[Pkg-xen-changes] r1099 - in branches/wheezy/xen/debian: . patches
Bastian Blank
waldi at alioth.debian.org
Fri Sep 7 17:38:59 UTC 2012
Author: waldi
Date: Fri Sep 7 17:38:58 2012
New Revision: 1099
Log:
* debian/changelog: Update.
* debian/patches: Add security fix.
Added:
branches/wheezy/xen/debian/patches/CVE-2012-4411
Modified:
branches/wheezy/xen/debian/changelog
branches/wheezy/xen/debian/patches/series
Modified: branches/wheezy/xen/debian/changelog
==============================================================================
--- branches/wheezy/xen/debian/changelog Fri Sep 7 16:05:34 2012 (r1098)
+++ branches/wheezy/xen/debian/changelog Fri Sep 7 17:38:58 2012 (r1099)
@@ -10,6 +10,8 @@
CVE-2012-3498
* Properly check bounds while setting the cursor in qemu.
CVE-2012-3515
+ * Disable monitor in qemu by default.
+ CVE-2012-4411
-- Bastian Blank <waldi at debian.org> Wed, 05 Sep 2012 18:23:55 +0200
Added: branches/wheezy/xen/debian/patches/CVE-2012-4411
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ branches/wheezy/xen/debian/patches/CVE-2012-4411 Fri Sep 7 17:38:58 2012 (r1099)
@@ -0,0 +1,31 @@
+commit d7d453f51459b591faa96d1c123b5bfff7c5b6b6
+Author: Ian Jackson <ian.jackson at eu.citrix.com>
+Date: Thu Sep 6 17:05:30 2012 +0100
+
+ Disable qemu monitor by default. The qemu monitor is an overly
+ powerful feature which must be protected from untrusted (guest)
+ administrators.
+
+ Neither xl nor xend expect qemu to produce this monitor unless it is
+ explicitly requested.
+
+ This is a security problem, XSA-19. Previously it was CVE-2007-0998
+ in Red Hat but we haven't dealt with it in upstream. We hope to have
+ a new CVE for it here but we don't have one yet.
+
+ Signed-off-by: Ian Jackson <ian.jackson at eu.citrix.com>
+ (cherry picked from commit bacc0d302445c75f18f4c826750fb5853b60e7ca)
+
+diff --git a/vl.c b/vl.c
+index f07a659..686a9bd 100644
+--- a/qemu/vl.c
++++ b/qemu/vl.c
+@@ -4910,7 +4910,7 @@ int main(int argc, char **argv, char **envp)
+ kernel_cmdline = "";
+ cyls = heads = secs = 0;
+ translation = BIOS_ATA_TRANSLATION_AUTO;
+- monitor_device = "vc:80Cx24C";
++ monitor_device = "null";
+
+ serial_devices[0] = "vc:80Cx24C";
+ for(i = 1; i < MAX_SERIAL_PORTS; i++)
Modified: branches/wheezy/xen/debian/patches/series
==============================================================================
--- branches/wheezy/xen/debian/patches/series Fri Sep 7 16:05:34 2012 (r1098)
+++ branches/wheezy/xen/debian/patches/series Fri Sep 7 17:38:58 2012 (r1099)
@@ -9,6 +9,7 @@
CVE-2012-3496
CVE-2012-3498
CVE-2012-3515
+CVE-2012-4411
xen-x86-interrupt-pointer-missmatch.diff
More information about the Pkg-xen-changes
mailing list