Sat Feb 4 12:42:21 2012 UTC ()
Pullup ticket #3672 - requested by bouyer
sysutils/xentools33: security patch
sysutils/xentools41: security patch

Revisions pulled up:
- sysutils/xentools33/Makefile                                  1.29 via patch
- sysutils/xentools33/distinfo                                  1.27 via patch
- sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029   1.1
- sysutils/xentools41/Makefile                                  1.15 via patch
- sysutils/xentools41/distinfo                                  1.17
- sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029   1.1

---
   Module Name:	pkgsrc
   Committed By:	bouyer
   Date:		Fri Feb  3 17:00:25 UTC 2012

   Modified Files:
   	pkgsrc/sysutils/xentools33: Makefile distinfo
   	pkgsrc/sysutils/xentools41: Makefile distinfo
   Added Files:
   	pkgsrc/sysutils/xentools33/patches: patch-qemu-e1000-CVSE-2012-0029
   	pkgsrc/sysutils/xentools41/patches: patch-qemu-e1000-CVSE-2012-0029

   Log Message:
   Pull up fix from Xen repository, fixing CVE-2012-0029:
   Heap-based buffer overflow in the process_tx_desc function in the
   e1000 emulation allows the guest to cause a denial of service (QEMU
   crash) and possibly execute arbitrary code via crafted legacy mode
   packets.

   Bump PKGREVISION


(tron)
diff -r1.27 -r1.27.2.1 pkgsrc/sysutils/xentools33/Makefile
diff -r1.25 -r1.25.2.1 pkgsrc/sysutils/xentools33/distinfo
diff -r0 -r1.1.2.2 pkgsrc/sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029
diff -r1.13 -r1.13.2.1 pkgsrc/sysutils/xentools41/Makefile
diff -r1.15 -r1.15.2.1 pkgsrc/sysutils/xentools41/distinfo
diff -r0 -r1.1.2.2 pkgsrc/sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029

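--- a/pkgsrc/sysutils/xentools33/Attic/Makefile
+++ b/pkgsrc/sysutils/xentools33/Attic/Makefile
@@ -1,20 +1,20 @@
-# $NetBSD: Makefile,v 1.27 2011/10/03 17:01:24 sborrill Exp $
+# $NetBSD: Makefile,v 1.27.2.1 2012/02/04 12:42:20 tron Exp $
 #
 
 VERSION= 3.3.2
 DISTNAME= xen-${VERSION}
 PKGNAME= xentools33-${VERSION}
-PKGREVISION= 8
+PKGREVISION= 10
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 EXTRACT_SUFX= .tar.gz
 
 MAINTAINER= cegger@NetBSD.org
 HOMEPAGE= http://xen.org/
 COMMENT= Userland Tools for Xen 3.3.x
 
 LICENSE= gnu-gpl-v2
 
 PKG_DESTDIR_SUPPORT= user-destdir
 
 #DEPENDS+= ${PYPKGPREFIX}-twisted-[0-9]*:../../net/py-twisted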

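--- a/pkgsrc/sysutils/xentools33/Attic/distinfo
+++ b/pkgsrc/sysutils/xentools33/Attic/distinfo
@@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.25 2011/12/07 15:22:59 joerg Exp $
+$NetBSD: distinfo,v 1.25.2.1 2012/02/04 12:42:20 tron Exp $
 
 SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4
 RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b
 Size (xen-3.3.2.tar.gz) = 11357576 bytes
 SHA1 (patch-CVE-2011-1583) = c9f59d9fbb20f0cb76733a4c2d136a67253cae0a
 SHA1 (patch-aa) = 74c3023e39baf488f8bae060e93f6175b32df61a
 SHA1 (patch-ab) = a73636bf27ad45fbdda791cb2b65254d26a5b899
 SHA1 (patch-ac) = 70af1b1a787b9dad9e41a2ffe14d595c6797b4d7
 SHA1 (patch-ad) = ccd63ed718e5ba3a742f181ae84af82e85f2f0c4
 SHA1 (patch-ae) = bb7116a71bf6637591b639511f055836a13d9887
 SHA1 (patch-af) = 0d4cd2bc3c56934bd072bc72b34e5ed677d04969
 SHA1 (patch-ag) = 6b6c26c5fbb28b9cc37e76b250cc90fed111e78a
 SHA1 (patch-ah) = cc8d95c73d7f4a08f311e8417d26f53ffd010549
@@ -44,14 +44,15 @@ SHA1 (patch-ea) = 4c5cd6bd798488c13a264b
 SHA1 (patch-eb) = cf63c43ccbc6b7b435be871e392f9729bd392ab4
 SHA1 (patch-ec) = ec7745d92a74a7101391e07508a4ede9a72fd1d1
 SHA1 (patch-ed) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde
 SHA1 (patch-ee) = 119029fda1d4ecee90d0a108151596cb3ef0ec74
 SHA1 (patch-ef) = c8740b1c9cfac686f2e4e32c7613b5f02206459d
 SHA1 (patch-eg) = 84e816c95167828314ef901e324772249a407c41
 SHA1 (patch-fa) = b4a4b7334357ebcd1646886c18c9772e8b9ae765
 SHA1 (patch-fb) = 22a07628566b43aa786c410927d29a283e8cf141
 SHA1 (patch-fc) = d5afc1a1e16f26203a5615142efda8fade48b371
 SHA1 (patch-fd) = 619b865b2f17814e6e62ebab21de9183474dd075
 SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3
 SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957
 SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 8628504e1dfd013254f816cb4feeb7548b9ad2ec
 SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5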

File Added: pkgsrc/sysutils/xentools33/patches/Attic/patch-qemu-e1000-CVSE-2012-0029
$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1.2.2 2012/02/04 12:42:20 tron Exp $

Backported from:
From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
From: Ian Campbell <Ian.Campbell@citrix.com>
Date: Thu, 2 Feb 2012 13:47:06 +0000
Subject: [PATCH] e1000: bounds packet size against buffer size

Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
as CVE-2012-0029.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
 by Ian Campbell.)

Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)


--- ioemu/hw/e1000.c.orig	2009-08-06 14:56:34.000000000 +0200
+++ ioemu/hw/e1000.c	2012-02-03 14:51:56.000000000 +0100
@@ -397,6 +401,8 @@
             bytes = split_size;
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
+
+	    bytes = MIN(sizeof(tp->data) - tp->size, bytes);
             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                 memmove(tp->header, tp->data, hdr);
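Review bot: The added clamp `bytes = MIN(sizeof(tp->data) - tp->size, bytes);` only bounds the copy while `tp->size <= sizeof(tp->data)` holds; the subtraction is done in an unsigned type, so a larger `tp->size` would wrap to a huge value and leave `bytes` unclamped. The declarations of `tp->size` and `tp->data` are outside the hunk, so whether that state can be reached cannot be told from here, but the invariant deserves a comment above the line, e.g. `/* relies on tp->size <= sizeof(tp->data); otherwise the unsigned difference wraps and nothing is clamped */`. The same applies to the `split_size` clamp in the second hunk and to both hunks of the xentools41 copy of this patch. The enclosing function (process_tx_desc, per the log message) starts and ends outside the hunk.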
@@ -412,6 +418,7 @@
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentaion Error\n");
     } else {
+	split_size = MIN(sizeof(tp->data) - tp->size, split_size);
         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
         tp->size += split_size;
     }
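Review bot: The `split_size` clamp in the `else` branch truncates silently, so nothing records that a guest descriptor asked for more data than `tp->data` can hold, which is the condition CVE-2012-0029 describes and one an operator would want to see. The branch just above already reports through `DBGOUT(TXERR, ...)`, and the same channel could be used ahead of the clamp, e.g. `if (split_size > sizeof(tp->data) - tp->size) DBGOUT(TXERR, "TX data exceeds buffer, truncated\n");` (message text is a suggestion). The `bytes` clamp in the first hunk and both hunks of the xentools41 copy truncate in the same quiet way. The enclosing function continues outside the hunk.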

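--- a/pkgsrc/sysutils/xentools41/Attic/Makefile
+++ b/pkgsrc/sysutils/xentools41/Attic/Makefile
@@ -1,22 +1,21 @@
-# $NetBSD: Makefile,v 1.13 2011/12/06 00:19:25 sbd Exp $
+# $NetBSD: Makefile,v 1.13.2.1 2012/02/04 12:42:20 tron Exp $
 #
 # VERSION is set in version.mk as it is shared with other packages
 .include "version.mk"
 
 DISTNAME= xen-${VERSION}
 PKGNAME= xentools41-${VERSION}
-#PKGREVISION= 1
-PKGREVISION= 1
+PKGREVISION= 3
 CATEGORIES= sysutils
 MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
 
 DISTFILES= ${DISTNAME}.tar.gz
 DISTFILES+= ipxe-git-v1.0.0.tar.gz
 SITES.ipxe-git-v1.0.0.tar.gz += http://xenbits.xensource.com/xen-extfiles/
 
 MAINTAINER= cegger@NetBSD.org
 HOMEPAGE= http://xen.org/
 COMMENT= Userland Tools for Xen 4.1.x
 
 LICENSE= gnu-gpl-v2
 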

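--- a/pkgsrc/sysutils/xentools41/Attic/distinfo
+++ b/pkgsrc/sysutils/xentools41/Attic/distinfo
@@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.15 2011/12/14 04:01:37 sbd Exp $
+$NetBSD: distinfo,v 1.15.2.1 2012/02/04 12:42:20 tron Exp $
 
 SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485
 RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547
 Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes
 SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e
 RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6
 Size (xen-4.1.2.tar.gz) = 10365786 bytes
 SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada
 SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d
 SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb
 SHA1 (patch-ad) = 5eb15470bff85d30b6d26d8fe094f59fc8e34175
 SHA1 (patch-ae) = 400bd6cac23af1e75f45c3e4e88e3130a3517129
 SHA1 (patch-af) = e866e7d96766b735a53432350275810803eeb510
@@ -26,15 +26,16 @@ SHA1 (patch-cb) = 5563a72e203e789a86f416
 SHA1 (patch-cc) = 24d71f68a93b59bd5c5441c257d34862e7302040
 SHA1 (patch-cd) = 7b25b3b3a8d58effae395d776f2a4b94d79acfcb
 SHA1 (patch-ce) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde
 SHA1 (patch-cf) = c8740b1c9cfac686f2e4e32c7613b5f02206459d
 SHA1 (patch-cg) = 119029fda1d4ecee90d0a108151596cb3ef0ec74
 SHA1 (patch-ch) = 84e816c95167828314ef901e324772249a407c41
 SHA1 (patch-da) = 1a7ecd9536340deac2945786b9faae55680525ca
 SHA1 (patch-db) = 4766f9925462023332793bcea4321072758e289d
 SHA1 (patch-dc) = d860fe3725978227278d58f09e7d5157001e463e
 SHA1 (patch-dd) = e66d9cc0028ba922b050fc142862b4095cd018f3
 SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d
 SHA1 (patch-libxl_libxl_create.c) = 02b661ca684609939c6ef762c0ddd1c5e62ad4d0
 SHA1 (patch-ocaml-include-path) = 959df25b0aae78d525b25f223190203d3c1185a6
+SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 064ba74795e7a1ceb863d1f7bc171f3841c81b8a
 SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5
 SHA1 (patch-xenstore_Makefile) = 4fa0ed7b76a96011c3cca9c5017be4b5151489f7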

File Added: pkgsrc/sysutils/xentools41/patches/Attic/patch-qemu-e1000-CVSE-2012-0029
$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1.2.2 2012/02/04 12:42:21 tron Exp $

From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
From: Ian Campbell <Ian.Campbell@citrix.com>
Date: Thu, 2 Feb 2012 13:47:06 +0000
Subject: [PATCH] e1000: bounds packet size against buffer size

Otherwise we can write beyond the buffer and corrupt memory.  This is tracked
as CVE-2012-0029.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>

(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
 by Ian Campbell.)

Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
---
 hw/e1000.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/hw/e1000.c b/hw/e1000.c
index bb3689e..97104ed 100644
--- ioemu-qemu-xen/hw/e1000.c.orig
+++ ioemu-qemu-xen/hw/e1000.c
@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
             bytes = split_size;
             if (tp->size + bytes > msh)
                 bytes = msh - tp->size;
+
+            bytes = MIN(sizeof(tp->data) - tp->size, bytes);
             cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
             if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
                 memmove(tp->header, tp->data, hdr);
@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
         // context descriptor TSE is not set, while data descriptor TSE is set
         DBGOUT(TXERR, "TCP segmentaion Error\n");
     } else {
+        split_size = MIN(sizeof(tp->data) - tp->size, split_size);
         cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
         tp->size += split_size;
     }
-- 
1.7.2.5