Pullup ticket #3672 - requested by bouyer sysutils/xentools33: security patch sysutils/xentools41: security patch Revisions pulled up: - sysutils/xentools33/Makefile 1.29 via patch - sysutils/xentools33/distinfo 1.27 via patch - sysutils/xentools33/patches/patch-qemu-e1000-CVSE-2012-0029 1.1 - sysutils/xentools41/Makefile 1.15 via patch - sysutils/xentools41/distinfo 1.17 - sysutils/xentools41/patches/patch-qemu-e1000-CVSE-2012-0029 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Feb 3 17:00:25 UTC 2012 Modified Files: pkgsrc/sysutils/xentools33: Makefile distinfo pkgsrc/sysutils/xentools41: Makefile distinfo Added Files: pkgsrc/sysutils/xentools33/patches: patch-qemu-e1000-CVSE-2012-0029 pkgsrc/sysutils/xentools41/patches: patch-qemu-e1000-CVSE-2012-0029 Log Message: Pull up fix from Xen repository, fixing CVE-2012-0029: Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation allows the guest to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. Bump PKGREVISIONdiff -r1.27 -r1.27.2.1 pkgsrc/sysutils/xentools33/Makefile
(tron)
@@ -1,20 +1,20 @@ | @@ -1,20 +1,20 @@ | |||
1 | # $NetBSD: Makefile,v 1.27 2011/10/03 17:01:24 sborrill Exp $ | 1 | # $NetBSD: Makefile,v 1.27.2.1 2012/02/04 12:42:20 tron Exp $ | |
2 | # | 2 | # | |
3 | 3 | |||
4 | VERSION= 3.3.2 | 4 | VERSION= 3.3.2 | |
5 | DISTNAME= xen-${VERSION} | 5 | DISTNAME= xen-${VERSION} | |
6 | PKGNAME= xentools33-${VERSION} | 6 | PKGNAME= xentools33-${VERSION} | |
7 | PKGREVISION= 8 | 7 | PKGREVISION= 10 | |
8 | CATEGORIES= sysutils | 8 | CATEGORIES= sysutils | |
9 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | 9 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | |
10 | EXTRACT_SUFX= .tar.gz | 10 | EXTRACT_SUFX= .tar.gz | |
11 | 11 | |||
12 | MAINTAINER= cegger@NetBSD.org | 12 | MAINTAINER= cegger@NetBSD.org | |
13 | HOMEPAGE= http://xen.org/ | 13 | HOMEPAGE= http://xen.org/ | |
14 | COMMENT= Userland Tools for Xen 3.3.x | 14 | COMMENT= Userland Tools for Xen 3.3.x | |
15 | 15 | |||
16 | LICENSE= gnu-gpl-v2 | 16 | LICENSE= gnu-gpl-v2 | |
17 | 17 | |||
18 | PKG_DESTDIR_SUPPORT= user-destdir | 18 | PKG_DESTDIR_SUPPORT= user-destdir | |
19 | 19 | |||
20 | #DEPENDS+= ${PYPKGPREFIX}-twisted-[0-9]*:../../net/py-twisted | 20 | #DEPENDS+= ${PYPKGPREFIX}-twisted-[0-9]*:../../net/py-twisted |
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | $NetBSD: distinfo,v 1.25 2011/12/07 15:22:59 joerg Exp $ | 1 | $NetBSD: distinfo,v 1.25.2.1 2012/02/04 12:42:20 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4 | 3 | SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4 | |
4 | RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b | 4 | RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b | |
5 | Size (xen-3.3.2.tar.gz) = 11357576 bytes | 5 | Size (xen-3.3.2.tar.gz) = 11357576 bytes | |
6 | SHA1 (patch-CVE-2011-1583) = c9f59d9fbb20f0cb76733a4c2d136a67253cae0a | 6 | SHA1 (patch-CVE-2011-1583) = c9f59d9fbb20f0cb76733a4c2d136a67253cae0a | |
7 | SHA1 (patch-aa) = 74c3023e39baf488f8bae060e93f6175b32df61a | 7 | SHA1 (patch-aa) = 74c3023e39baf488f8bae060e93f6175b32df61a | |
8 | SHA1 (patch-ab) = a73636bf27ad45fbdda791cb2b65254d26a5b899 | 8 | SHA1 (patch-ab) = a73636bf27ad45fbdda791cb2b65254d26a5b899 | |
9 | SHA1 (patch-ac) = 70af1b1a787b9dad9e41a2ffe14d595c6797b4d7 | 9 | SHA1 (patch-ac) = 70af1b1a787b9dad9e41a2ffe14d595c6797b4d7 | |
10 | SHA1 (patch-ad) = ccd63ed718e5ba3a742f181ae84af82e85f2f0c4 | 10 | SHA1 (patch-ad) = ccd63ed718e5ba3a742f181ae84af82e85f2f0c4 | |
11 | SHA1 (patch-ae) = bb7116a71bf6637591b639511f055836a13d9887 | 11 | SHA1 (patch-ae) = bb7116a71bf6637591b639511f055836a13d9887 | |
12 | SHA1 (patch-af) = 0d4cd2bc3c56934bd072bc72b34e5ed677d04969 | 12 | SHA1 (patch-af) = 0d4cd2bc3c56934bd072bc72b34e5ed677d04969 | |
13 | SHA1 (patch-ag) = 6b6c26c5fbb28b9cc37e76b250cc90fed111e78a | 13 | SHA1 (patch-ag) = 6b6c26c5fbb28b9cc37e76b250cc90fed111e78a | |
14 | SHA1 (patch-ah) = cc8d95c73d7f4a08f311e8417d26f53ffd010549 | 14 | SHA1 (patch-ah) = cc8d95c73d7f4a08f311e8417d26f53ffd010549 | |
@@ -44,14 +44,15 @@ SHA1 (patch-ea) = 4c5cd6bd798488c13a264b | @@ -44,14 +44,15 @@ SHA1 (patch-ea) = 4c5cd6bd798488c13a264b | |||
44 | SHA1 (patch-eb) = cf63c43ccbc6b7b435be871e392f9729bd392ab4 | 44 | SHA1 (patch-eb) = cf63c43ccbc6b7b435be871e392f9729bd392ab4 | |
45 | SHA1 (patch-ec) = ec7745d92a74a7101391e07508a4ede9a72fd1d1 | 45 | SHA1 (patch-ec) = ec7745d92a74a7101391e07508a4ede9a72fd1d1 | |
46 | SHA1 (patch-ed) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde | 46 | SHA1 (patch-ed) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde | |
47 | SHA1 (patch-ee) = 119029fda1d4ecee90d0a108151596cb3ef0ec74 | 47 | SHA1 (patch-ee) = 119029fda1d4ecee90d0a108151596cb3ef0ec74 | |
48 | SHA1 (patch-ef) = c8740b1c9cfac686f2e4e32c7613b5f02206459d | 48 | SHA1 (patch-ef) = c8740b1c9cfac686f2e4e32c7613b5f02206459d | |
49 | SHA1 (patch-eg) = 84e816c95167828314ef901e324772249a407c41 | 49 | SHA1 (patch-eg) = 84e816c95167828314ef901e324772249a407c41 | |
50 | SHA1 (patch-fa) = b4a4b7334357ebcd1646886c18c9772e8b9ae765 | 50 | SHA1 (patch-fa) = b4a4b7334357ebcd1646886c18c9772e8b9ae765 | |
51 | SHA1 (patch-fb) = 22a07628566b43aa786c410927d29a283e8cf141 | 51 | SHA1 (patch-fb) = 22a07628566b43aa786c410927d29a283e8cf141 | |
52 | SHA1 (patch-fc) = d5afc1a1e16f26203a5615142efda8fade48b371 | 52 | SHA1 (patch-fc) = d5afc1a1e16f26203a5615142efda8fade48b371 | |
53 | SHA1 (patch-fd) = 619b865b2f17814e6e62ebab21de9183474dd075 | 53 | SHA1 (patch-fd) = 619b865b2f17814e6e62ebab21de9183474dd075 | |
54 | SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3 | 54 | SHA1 (patch-fe) = 85d42672766fe8ce2dc7f745938722710c6ee5a3 | |
55 | SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957 | 55 | SHA1 (patch-ff) = 6ff97fa4f34f29c276e4aaab4b4db9ccf7b09957 | |
56 | SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c | 56 | SHA1 (patch-fg) = 913295d341c1dd5bf4d1ef78f27520920f138d4c | |
57 | SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 8628504e1dfd013254f816cb4feeb7548b9ad2ec | |||
57 | SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5 | 58 | SHA1 (patch-qemu-phy-devices) = 29790e45372ae16157e906dc39a667229e8a0ba5 |
$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1.2.2 2012/02/04 12:42:20 tron Exp $
Backported from:
From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
From: Ian Campbell <Ian.Campbell@citrix.com>
Date: Thu, 2 Feb 2012 13:47:06 +0000
Subject: [PATCH] e1000: bounds packet size against buffer size
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
by Ian Campbell.)
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
--- ioemu/hw/e1000.c.orig 2009-08-06 14:56:34.000000000 +0200
+++ ioemu/hw/e1000.c 2012-02-03 14:51:56.000000000 +0100
@@ -397,6 +401,8 @@
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
@@ -412,6 +418,7 @@
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
@@ -1,22 +1,21 @@ | @@ -1,22 +1,21 @@ | |||
1 | # $NetBSD: Makefile,v 1.13 2011/12/06 00:19:25 sbd Exp $ | 1 | # $NetBSD: Makefile,v 1.13.2.1 2012/02/04 12:42:20 tron Exp $ | |
2 | # | 2 | # | |
3 | # VERSION is set in version.mk as it is shared with other packages | 3 | # VERSION is set in version.mk as it is shared with other packages | |
4 | .include "version.mk" | 4 | .include "version.mk" | |
5 | 5 | |||
6 | DISTNAME= xen-${VERSION} | 6 | DISTNAME= xen-${VERSION} | |
7 | PKGNAME= xentools41-${VERSION} | 7 | PKGNAME= xentools41-${VERSION} | |
8 | #PKGREVISION= 1 | 8 | PKGREVISION= 3 | |
9 | PKGREVISION= 1 | |||
10 | CATEGORIES= sysutils | 9 | CATEGORIES= sysutils | |
11 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | 10 | MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/ | |
12 | 11 | |||
13 | DISTFILES= ${DISTNAME}.tar.gz | 12 | DISTFILES= ${DISTNAME}.tar.gz | |
14 | DISTFILES+= ipxe-git-v1.0.0.tar.gz | 13 | DISTFILES+= ipxe-git-v1.0.0.tar.gz | |
15 | SITES.ipxe-git-v1.0.0.tar.gz += http://xenbits.xensource.com/xen-extfiles/ | 14 | SITES.ipxe-git-v1.0.0.tar.gz += http://xenbits.xensource.com/xen-extfiles/ | |
16 | 15 | |||
17 | MAINTAINER= cegger@NetBSD.org | 16 | MAINTAINER= cegger@NetBSD.org | |
18 | HOMEPAGE= http://xen.org/ | 17 | HOMEPAGE= http://xen.org/ | |
19 | COMMENT= Userland Tools for Xen 4.1.x | 18 | COMMENT= Userland Tools for Xen 4.1.x | |
20 | 19 | |||
21 | LICENSE= gnu-gpl-v2 | 20 | LICENSE= gnu-gpl-v2 | |
22 | 21 |
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | $NetBSD: distinfo,v 1.15 2011/12/14 04:01:37 sbd Exp $ | 1 | $NetBSD: distinfo,v 1.15.2.1 2012/02/04 12:42:20 tron Exp $ | |
2 | 2 | |||
3 | SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 | 3 | SHA1 (ipxe-git-v1.0.0.tar.gz) = da052c8de5f3485fe0253c19cf52ed6d72528485 | |
4 | RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 | 4 | RMD160 (ipxe-git-v1.0.0.tar.gz) = dcd9b6eaafa1ce05c1ebf2a15f2f73ad7a8c5547 | |
5 | Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes | 5 | Size (ipxe-git-v1.0.0.tar.gz) = 1996881 bytes | |
6 | SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e | 6 | SHA1 (xen-4.1.2.tar.gz) = db584cb0a0cc614888d7df3b196d514fdb2edd6e | |
7 | RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6 | 7 | RMD160 (xen-4.1.2.tar.gz) = 457797ec4be286afbbcad940a9ce04e44f3f40d6 | |
8 | Size (xen-4.1.2.tar.gz) = 10365786 bytes | 8 | Size (xen-4.1.2.tar.gz) = 10365786 bytes | |
9 | SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada | 9 | SHA1 (patch-aa) = 9b53ba4a809dad7a1de34c8fa0dbe493d7256ada | |
10 | SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d | 10 | SHA1 (patch-ab) = 0906a5ec3a7450fc987b01289e2560e60966d00d | |
11 | SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb | 11 | SHA1 (patch-ac) = c3cc5335a1d6b066307c5f03fe72f513a9eb2bdb | |
12 | SHA1 (patch-ad) = 5eb15470bff85d30b6d26d8fe094f59fc8e34175 | 12 | SHA1 (patch-ad) = 5eb15470bff85d30b6d26d8fe094f59fc8e34175 | |
13 | SHA1 (patch-ae) = 400bd6cac23af1e75f45c3e4e88e3130a3517129 | 13 | SHA1 (patch-ae) = 400bd6cac23af1e75f45c3e4e88e3130a3517129 | |
14 | SHA1 (patch-af) = e866e7d96766b735a53432350275810803eeb510 | 14 | SHA1 (patch-af) = e866e7d96766b735a53432350275810803eeb510 | |
@@ -26,15 +26,16 @@ SHA1 (patch-cb) = 5563a72e203e789a86f416 | @@ -26,15 +26,16 @@ SHA1 (patch-cb) = 5563a72e203e789a86f416 | |||
26 | SHA1 (patch-cc) = 24d71f68a93b59bd5c5441c257d34862e7302040 | 26 | SHA1 (patch-cc) = 24d71f68a93b59bd5c5441c257d34862e7302040 | |
27 | SHA1 (patch-cd) = 7b25b3b3a8d58effae395d776f2a4b94d79acfcb | 27 | SHA1 (patch-cd) = 7b25b3b3a8d58effae395d776f2a4b94d79acfcb | |
28 | SHA1 (patch-ce) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde | 28 | SHA1 (patch-ce) = 613f4c4605af860e5f88b68c49a0e7870ba6ecde | |
29 | SHA1 (patch-cf) = c8740b1c9cfac686f2e4e32c7613b5f02206459d | 29 | SHA1 (patch-cf) = c8740b1c9cfac686f2e4e32c7613b5f02206459d | |
30 | SHA1 (patch-cg) = 119029fda1d4ecee90d0a108151596cb3ef0ec74 | 30 | SHA1 (patch-cg) = 119029fda1d4ecee90d0a108151596cb3ef0ec74 | |
31 | SHA1 (patch-ch) = 84e816c95167828314ef901e324772249a407c41 | 31 | SHA1 (patch-ch) = 84e816c95167828314ef901e324772249a407c41 | |
32 | SHA1 (patch-da) = 1a7ecd9536340deac2945786b9faae55680525ca | 32 | SHA1 (patch-da) = 1a7ecd9536340deac2945786b9faae55680525ca | |
33 | SHA1 (patch-db) = 4766f9925462023332793bcea4321072758e289d | 33 | SHA1 (patch-db) = 4766f9925462023332793bcea4321072758e289d | |
34 | SHA1 (patch-dc) = d860fe3725978227278d58f09e7d5157001e463e | 34 | SHA1 (patch-dc) = d860fe3725978227278d58f09e7d5157001e463e | |
35 | SHA1 (patch-dd) = e66d9cc0028ba922b050fc142862b4095cd018f3 | 35 | SHA1 (patch-dd) = e66d9cc0028ba922b050fc142862b4095cd018f3 | |
36 | SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d | 36 | SHA1 (patch-de) = fae94b61a430a1a7dd98c9a6a04e4513824c6d8d | |
37 | SHA1 (patch-libxl_libxl_create.c) = 02b661ca684609939c6ef762c0ddd1c5e62ad4d0 | 37 | SHA1 (patch-libxl_libxl_create.c) = 02b661ca684609939c6ef762c0ddd1c5e62ad4d0 | |
38 | SHA1 (patch-ocaml-include-path) = 959df25b0aae78d525b25f223190203d3c1185a6 | 38 | SHA1 (patch-ocaml-include-path) = 959df25b0aae78d525b25f223190203d3c1185a6 | |
39 | SHA1 (patch-qemu-e1000-CVSE-2012-0029) = 064ba74795e7a1ceb863d1f7bc171f3841c81b8a | |||
39 | SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5 | 40 | SHA1 (patch-qemu-phy-devices) = fef90e50ef0a58db2f2b49b6c23218f371791de5 | |
40 | SHA1 (patch-xenstore_Makefile) = 4fa0ed7b76a96011c3cca9c5017be4b5151489f7 | 41 | SHA1 (patch-xenstore_Makefile) = 4fa0ed7b76a96011c3cca9c5017be4b5151489f7 |
$NetBSD: patch-qemu-e1000-CVSE-2012-0029,v 1.1.2.2 2012/02/04 12:42:21 tron Exp $
From 3cf61880403b4e484539596a95937cc066243388 Mon Sep 17 00:00:00 2001
From: Ian Campbell <Ian.Campbell@citrix.com>
Date: Thu, 2 Feb 2012 13:47:06 +0000
Subject: [PATCH] e1000: bounds packet size against buffer size
Otherwise we can write beyond the buffer and corrupt memory. This is tracked
as CVE-2012-0029.
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(Backported from qemu upstream 65f82df0d7a71ce1b10cd4c5ab08888d176ac840
by Ian Campbell.)
Signed-off-by: Ian Campbell <Ian.Campbell@citrix.com>
(cherry picked from commit ebe37b2a3f844bad02dcc30d081f39eda06118f8)
---
hw/e1000.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/hw/e1000.c b/hw/e1000.c
index bb3689e..97104ed 100644
--- ioemu-qemu-xen/hw/e1000.c.orig
+++ ioemu-qemu-xen/hw/e1000.c
@@ -444,6 +444,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
bytes = split_size;
if (tp->size + bytes > msh)
bytes = msh - tp->size;
+
+ bytes = MIN(sizeof(tp->data) - tp->size, bytes);
cpu_physical_memory_read(addr, tp->data + tp->size, bytes);
if ((sz = tp->size + bytes) >= hdr && tp->size < hdr)
memmove(tp->header, tp->data, hdr);
@@ -459,6 +461,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
// context descriptor TSE is not set, while data descriptor TSE is set
DBGOUT(TXERR, "TCP segmentaion Error\n");
} else {
+ split_size = MIN(sizeof(tp->data) - tp->size, split_size);
cpu_physical_memory_read(addr, tp->data + tp->size, split_size);
tp->size += split_size;
}
--
1.7.2.5