rpm/xen
SHA256
1
0
Fork 0
forked from pool/xen
Code Pull Requests Activity

- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer

Browse Source 
dereference in vapic_write()
  CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
  CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref
  in sosendto()
  CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch

OBS-URL: https://build.opensuse.org/package/show/Virtualization/xen?expand=0&rev=404
This commit is contained in:
Charles Arnold 2016-03-01 21:45:58 +00:00 committed by Git OBS Bridge
parent 5ef52f56fd
commit 95d1280885
10 changed files with 310 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch Normal file
View File

@ -0,0 +1,36 @@
Subject: slirp: udp: fix NULL pointer dereference because of uninitialized socket
From: Petr Matousek pmatouse@redhat.com Thu Sep 18 08:35:37 2014 +0200
Date: Tue Sep 23 19:15:05 2014 +0100:
Git: 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a
When guest sends udp packet with source port and source addr 0,
uninitialized socket is picked up when looking for matching and already
created udp sockets, and later passed to sosendto() where NULL pointer
dereference is hit during so->slirp->vnetwork_mask.s_addr access.
Fix this by checking that the socket is not just a socket stub.
This is CVE-2014-3640.
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
Reported-by: Stephane Duverger <stephane.duverger@eads.net>
Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/slirp/udp.c
@@ -168,7 +168,7 @@ udp_input(m, iphlen)
* Locate pcb for datagram.
*/
so = udp_last_so;
- if (so->so_lport != uh->uh_sport ||
+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
so->so_laddr.s_addr != ip->ip_src.s_addr) {
struct socket *tmp;

54
CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch Normal file
View File

@ -0,0 +1,54 @@
Subject: ATAPI: STARTSTOPUNIT only eject/load media if powercondition is 0
From: Ronnie Sahlberg ronniesahlberg@gmail.com Tue Jul 31 11:28:26 2012 +1000
Date: Wed Sep 12 15:50:09 2012 +0200:
Git: ce560dcf20c14194db5ef3b9fc1ea592d4e68109
The START STOP UNIT command will only eject/load media if
power condition is zero.
If power condition is !0 then LOEJ and START will be ignored.
From MMC (sbc contains similar wordings too)
The Power Conditions field requests the block device to be placed
in the power condition defined in
Table 558. If this field has a value other than 0h then the Start
and LoEj bits shall be ignored.
Signed-off-by: Ronnie Sahlberg <ronniesahlberg@gmail.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 3 Jun 2015 14:17:46 +0200
Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
The command must be completed on all code paths. START STOP UNIT with
pwrcnd set should succeed without doing anything.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
hw/ide/atapi.c | 1 +
1 file changed, 1 insertion(+)
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/ide.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
@@ -2098,9 +2098,16 @@ static void ide_atapi_cmd(IDEState *s)
break;
case GPCMD_START_STOP_UNIT:
{
- int start, eject;
+ int start, eject, pwrcnd;
start = packet[4] & 1;
eject = (packet[4] >> 1) & 1;
+ pwrcnd = buf[4] & 0xf0;
+
+ if (pwrcnd) {
+ /* eject/load only happens for power condition == 0 */
+ ide_atapi_cmd_ok(s);
+ return;
+ }
if (eject && !start) {
/* eject the disk */

31
CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch Normal file
View File

@ -0,0 +1,31 @@
References: bsc#944697
From: P J P <address@hidden>
While processing transmit descriptors, it could lead to an infinite
loop if 'bytes' was to become zero; Add a check to avoid it.
[The guest can force 'bytes' to 0 by setting the hdr_len and mss
descriptor fields to 0.
--Stefan]
Signed-off-by: P J P <address@hidden>
Signed-off-by: Stefan Hajnoczi <address@hidden>
---
hw/net/e1000.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -470,7 +470,8 @@ process_tx_desc(E1000State *s, struct e1
memmove(tp->data, tp->header, hdr);
tp->size = hdr;
}
- } while (split_size -= bytes);
+ split_size -= bytes;
+ } while (bytes && split_size);
} else if (!tp->tse && tp->cptse) {
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");

61
CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch Normal file
View File

@ -0,0 +1,61 @@
References: bsc#962321 CVE-2016-1922
Subject: i386: avoid null pointer dereference
From: P J P ppandit@redhat.com Fri Dec 18 11:35:07 2015 +0530
Date: Fri Jan 15 18:58:01 2016 +0100:
Git: 4c1396cb576c9b14425558b73de1584c7a9735d7
Hello,
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
occurs while doing I/O port write operations via hmp interface. In that,
'current_cpu' remains null as it is not called from cpu_exec loop, which
results in the said issue.
Below is a proposed (tested)patch to fix this issue; Does it look okay?
===
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 18 Dec 2015 11:16:07 +0530
Subject: [PATCH] i386: avoid null pointer dereference
When I/O port write operation is called from hmp interface,
'current_cpu' remains null, as it is not called from cpu_exec()
loop. This leads to a null pointer dereference in vapic_write
routine. Add check to avoid it.
Reported-by: Ling Liu <liuling-it@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: P J P <ppandit@redhat.com>
Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
===================================================================
--- xen-4.6.1-testing.orig/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
+++ xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/i386/kvmvapic.c
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
unsigned int size)
{
- CPUState *cs = current_cpu;
- X86CPU *cpu = X86_CPU(cs);
- CPUX86State *env = &cpu->env;
- hwaddr rom_paddr;
VAPICROMState *s = opaque;
+ X86CPU *cpu;
+ CPUX86State *env;
+ hwaddr rom_paddr;
+
+ if (!current_cpu) {
+ return;
+ }
- cpu_synchronize_state(cs);
+ cpu_synchronize_state(current_cpu);
+ cpu = X86_CPU(current_cpu);
+ env = &cpu->env;
/*
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.

10
CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
View File

@ -68,11 +68,11 @@ Notes:
hw/net/e1000.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
===================================================================
--- xen-4.6.0-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -537,7 +537,8 @@ start_xmit(E1000State *s)
--- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
+++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
@@ -538,7 +538,8 @@ start_xmit(E1000State *s)
* bogus values to TDT/TDLEN.
* there's nothing too intelligent we could do about this.
*/
@ -82,7 +82,7 @@ Index: xen-4.6.0-testing/tools/qemu-xen-traditional-dir-remote/hw/e1000.c
DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
break;
@@ -727,7 +728,8 @@ e1000_receive(void *opaque, const uint8_
@@ -728,7 +729,8 @@ e1000_receive(void *opaque, const uint8_
s->mac_reg[RDH] = 0;
s->check_rxov = 1;
/* see comment in start_xmit; same here */

54
CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch Normal file
View File

@ -0,0 +1,54 @@
References: bsc#967101 CVE-2016-2391
From d1b07becc481e09225cfe905ec357807ae07f095 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Tue, 16 Feb 2016 15:15:04 +0100
Subject: [PATCH] ohci timer fix
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-ohci.c | 31 +++++--------------------------
1 file changed, 5 insertions(+), 26 deletions(-)
Index: xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
===================================================================
--- xen-4.5.2-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
+++ xen-4.5.2-testing/tools/qemu-xen-traditional-dir-remote/hw/usb-ohci.c
@@ -1139,16 +1139,6 @@ static void ohci_frame_boundary(void *op
*/
static int ohci_bus_start(OHCIState *ohci)
{
- ohci->eof_timer = qemu_new_timer(vm_clock,
- ohci_frame_boundary,
- ohci);
-
- if (ohci->eof_timer == NULL) {
- fprintf(stderr, "usb-ohci: %s: qemu_new_timer failed\n", ohci->name);
- /* TODO: Signal unrecoverable error */
- return 0;
- }
-
dprintf("usb-ohci: %s: USB Operational\n", ohci->name);
ohci_sof(ohci);
@@ -1159,9 +1149,7 @@ static int ohci_bus_start(OHCIState *ohc
/* Stop sending SOF tokens on the bus */
static void ohci_bus_stop(OHCIState *ohci)
{
- if (ohci->eof_timer)
- qemu_del_timer(ohci->eof_timer);
- ohci->eof_timer = NULL;
+ qemu_del_timer(ohci->eof_timer);
}
/* Sets a flag in a port status register but only set it if the port is
@@ -1654,6 +1642,9 @@ static void usb_ohci_init(OHCIState *ohc
ohci->async_td = 0;
qemu_register_reset(ohci_reset, ohci);
ohci_reset(ohci);
+
+ ohci->eof_timer = qemu_new_timer(QEMU_CLOCK_VIRTUAL,
+ ohci_frame_boundary, ohci);
}
typedef struct {

12
CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
View File

@ -53,7 +53,17 @@ Index: xen-4.6.1-testing/tools/qemu-xen-dir-remote/hw/usb/hcd-ohci.c
return 0;
}
@@ -1997,23 +1985,13 @@ static bool ohci_eof_timer_needed(void *
@@ -1949,6 +1937,9 @@ static void usb_ohci_exit(PCIDevice *dev
if (!ohci->masterbus) {
usb_bus_release(&s->bus);
}
+
+ timer_del(s->eof_timer);
+ timer_free(s->eof_timer);
}
#define TYPE_SYSBUS_OHCI "sysbus-ohci"
@@ -1997,23 +1988,13 @@ static bool ohci_eof_timer_needed(void *
{
OHCIState *ohci = opaque;

2
qemu-dm-segfault.patch
View File

@ -41,7 +41,7 @@ Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/ide.c
if (ret < 0) {
ide_atapi_io_error(s, ret);
@@ -2368,7 +2371,7 @@ static void cdrom_change_cb(void *opaque
@@ -2375,7 +2378,7 @@ static void cdrom_change_cb(void *opaque
IDEState *s = opaque;
uint64_t nb_sectors;

13
xen.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Feb 29 09:40:43 MST 2016 - carnold@suse.com
- bsc#962321 - VUL-0: CVE-2016-1922: xen: i386: null pointer
dereference in vapic_write()
CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
-------------------------------------------------------------------
Wed Feb 24 08:05:02 MST 2016 - carnold@suse.com
@ -20,6 +27,7 @@ Wed Feb 17 08:30:35 MST 2016 - carnold@suse.com
- bsc#967101 - VUL-0: CVE-2016-2391: xen: usb: multiple eof_timers
in ohci module leads to null pointer dereference
CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
- bsc#967090 - VUL-0: CVE-2016-2392: xen: usb: null pointer
dereference in remote NDIS control message handling
CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
@ -84,6 +92,9 @@ Thu Feb 4 09:26:34 MST 2016 - carnold@suse.com
- bsc#965156 - VUL-0: CVE-2015-6855: xen: ide: divide by zero issue
CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
- bsc#965112 - VUL-0: CVE-2014-3640: xen: slirp: NULL pointer deref
in sosendto()
CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
-------------------------------------------------------------------
Wed Feb 3 10:47:41 MST 2016 - carnold@suse.com
@ -450,10 +461,8 @@ Wed Nov 4 10:33:59 MST 2015 - carnold@suse.com
CVE-2015-5154-qemuu-fix-START-STOP-UNIT-command-completion.patch
CVE-2015-5154-qemuu-clear-DRQ-after-handling-all-expected-accesses.patch
CVE-2015-5154-qemut-check-array-bounds-before-writing-to-io_buffer.patch
CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
CVE-2015-5154-qemut-clear-DRQ-after-handling-all-expected-accesses.patch
CVE-2015-6815-qemuu-e1000-fix-infinite-loop.patch
CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
CVE-2015-5239-qemuu-limit-client_cut_text-msg-payload-size.patch
CVE-2015-5239-qemut-limit-client_cut_text-msg-payload-size.patch"

81
xen.spec
View File

@ -15,6 +15,7 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# needssslcertforbuild
Name: xen
@ -224,41 +225,46 @@ Patch255: 0005-e1000-multi-buffer-packet-support.patch
Patch256: 0006-e1000-clear-EOP-for-multi-buffer-descriptors.patch
Patch257: 0007-e1000-verify-we-have-buffers-upfront.patch
Patch258: 0008-e1000-check-buffer-availability.patch
Patch259: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch260: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch262: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch263: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Patch264: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
Patch265: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
Patch266: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
Patch267: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
Patch268: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
Patch269: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
Patch270: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
Patch271: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
Patch272: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
Patch273: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
Patch274: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
Patch275: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch276: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch277: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
Patch278: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch279: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch280: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
Patch281: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
Patch282: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
Patch283: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
Patch284: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch285: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch286: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch287: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
Patch288: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
Patch289: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
Patch290: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch291: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Patch292: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
Patch293: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
Patch294: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
Patch259: CVE-2015-5154-qemut-fix-START-STOP-UNIT-command-completion.patch
Patch260: CVE-2015-6815-qemut-e1000-fix-infinite-loop.patch
Patch261: CVE-2015-4037-qemuu-smb-config-dir-name.patch
Patch262: CVE-2015-4037-qemut-smb-config-dir-name.patch
Patch263: CVE-2014-0222-qemut-qcow1-validate-l2-table-size.patch
Patch264: CVE-2015-8345-qemuu-eepro100-infinite-loop-fix.patch
Patch265: CVE-2015-8345-qemut-eepro100-infinite-loop-fix.patch
Patch266: CVE-2015-8504-qemut-vnc-avoid-floating-point-exception.patch
Patch267: CVE-2015-8504-qemuu-vnc-avoid-floating-point-exception.patch
Patch268: CVE-2015-7549-qemuu-pci-null-pointer-dereference-issue.patch
Patch269: CVE-2015-8558-qemuu-usb-infinite-loop-in-ehci_advance_state-results-in-DoS.patch
Patch270: CVE-2015-8568-qemuu-net-vmxnet3-avoid-memory-leakage-in-activate_device.patch
Patch271: CVE-2015-8745-qemuu-net-vmxnet3-read-IMR-registers-instead-of-assert.patch
Patch272: CVE-2015-8744-qemuu-net-vmxnet3-incorrect-l2-header-validation-leads-to-crash.patch
Patch273: CVE-2015-8743-qemuu-ne2000-OOB-memory-access-in-ioport-rw-functions.patch
Patch274: CVE-2015-8613-qemuu-scsi-initialise-info-object-with-appropriate-size.patch
Patch275: CVE-2016-1568-qemuu-ide-ahci-reset-ncq-object-to-unused-on-error.patch
Patch276: CVE-2016-1714-qemuu-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch277: CVE-2016-1714-qemut-fw_cfg-add-check-to-validate-current-entry-value.patch
Patch278: CVE-2013-4538-qemut-ssd0323-fix-buffer-overun-on-invalid-state.patch
Patch279: CVE-2015-7512-qemuu-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch280: CVE-2015-7512-qemut-net-pcnet-buffer-overflow-in-non-loopback-mode.patch
Patch281: CVE-2014-7815-qemut-vnc-sanitize-bits_per_pixel-from-the-client.patch
Patch282: CVE-2013-4537-qemut-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
Patch283: CVE-2015-1779-qemuu-incrementally-decode-websocket-frames.patch
Patch284: CVE-2015-1779-qemuu-limit-size-of-HTTP-headers-from-websockets-clients.patch
Patch285: CVE-2013-4539-qemut-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch286: CVE-2016-1981-qemuu-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch287: CVE-2016-1981-qemut-e1000-eliminate-infinite-loops-on-out-of-bounds-transfer.patch
Patch288: CVE-2016-2198-qemuu-usb-ehci-null-pointer-dereference-in-ehci_caps_write.patch
Patch289: CVE-2013-4533-qemut-pxa2xx-buffer-overrun-on-incoming-migration.patch
Patch290: CVE-2015-5278-qemut-Infinite-loop-in-ne2000_receive-function.patch
Patch291: CVE-2014-3640-qemut-slirp-NULL-pointer-deref-in-sosendto.patch
Patch292: CVE-2015-6855-qemuu-ide-divide-by-zero-issue.patch
Patch293: CVE-2015-8619-qemuu-stack-based-OOB-write-in-hmp_sendkey-routine.patch
Patch294: CVE-2016-2392-qemuu-usb-null-pointer-dereference-in-NDIS-message-handling.patch
Patch295: CVE-2016-2391-qemuu-usb-null-pointer-dereference-in-ohci-module.patch
Patch296: CVE-2016-2391-qemut-usb-null-pointer-dereference-in-ohci-module.patch
Patch297: CVE-2016-2538-qemuu-usb-integer-overflow-in-remote-NDIS-message-handling.patch
Patch298: CVE-2016-1922-qemuu-i386-null-pointer-dereference-in-vapic_write.patch
# Our platform specific patches
Patch321: xen-destdir.patch
Patch322: vif-bridge-no-iptables.patch
@ -554,6 +560,7 @@ Authors:
%patch258 -p1
%patch259 -p1
%patch260 -p1
%patch261 -p1
%patch262 -p1
%patch263 -p1
%patch264 -p1
@ -587,6 +594,10 @@ Authors:
%patch292 -p1
%patch293 -p1
%patch294 -p1
%patch295 -p1
%patch296 -p1
%patch297 -p1
%patch298 -p1
# Our platform specific patches
%patch321 -p1
%patch322 -p1