From e4a323cc3f00d34d9d40de07b6af53fa6581075e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 5 Apr 2021 12:21:10 -0400 Subject: [PATCH] import qemu-kvm-4.2.0-34.module+el8.3.0+10437+1ca0c2ba.5 --- SOURCES/kvm-Drop-bogus-IPv6-messages.patch | 48 ++++++++++++++++++++++ SPECS/qemu-kvm.spec | 9 +++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 SOURCES/kvm-Drop-bogus-IPv6-messages.patch diff --git a/SOURCES/kvm-Drop-bogus-IPv6-messages.patch b/SOURCES/kvm-Drop-bogus-IPv6-messages.patch new file mode 100644 index 0000000..4d6c9ed --- /dev/null +++ b/SOURCES/kvm-Drop-bogus-IPv6-messages.patch 
@@ -0,0 +1,48 @@ +From 202f3d96a327b1fd7f9f15a692b946e81e855456 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 19 Jan 2021 22:59:56 -0500 +Subject: [PATCH] Drop bogus IPv6 messages + +RH-Author: Jon Maloy +Message-id: <20210119225956.1346483-2-jmaloy@redhat.com> +Patchwork-id: 100693 +O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 1/1] Drop bogus IPv6 messages +Bugzilla: 1939493 +RH-Acked-by: Danilo de Paula +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Thomas Huth + +From: Ralf Haferkamp + +Drop IPv6 message shorter than what's mentioned in the payload +length header (+ the size of the IPv6 header). They're invalid an could +lead to data leakage in icmp6_send_echoreply(). + +(cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + slirp/src/ip6_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index d9d2b7e9cd..0f2b17853a 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m) + goto bad; + } + ++ // Check if the message size is big enough to hold what's ++ // set in the payload length header. If not this is an invalid ++ // packet ++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { ++ goto bad; ++ } ++ + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +2.27.0 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 2ca1028..7642e3f 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -67,7 +67,7 @@ Obsoletes: %1-rhev Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 34%{?dist}.4 +Release: 34%{?dist}.5 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY 
@@ -968,6 +968,8 @@ Patch405: kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch Patch406: kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch # For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z] Patch407: kvm-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch +# For bz#1939493 - CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z] +Patch408: kvm-Drop-bogus-IPv6-messages.patch BuildRequires: wget BuildRequires: rpm-build @@ -1903,6 +1905,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Mon Mar 22 2021 Danilo Cesar Lemes de Paula - 4.2.0-34.el8_3.5 +- kvm-Drop-bogus-IPv6-messages.patch [bz#1939493] +- Resolves: bz#1939493 + (CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z]) + * Wed Feb 10 2021 Jon Maloy - 4.2.0-34.el8_3.4 - kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch [bz#1919109] - kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch [bz#1919109]
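Review bot: In the embedded ip6_input.c hunk, the new comment block uses `//` line comments while the adjacent comment in the same function (`/* check ip_ttl for a correct ICMP reply */`) uses `/* */`; match the file's existing style and end the sentence ("If not this is an invalid packet") with a period. The check itself, `m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)`, correctly rejects packets whose buffer is shorter than the declared payload plus the fixed 40-byte base header before any later code trusts `ip_pl`, and it sits before the hop-limit ICMP error path so no reply is built from a truncated packet. One documentation gap: the patch header cites Bugzilla 1939493 but never names CVE-2020-10756, which the spec file attaches to this change; adding the CVE id to the Subject or body would make the backport traceable without the spec.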
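Review bot: The `# For bz#1939493` comment introducing Patch408 carries the `[rhel-8.3.0.z]` suffix twice (`... information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z]`); drop the duplicate so the line matches the single-suffix form used for Patch407 directly above it. The Bugzilla number agrees with the `Bugzilla: 1939493` field in the patch header, and the Patch408 numbering follows Patch407 without a gap.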
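Review bot: The new `%changelog` entry repeats the same doubled `[rhel-8.3.0.z] [rhel-8.3.0.z]` suffix in its `Resolves:` line; trim it to one occurrence for consistency with earlier entries. The entry's version string `4.2.0-34.el8_3.5` is consistent with the `Release: 34%{?dist}.5` bump in the first spec hunk, and the listed patch file name matches the `Patch408:` line, so the three spec hunks are in agreement.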