[Pkg-xen-changes] r603 - in branches/etch/xen-3.0/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Tue Jul 15 19:02:00 UTC 2008
Author: waldi
Date: Tue Jul 15 19:02:00 2008
New Revision: 603
Log:
Fix CVE-2007-5730.
* debian/changelog: Update.
* debian/patches/00list: Add new patch.
* debian/patches/CVE-2007-5730.dpatch: Add.
Added:
branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch (contents, props changed)
Modified:
branches/etch/xen-3.0/debian/changelog
branches/etch/xen-3.0/debian/patches/00list
Modified: branches/etch/xen-3.0/debian/changelog
==============================================================================
--- branches/etch/xen-3.0/debian/changelog (original)
+++ branches/etch/xen-3.0/debian/changelog Tue Jul 15 19:02:00 2008
@@ -2,6 +2,8 @@
* Disable access to the qemu monitor.
See: CVE-2007-0998
+ * Fix heap overflow in network handling.
+ See: CVE-2007-5730
* Clear debug registers for HVM guests.
See: CVE-2007-5906
* Fix range checks in ioemu block support.
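Review bot: The new changelog entry says only "network handling", while the neighbouring entry names its component ("ioemu block support"). The patch added in this revision touches net_socket_send() in tools/ioemu/vl.c, so wording such as "Fix heap overflow in ioemu net socket handling" would let a reader map the entry to the affected code without opening the dpatch.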
Modified: branches/etch/xen-3.0/debian/patches/00list
==============================================================================
--- branches/etch/xen-3.0/debian/patches/00list (original)
+++ branches/etch/xen-3.0/debian/patches/00list Tue Jul 15 19:02:00 2008
@@ -14,3 +14,4 @@
CVE-2008-0928
CVE-2008-2004
CVE-2007-0998
+CVE-2007-5730
Added: branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch
==============================================================================
--- (empty file)
+++ branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch Tue Jul 15 19:02:00 2008
@@ -0,0 +1,44 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -r e63d316ff894 -r 02b4247ef707 tools/ioemu/vl.c
+--- a/tools/ioemu/vl.c Tue Jul 15 20:17:06 2008 +0200
++++ b/tools/ioemu/vl.c Tue Jul 15 20:57:15 2008 +0200
+@@ -3233,8 +3233,8 @@ typedef struct NetSocketState {
+ VLANClientState *vc;
+ int fd;
+ int state; /* 0 = getting length, 1 = getting data */
+- int index;
+- int packet_len;
++ unsigned int index;
++ unsigned int packet_len;
+ uint8_t buf[4096];
+ struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
+ } NetSocketState;
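Review bot: Changing index and packet_len to unsigned int rules out negative values, but no hunk in this patch bounds packet_len against sizeof(buf) (4096) at the point where the length is read (state 0 per the field comment). Rejecting an oversized length as soon as it is parsed would fail before any data is accepted, rather than relying only on the copy-time check added further down; a short comment on the two fields stating the invariant (index <= packet_len <= sizeof(buf)) would also document what the later check enforces.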
+@@ -3265,7 +3265,8 @@ static void net_socket_send(void *opaque
+ static void net_socket_send(void *opaque)
+ {
+ NetSocketState *s = opaque;
+- int l, size, err;
++ int size, err;
++ unsigned l;
+ uint8_t buf1[4096];
+ const uint8_t *buf;
+
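Review bot: With l now declared unsigned and size left as int, the later comparison "if (l > size)" becomes a mixed signed/unsigned comparison in which size is converted to unsigned. That is harmless only while size is known to be positive at that point, which this hunk does not show; either make size unsigned once the receive error handling is done, or cast explicitly at the comparison so the intent is visible. As a style point, the struct fields use "unsigned int" while this declaration uses bare "unsigned"; pick one spelling.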
+@@ -3304,7 +3305,15 @@ static void net_socket_send(void *opaque
+ l = s->packet_len - s->index;
+ if (l > size)
+ l = size;
+- memcpy(s->buf + s->index, buf, l);
++ if (s->index + l <= sizeof(s->buf)) {
++ memcpy(s->buf + s->index, buf, l);
++ } else {
++ fprintf(stderr, "serious error: oversized packet received,"
++ "connection terminated.\n");
++ s->state = 0;
++ goto eoc;
++ }
++
+ s->index += l;
+ buf += l;
+ size -= l;
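Review bot: On the new error path only s->state is reset before "goto eoc"; s->index and s->packet_len keep their stale values, and the eoc label is outside the visible lines, so please confirm that it actually closes the socket as the message "connection terminated" claims and that no later call can resume with the old index. Two smaller points in the same hunk: l is still computed as s->packet_len - s->index in unsigned arithmetic, which wraps if index ever exceeds packet_len (the clamp to size limits the result, but a comment or an explicit check would make that clear), and the two adjacent string literals in the fprintf concatenate to "received,connection terminated." with no space after the comma.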