import qemu-kvm-4.2.0-34.module+el8.3.0+10437+1ca0c2ba.5

2021-04-05 12:21:10 -04:00 · 2021-04-05 12:21:10 -04:00 · e4a323cc3f
commit e4a323cc3f
parent fe4e4a7015
2 changed files with 56 additions and 1 deletions
--- a/SOURCES/kvm-Drop-bogus-IPv6-messages.patch
+++ b/SOURCES/kvm-Drop-bogus-IPv6-messages.patch
@ -0,0 +1,48 @@
 From 202f3d96a327b1fd7f9f15a692b946e81e855456 Mon Sep 17 00:00:00 2001
 From: Jon Maloy <jmaloy@redhat.com>
 Date: Tue, 19 Jan 2021 22:59:56 -0500
 Subject: [PATCH] Drop bogus IPv6 messages
 RH-Author: Jon Maloy <jmaloy@redhat.com>
 Message-id: <20210119225956.1346483-2-jmaloy@redhat.com>
 Patchwork-id: 100693
 O-Subject: [RHEL-8.3.0.z qemu-kvm PATCH 1/1] Drop bogus IPv6 messages
 Bugzilla: 1939493
 RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
 RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
 RH-Acked-by: Thomas Huth <thuth@redhat.com>
 From: Ralf Haferkamp <rhafer@suse.com>
 Drop IPv6 message shorter than what's mentioned in the payload
 length header (+ the size of the IPv6 header). They're invalid an could
 lead to data leakage in icmp6_send_echoreply().
 (cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0)
 Signed-off-by: Jon Maloy <jmaloy@redhat.com>
 Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
 ---
 slirp/src/ip6_input.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
 index d9d2b7e9cd..0f2b17853a 100644
 --- a/slirp/src/ip6_input.c
 +++ b/slirp/src/ip6_input.c
@@ -49,6 +49,13 @@ void ip6_input(struct mbuf *m)
         goto bad;
     }
 +    // Check if the message size is big enough to hold what's
 +    // set in the payload length header. If not this is an invalid
 +    // packet
 +    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
 +        goto bad;
 +    }
 +
     /* check ip_ttl for a correct ICMP reply */
     if (ip6->ip_hl == 0) {
         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
 -- 
 2.27.0
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.2.0
-Release: 34%{?dist}.4
+Release: 34%{?dist}.5
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -968,6 +968,8 @@ Patch405: kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch
 Patch406: kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch
 # For bz#1919109 - CVE-2020-35517 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privileged host device access from guest [rhel-8.3.0.z]
 Patch407: kvm-virtiofsd-prevent-opening-of-special-files-CVE-2020-.patch
 # For bz#1939493 - CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z]
 Patch408: kvm-Drop-bogus-IPv6-messages.patch
 BuildRequires: wget
 BuildRequires: rpm-build
@ -1903,6 +1905,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %changelog
 * Mon Mar 22 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-34.el8_3.5
 - kvm-Drop-bogus-IPv6-messages.patch [bz#1939493]
 - Resolves: bz#1939493
  (CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-8.3.0.z] [rhel-8.3.0.z])
 * Wed Feb 10 2021 Jon Maloy <jmaloy@redhat.com> - 4.2.0-34.el8_3.4
 - kvm-virtiofsd-extract-lo_do_open-from-lo_open.patch [bz#1919109]
 - kvm-virtiofsd-optionally-return-inode-pointer-from-lo_do.patch [bz#1919109]