import qemu-kvm-4.2.0-34.module+el8.3.0+10437+1ca0c2ba.5

This commit is contained in:
CentOS Sources 2021-04-05 12:21:10 -04:00 committed by Andrew Lukoshko
parent fe4e4a7015
commit e4a323cc3f
2 changed files with 56 additions and 1 deletions

View File

@ -0,0 +1,48 @@
From 202f3d96a327b1fd7f9f15a692b946e81e855456 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 19 Jan 2021 22:59:56 -0500
Subject: [PATCH] Drop bogus IPv6 messages
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210119225956.1346483-2-jmaloy@redhat.com>
Patchwork-id: 100693
O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 1/1] Drop bogus IPv6 messages
Bugzilla: 1939493
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Ralf Haferkamp <rhafer@suse.com>
Drop IPv6 message shorter than what's mentioned in the payload
length header (+ the size of the IPv6 header). They're invalid an could
lead to data leakage in icmp6_send_echoreply().
(cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
slirp/src/ip6_input.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
index d9d2b7e9cd..0f2b17853a 100644
--- a/slirp/src/ip6_input.c
+++ b/slirp/src/ip6_input.c
@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
goto bad;
}
+ // Check if the message size is big enough to hold what's
+ // set in the payload length header. If not this is an invalid
+ // packet
+ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+ goto bad;
+ }
+
/* check ip_ttl for a correct ICMP reply */
if (ip6->ip_hl == 0) {
icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
--
2.27.0

View File

@ -67,7 +67,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 4.2.0
Release: 34%{?dist}.4
Release: 34%{?dist}.5
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -968,6 +968,8 @@ Patch405: kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch
Patch406: kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch
# For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z]
Patch407: kvm-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch
# For bz#1939493 - CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z]
Patch408: kvm-Drop-bogus-IPv6-messages.patch
BuildRequires: wget
BuildRequires: rpm-build
@ -1903,6 +1905,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Mon Mar 22 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-34.el8_3.5
- kvm-Drop-bogus-IPv6-messages.patch [bz#1939493]
- Resolves: bz#1939493
(CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z])
* Wed Feb 10 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-34.el8_3.4
- kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch [bz#1919109]
- kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch [bz#1919109]