diff --git a/CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch b/CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
new file mode 100644
index 0000000..1959a4d
--- /dev/null
+++ b/CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
@@ -0,0 +1,36 @@
+Subject: slirp: udp: fix NULL pointer dereference because of uninitialized socket
+From: Petr Matousek pmatouse@redhat.com Thu Sep 18 08:35:37 2014 +0200
+Date: Tue Sep 23 19:15:05 2014 +0100:
+Git: 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+
+Signed-off-by: Petr Matousek
+Reported-by: Xavier Mehrenberger
+Reported-by: Stephane Duverger
+Reviewed-by: Jan Kiszka
+Reviewed-by: Michael S. Tsirkin
+Reviewed-by: Michael Tokarev
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+@@ -168,7 +168,7 @@ udp_input(m, iphlen)
+ * Locate pcb for datagram.
+ */
+ so = udp_last_so;
+- if (so->so_lport != uh->uh_sport ||
++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+ so->so_laddr.s_addr != ip->ip_src.s_addr) {
+ struct socket *tmp;
+
diff --git a/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch b/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
new file mode 100644
index 0000000..4b0fe54
--- /dev/null
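Review bot: The added guard `so == &slirp->udb` needs a `slirp` pointer in scope inside udp_input(), and nothing in this hunk shows one being declared. The hunk header still carries the K&R-style `udp_input(m, iphlen)` signature, which suggests (not confirmed from here) the older slirp code where the UDP list head is a file-scope object; in that case the backport would have to read `if (so == &udb || so->so_lport != uh->uh_sport ||`. The function body starts and ends outside the hunk, so the qemu-xen-traditional tree should be compiled with this patch applied before the CVE is considered closed for that device model.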
+++ b/CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
@@ -0,0 +1,54 @@
+Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0
+From: Ronnie Sahlberg ronniesahlberg@gmail.com Tue Jul 31 11:28:26 2012 +1000
+Date: Wed Sep 12 15:50:09 2012 +0200:
+Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109
+
+The START STOP UNIT command will only eject/load media if
+power condition is zero.
+
+If power condition is !0 then LOEJ and START will be ignored.
+
+From MMC (sbc contains similar wordings too)
+ The Power Conditions field requests the block device to be placed
+ in the power condition defined in
+ Table 558. If this field has a value other than 0h then the Start
+ and LoEj bits shall be ignored.
+
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Kevin Wolf
+
+From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 3 Jun 2015 14:17:46 +0200
+Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
+
+The command must be completed on all code paths. START STOP UNIT with
+pwrcnd set should succeed without doing anything.
+
+Signed-off-by: Kevin Wolf
+---
+ hw/ide/atapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+@@ -2098,9 +2098,16 @@ static void ide_atapi_cmd(IDEState *s)
+ break;
+ case GPCMD_START_STOP_UNIT:
+ {
+- int start, eject;
++ int start, eject, pwrcnd;
+ start = packet[4] & 1;
+ eject = (packet[4] >> 1) & 1;
++ pwrcnd = buf[4] & 0xf0;
++
++ if (pwrcnd) {
++ /* eject/load only happens for power condition == 0 */
++ ide_atapi_cmd_ok(s);
++ return;
++ }
+
+ if (eject && !start) {
+ /* eject the disk */
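Review bot: `pwrcnd = buf[4] & 0xf0;` decodes the power-condition field through `buf`, while the two lines directly above it read the same command byte through `packet[4]`. Whether `buf` and `packet` point at the same buffer at this point is not visible in the hunk, so `pwrcnd = packet[4] & 0xf0;` would keep all three fields taken from the one guest-supplied packet and remove the doubt. The early `return` also leaves ide_atapi_cmd() from inside the switch; the rest of the function is outside the hunk, so it is worth confirming that nothing after the switch has to run on this success path.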
diff --git a/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch b/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
new file mode 100644
index 0000000..b9e79a8
--- /dev/null
+++ b/CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
@@ -0,0 +1,31 @@
+References: bsc#944697
+
+From: P J P
+
+While processing transmit descriptors, it could lead to an infinite
+loop if 'bytes' was to become zero; Add a check to avoid it.
+
+[The guest can force 'bytes' to 0 by setting the hdr_len and mss
+descriptor fields to 0.
+--Stefan]
+
+Signed-off-by: P J P
+Signed-off-by: Stefan Hajnoczi
+---
+ hw/net/e1000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
+ memmove(tp->data, tp->header, hdr);
+ tp->size = hdr;
+ }
+- } while (split_size -= bytes);
++ split_size -= bytes;
++ } while (bytes && split_size);
+ } else if (!tp->tse && tp->cptse) {
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentaion Error\n");
diff --git a/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch b/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
new file mode 100644
index 0000000..dde327a
--- /dev/null
+++ b/CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
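Review bot: The new loop condition `while (bytes && split_size)` carries no comment saying why `bytes` can be zero; the reason is recorded only in the patch description. A comment above `split_size -= bytes;` such as `/* guest-controlled hdr_len and mss of 0 make bytes 0; stop instead of spinning */` would keep the guard from being folded back into the old form later. When the loop stops on `bytes == 0` the remaining `split_size` is dropped without any diagnostic, so a `DBGOUT(TXERR, ...)` line like the one in the following branch would make a malformed descriptor visible in debug builds. process_tx_desc() starts and ends outside the hunk.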
@@ -0,0 +1,61 @@
+References: bsc#962321 CVE-2016-1922
+
+Subject: i386: avoid null pointer dereference
+From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530
+Date: Fri Jan 15 18:58:01 2016 +0100:
+Git: 4c1396cb576c9b14425558b73de1584c7a9735d7
+
+ Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu
+Signed-off-by: Prasad J Pandit
+Message-Id:
+Signed-off-by: Paolo Bonzini
+Signed-off-by: P J P
+
+Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+===================================================================
+--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
++++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned int size)
+ {
+- CPUState *cs = current_cpu;
+- X86CPU *cpu = X86_CPU(cs);
+- CPUX86State *env = &cpu->env;
+- hwaddr rom_paddr;
+ VAPICROMState *s = opaque;
++ X86CPU *cpu;
++ CPUX86State *env;
++ hwaddr rom_paddr;
++
++ if (!current_cpu) {
++ return;
++ }
+
+- cpu_synchronize_state(cs);
++ cpu_synchronize_state(current_cpu);
++ cpu = X86_CPU(current_cpu);
++ env = &cpu->env;
+
+ /*
+ * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
diff --git a/CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch b/CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
index 5e0f191..ca96162 100644
--- a/CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
+++ b/CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
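Review bot: The early `return` on `!current_cpu` in vapic_write() silently discards the port write, and the code gives no hint of when `current_cpu` can be NULL. A comment above the check, for example `/* current_cpu is NULL when the write comes from the monitor (hmp) rather than the cpu_exec() loop */`, would carry the explanation from the patch description into the source. The remainder of vapic_write() lies outside the hunk, so any other use of `current_cpu` further down cannot be checked from here.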
@@ -68,11 +68,11 @@ Notes: hw/net/e1000.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c =================================================================== ---- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c -@@ -537,7 +537,8 @@ start_xmit(E1000State *s) +--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c ++++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c +@@ -538,7 +538,8 @@ start_xmit(E1000State *s) * bogus values to TDT/TDLEN. * there's nothing too intelligent we could do about this. */ @@ -82,7 +82,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); break; -@@ -727,7 +728,8 @@ e1000_receive(void *opaque, const uint8_ +@@ -728,7 +729,8 @@ e1000_receive(void *opaque, const uint8_ s->mac_reg[RDH] = 0; s->check_rxov = 1; /* see comment in start_xmit; same here */ diff --git a/CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch b/CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch new file mode 100644 index 0000000..1cfe199 --- /dev/null +++ b/CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch 
@@ -0,0 +1,54 @@
+References: bsc#967101 CVE-2016-2391
+
+From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 16 Feb 2016 15:15:04 +0100
+Subject: [PATCH] ohci timer fix
+
+Signed-off-by: Gerd Hoffmann
+---
+ hw/usb/hcd-ohci.c | 31 +++++--------------------------
+ 1 file changed, 5 insertions(+), 26 deletions(-)
+
+Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+===================================================================
+--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
++++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+@@ -1139,16 +1139,6 @@ static void ohci_frame_boundary(void *op
+ */
+ static int ohci_bus_start(OHCIState *ohci)
+ {
+- ohci->eof_timer = qemu_new_timer(vm_clock,
+- ohci_frame_boundary,
+- ohci);
+-
+- if (ohci->eof_timer == NULL) {
+- fprintf(stderr, "usb-ohci: %s: qemu_new_timer failed\n", ohci->name);
+- /* TODO: Signal unrecoverable error */
+- return 0;
+- }
+-
+ dprintf("usb-ohci: %s: USB Operational\n", ohci->name);
+
+ ohci_sof(ohci);
+@@ -1159,9 +1149,7 @@ static int ohci_bus_start(OHCIState *ohc
+ /* Stop sending SOF tokens on the bus */
+ static void ohci_bus_stop(OHCIState *ohci)
+ {
+- if (ohci->eof_timer)
+- qemu_del_timer(ohci->eof_timer);
+- ohci->eof_timer = NULL;
++ qemu_del_timer(ohci->eof_timer);
+ }
+
+ /* Sets a flag in a port status register but only set it if the port is
+@@ -1654,6 +1642,9 @@ static void usb_ohci_init(OHCIState *ohc
+ ohci->async_td = 0;
+ qemu_register_reset(ohci_reset, ohci);
+ ohci_reset(ohci);
++
++ ohci->eof_timer = qemu_new_timer(QEMU_CLOCK_VIRTUAL,
++ ohci_frame_boundary, ohci);
+ }
+
+ typedef struct {
diff --git a/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch b/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
index 621c6e0..d47b659 100644
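Review bot: The timer is now created in usb_ohci_init() with `qemu_new_timer(QEMU_CLOCK_VIRTUAL, ...)`, but the call this same patch removes from ohci_bus_start() passed `vm_clock`, so the clock argument looks carried over from the newer tree and may not build against this file. The assignment also sits after `ohci_reset(ohci);`, while ohci_bus_stop() now calls `qemu_del_timer(ohci->eof_timer)` without the former NULL check; if ohci_reset() reaches ohci_bus_stop() (its body is not in the hunk), the first reset runs with `eof_timer` still unset. Placing `ohci->eof_timer = qemu_new_timer(vm_clock, ohci_frame_boundary, ohci);` before `qemu_register_reset(ohci_reset, ohci);` would address both. The removed code also checked the result for NULL and the new code does not, which is worth a one-line comment if allocation failure is handled elsewhere.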
--- a/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch +++ b/CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch @@ -53,7 +53,17 @@ Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c return 0; } -@@ -1997,23 +1985,13 @@ static bool ohci_eof_timer_needed(void * +@@ -1949,6 +1937,9 @@ static void usb_ohci_exit(PCIDevice *dev + if (!ohci->masterbus) { + usb_bus_release(&s->bus); + } ++ ++ timer_del(s->eof_timer); ++ timer_free(s->eof_timer); + } + + #define TYPE_SYSBUS_OHCI "sysbus-ohci" +@@ -1997,23 +1988,13 @@ static bool ohci_eof_timer_needed(void * { OHCIState *ohci = opaque; diff --git a/qemu-dm-segfault.patch b/qemu-dm-segfault.patch index 85a48f4..d0fae33 100644 --- a/qemu-dm-segfault.patch +++ b/qemu-dm-segfault.patch @@ -41,7 +41,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c if (ret < 0) { ide_atapi_io_error(s, ret); -@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque +@@ -2375,7 +2378,7 @@ static void cdrom_change_cb(void *opaque IDEState *s = opaque; uint64_t nb_sectors; diff --git a/xen.changes b/xen.changes index 3d62ebb..db8f15f 100644 --- a/xen.changes +++ b/xen.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Feb 29 09:40:43 MST 2016 - carnold@suse.com + +- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer + dereference in vapic_write() + CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch + ------------------------------------------------------------------- Wed Feb 24 08:05:02 MST 2016 - carnold@suse.com 
@@ -20,6 +27,7 @@ Wed Feb 17 08:30:35 MST 2016 - carnold@suse.com - bsc#967101 - VUL-0: CVE-2016-2391: xen: usb: multiple eof_timers in ohci module leads to null pointer dereference CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch + CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch - bsc#967090 - VUL-0: CVE-2016-2392: xen: usb: null pointer dereference in remote NDIS control message handling CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch @@ -84,6 +92,9 @@ Thu Feb 4 09:26:34 MST 2016 - carnold@suse.com - bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch +- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref + in sosendto() + CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch ------------------------------------------------------------------- Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com @@ -450,10 +461,8 @@ Wed Nov 4 10:33:59 MST 2015 - carnold@suse.com CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch - CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch - CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch" diff --git a/xen.spec b/xen.spec index a00602c..a6ddf1d 100644 --- a/xen.spec +++ b/xen.spec @@ -15,6 +15,7 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + # needssslcertforbuild Name: xen 
@@ -224,41 +225,46 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch Patch258: 0008-e1000-check-buffer-availability.patch -Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch -Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch -Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch -Patch263: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch -Patch264: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch -Patch265: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch -Patch266: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch -Patch267: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch -Patch268: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch -Patch269: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch -Patch270: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch -Patch271: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch -Patch272: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch -Patch273: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch -Patch274: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch -Patch275: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch -Patch276: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch -Patch277: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch -Patch278: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch -Patch279: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch -Patch280: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch -Patch281: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch -Patch282: 
CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch -Patch283: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch -Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch -Patch285: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch -Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch -Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch -Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch -Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch -Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch -Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch -Patch292: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch -Patch293: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch -Patch294: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch +Patch259: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch +Patch260: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch +Patch261: CVE-2015-4037-qemuu-smb-config-dir-name.patch +Patch262: CVE-2015-4037-qemut-smb-config-dir-name.patch +Patch263: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch +Patch264: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch +Patch265: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch +Patch266: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch +Patch267: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch +Patch268: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch +Patch269: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch +Patch270: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch +Patch271: 
CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch +Patch272: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch +Patch273: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch +Patch274: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch +Patch275: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch +Patch276: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch +Patch277: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch +Patch278: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch +Patch279: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch +Patch280: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch +Patch281: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch +Patch282: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch +Patch283: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch +Patch284: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch +Patch285: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch +Patch286: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch +Patch287: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch +Patch288: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch +Patch289: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch +Patch290: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch +Patch291: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch +Patch292: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch +Patch293: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch +Patch294: 
CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch +Patch295: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch +Patch296: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch +Patch297: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch +Patch298: CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch # Our platform specific patches Patch321: xen-destdir.patch Patch322: vif-bridge-no-iptables.patch @@ -554,6 +560,7 @@ Authors: %patch258 -p1 %patch259 -p1 %patch260 -p1 +%patch261 -p1 %patch262 -p1 %patch263 -p1 %patch264 -p1 @@ -587,6 +594,10 @@ Authors: %patch292 -p1 %patch293 -p1 %patch294 -p1 +%patch295 -p1 +%patch296 -p1 +%patch297 -p1 +%patch298 -p1 # Our platform specific patches %patch321 -p1 %patch322 -p1