memory-and-free_domheap_pages.patch 5632127b-x86-guard-against-undue-super-page-PTE-creation.patch 5632129c-free-domain-s-vcpu-array.patch 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch 563212e4-xenoprof-free-domain-s-vcpu-array.patch 563212ff-x86-rate-limit-logging-in-do_xen-oprof-pmu-_op.patch 56323737-libxl-adjust-PoD-target-by-memory-fudge-too.patch 56377442-x86-PoD-Make-p2m_pod_empty_cache-restartable.patch 5641ceec-x86-HVM-always-intercept-AC-and-DB.patch 56549f24-x86-vPMU-document-as-unsupported.patch 5677f350-x86-make-debug-output-consistent-in-hvm_set_callback_via.patch xen-4.6.0-testing-src.tar.bz2 xsa155-qemut-qdisk-double-access.patch xsa155-qemut-xenfb.patch xsa155-qemuu-qdisk-double-access.patch xsa155-qemuu-xenfb.patch xsa159.patch xsa160.patch xsa162-qemut.patch OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=399
References: bsc#962627 CVE-2014-7815
Subject: vnc: sanitize bits_per_pixel from the client
From: Petr Matousek pmatouse@redhat.com Mon Oct 27 12:41:44 2014 +0100
Date: Tue Oct 28 11:51:04 2014 +0100:
Git: e6908bfe8e07f2b452e78e677da1b45b1c0f6829
bits_per_pixel that are less than 8 could result in accessing
non-initialized buffers later in the code due to the expectation
that bytes_per_pixel value that is used to initialize these buffers is
never zero.
To fix this check that bits_per_pixel from the client is one of the
values that the rfb protocol specification allows.
This is CVE-2014-7815.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
[ kraxel: apply codestyle fix ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
===================================================================
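--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/vnc.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/vnc.c
@@ -1643,6 +1643,16 @@ static void set_pixel_format(VncState *v
 return;
 }
 
+ switch (bits_per_pixel) {
+ case 8:
+ case 16:
+ case 32:
+ break;
+ default:
+ vnc_client_error(vs);
+ return;
+ }
+
 vs->clientds = vs->serverds;
 vs->clientds.pf.rmax = red_max ? red_max : 0xFF;
 count_bits(vs->clientds.pf.rbits, red_max);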
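Review bot: The new `switch (bits_per_pixel)` has no comment saying why only 8, 16 and 32 are accepted, so the link to the derived bytes-per-pixel value is easy to lose in a later edit. I would put `/* RFB allows only 8, 16 or 32 bpp; values below 8 make bytes_per_pixel zero and leave buffers uninitialised (CVE-2014-7815) */` directly above it. The context line after the switch uses `red_max`, presumably from the same client message, and only substitutes 0xFF when it is zero. Whether the remaining max and shift fields are range-checked is not visible in this hunk and is worth confirming alongside this fix. set_pixel_format starts before the hunk and continues after it.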