[Pkg-xen-changes] r603 - in branches/etch/xen-3.0/debian: . patches

Bastian Blank waldi at alioth.debian.org
Tue Jul 15 19:02:00 UTC 2008


Author: waldi
Date: Tue Jul 15 19:02:00 2008
New Revision: 603

Log:
Fix CVE-2007-5730.

* debian/changelog: Update.
* debian/patches/00list: Add new patch.
* debian/patches/CVE-2007-5730.dpatch: Add.


Added:
   branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch   (contents, props changed)
Modified:
   branches/etch/xen-3.0/debian/changelog
   branches/etch/xen-3.0/debian/patches/00list

Modified: branches/etch/xen-3.0/debian/changelog
==============================================================================
--- branches/etch/xen-3.0/debian/changelog	(original)
+++ branches/etch/xen-3.0/debian/changelog	Tue Jul 15 19:02:00 2008
@@ -2,6 +2,8 @@
 
   * Disable access to the qemu monitor.
     See: CVE-2007-0998
+  * Fix heap overflow in network handling.
+    See: CVE-2007-5730
   * Clear debug registers for HVM guests.
     See: CVE-2007-5906
   * Fix range checks in ioemu block support.

Modified: branches/etch/xen-3.0/debian/patches/00list
==============================================================================
--- branches/etch/xen-3.0/debian/patches/00list	(original)
+++ branches/etch/xen-3.0/debian/patches/00list	Tue Jul 15 19:02:00 2008
@@ -14,3 +14,4 @@
 CVE-2008-0928
 CVE-2008-2004
 CVE-2007-0998
+CVE-2007-5730

Added: branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch
==============================================================================
--- (empty file)
+++ branches/etch/xen-3.0/debian/patches/CVE-2007-5730.dpatch	Tue Jul 15 19:02:00 2008
@@ -0,0 +1,44 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -r e63d316ff894 -r 02b4247ef707 tools/ioemu/vl.c
+--- a/tools/ioemu/vl.c	Tue Jul 15 20:17:06 2008 +0200
++++ b/tools/ioemu/vl.c	Tue Jul 15 20:57:15 2008 +0200
+@@ -3233,8 +3233,8 @@ typedef struct NetSocketState {
+     VLANClientState *vc;
+     int fd;
+     int state; /* 0 = getting length, 1 = getting data */
+-    int index;
+-    int packet_len;
++    unsigned int index;
++    unsigned int packet_len;
+     uint8_t buf[4096];
+     struct sockaddr_in dgram_dst; /* contains inet host and port destination iff connectionless (SOCK_DGRAM) */
+ } NetSocketState;
+@@ -3265,7 +3265,8 @@ static void net_socket_send(void *opaque
+ static void net_socket_send(void *opaque)
+ {
+     NetSocketState *s = opaque;
+-    int l, size, err;
++    int size, err;
++    unsigned l;
+     uint8_t buf1[4096];
+     const uint8_t *buf;
+ 
+@@ -3304,7 +3305,15 @@ static void net_socket_send(void *opaque
+             l = s->packet_len - s->index;
+             if (l > size)
+                 l = size;
+-            memcpy(s->buf + s->index, buf, l);
++            if (s->index + l <= sizeof(s->buf)) {
++                memcpy(s->buf + s->index, buf, l);
++            } else {
++                fprintf(stderr, "serious error: oversized packet received,"
++                    "connection terminated.\n");
++                s->state = 0;
++                goto eoc;
++            }
++
+             s->index += l;
+             buf += l;
+             size -= l;
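Review bot: The oversized-packet branch sets `s->state = 0` but leaves `s->index` at its old value before `goto eoc`, so the reassembly state is inconsistent if this NetSocketState is ever serviced again; now that `index` is unsigned, any length-phase arithmetic on it would wrap instead of going negative. Adding `s->index = 0;` next to `s->state = 0;` leaves the struct in a clean "getting length" state; what the `eoc` label does lies outside the hunk, so whether re-entry is possible cannot be seen here. The guard also fires only when a copy would pass the end of `s->buf`, so an oversized `packet_len` is accepted and partly buffered first; rejecting `packet_len > sizeof(s->buf)` where the length is parsed (outside this hunk) would fail earlier and make the intent explicit. The two `fprintf` string literals concatenate without a space and print `received,connection terminated.`; ending the first literal with `received, "` fixes that.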


