* Thu Sep 28 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-40
- kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch [bz#2218488] - Resolves: bz#2218488 (CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8])
This commit is contained in:
Jon Maloy
parent
fd7488b82b
commit
5d18fc78b6
|
|
@ -0,0 +1,76 @@
|
|||
From efbf51a42b51665fd70ea49b9c583a208cfd2deb Mon Sep 17 00:00:00 2001
|
||||
From: Jon Maloy <jmaloy@redhat.com>
|
||||
Date: Tue, 4 Jul 2023 10:41:22 +0200
|
||||
Subject: [PATCH] ui/vnc-clipboard: fix infinite loop in inflate_buffer
|
||||
(CVE-2023-3255)
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
RH-Author: Jon Maloy <jmaloy@redhat.com>
|
||||
RH-MergeRequest: 316: ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
|
||||
RH-Bugzilla: 2218488
|
||||
RH-Acked-by: Mauro Matteo Cascella <None>
|
||||
RH-Commit: [1/1] f3cb05fb6e40261da5fe10f003fa3e57920469bb (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
|
||||
|
||||
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2218488
|
||||
CVE: CVE-2023-3255
|
||||
Upstream: Merged
|
||||
|
||||
commit d921fea338c1059a27ce7b75309d7a2e485f710b
|
||||
Author: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Date: Tue Jul 4 10:41:22 2023 +0200
|
||||
|
||||
ui/vnc-clipboard: fix infinite loop in inflate_buffer (CVE-2023-3255)
|
||||
|
||||
A wrong exit condition may lead to an infinite loop when inflating a
|
||||
valid zlib buffer containing some extra bytes in the `inflate_buffer`
|
||||
function. The bug only occurs post-authentication. Return the buffer
|
||||
immediately if the end of the compressed data has been reached
|
||||
(Z_STREAM_END).
|
||||
|
||||
Fixes: CVE-2023-3255
|
||||
Fixes: 0bf41cab ("ui/vnc: clipboard support")
|
||||
Reported-by: Kevin Denis <kevin.denis@synacktiv.com>
|
||||
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Tested-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-ID: <20230704084210.101822-1-mcascell@redhat.com>
|
||||
|
||||
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
|
||||
---
|
||||
ui/vnc-clipboard.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
|
||||
index 67284b556c..c84599cfdb 100644
|
||||
--- a/ui/vnc-clipboard.c
|
||||
+++ b/ui/vnc-clipboard.c
|
||||
@@ -51,8 +51,11 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
||||
ret = inflate(&stream, Z_FINISH);
|
||||
switch (ret) {
|
||||
case Z_OK:
|
||||
- case Z_STREAM_END:
|
||||
break;
|
||||
+ case Z_STREAM_END:
|
||||
+ *size = stream.total_out;
|
||||
+ inflateEnd(&stream);
|
||||
+ return out;
|
||||
case Z_BUF_ERROR:
|
||||
out_len <<= 1;
|
||||
if (out_len > (1 << 20)) {
|
||||
@@ -67,11 +70,6 @@ static uint8_t *inflate_buffer(uint8_t *in, uint32_t in_len, uint32_t *size)
|
||||
}
|
||||
}
|
||||
|
||||
- *size = stream.total_out;
|
||||
- inflateEnd(&stream);
|
||||
-
|
||||
- return out;
|
||||
-
|
||||
err_end:
|
||||
inflateEnd(&stream);
|
||||
err:
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
|
|||
Summary: QEMU is a machine emulator and virtualizer
|
||||
Name: qemu-kvm
|
||||
Version: 6.2.0
|
||||
Release: 39%{?rcrel}%{?dist}
|
||||
Release: 40%{?rcrel}%{?dist}
|
||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||
Epoch: 15
|
||||
License: GPLv2 and GPLv2+ and CC-BY
|
||||
|
|
@ -781,6 +781,8 @@ Patch309: kvm-i386-cpu-Update-how-the-EBX-register-of-CPUID-0x8000.patch
|
|||
Patch310: kvm-target-i386-kvm-Fix-disabling-MPX-on-cpu-host-with-M.patch
|
||||
# For bz#2215786 - CVE-2023-3301 virt:rhel/qemu-kvm: QEMU: net: triggerable assertion due to race condition in hot-unplug [rhel-8]
|
||||
Patch311: kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch
|
||||
# For bz#2218488 - CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8]
|
||||
Patch312: kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch
|
||||
|
||||
BuildRequires: wget
|
||||
BuildRequires: rpm-build
|
||||
|
|
@ -1950,6 +1952,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Sep 28 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-40
|
||||
- kvm-ui-vnc-clipboard-fix-infinite-loop-in-inflate_buffer.patch [bz#2218488]
|
||||
- Resolves: bz#2218488
|
||||
(CVE-2023-3255 virt:rhel/qemu-kvm: QEMU: VNC: infinite loop in inflate_buffer() leads to denial of service [rhel-8])
|
||||
|
||||
* Mon Aug 28 2023 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-39
|
||||
- kvm-vhost-vdpa-do-not-cleanup-the-vdpa-vhost-net-structu.patch [bz#2215786]
|
||||
- Resolves: bz#2215786
|
||||
|
|
|
|||
Loading…
Reference in New Issue