diff --git a/qemu.spec b/qemu.spec index 74162a1452e2384333f19e7b15cdd56a6b783efa..80dc052c09137643a7393e5671e47c4c4c41a95e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 23 +Release: 24 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -228,6 +228,7 @@ Patch0215: target-arm-Update-ID-fields.patch Patch0216: target-arm-Add-more-CPU-features.patch Patch0217: hw-usb-core-fix-buffer-overflow.patch Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch +Patch0219: slirp-networking-fix-out-of-bounds-read-information.patch BuildRequires: flex BuildRequires: bison @@ -574,6 +575,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 11 2020 Huawei Technologies Co., Ltd +- slirp/src/ip6_input.c: fix out-of-bounds read information vulnerability + * Tue Sep 08 2020 Huawei Technologies Co., Ltd - target/arm: ignore evtstrm and cpuid CPU features diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/slirp-networking-fix-out-of-bounds-read-information.patch new file mode 100644 index 0000000000000000000000000000000000000000..e5a19147124c961809f5fe4008e944103b3505af --- /dev/null +++ b/slirp-networking-fix-out-of-bounds-read-information.patch 
@@ -0,0 +1,36 @@
+From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001
+From: Jiajie Li
+Date: Thu, 10 Sep 2020 10:49:36 +0800
+Subject: [PATCH] Init slirp/src/ip6_input.c
+
+Drop Ipv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). Ther're invalid and could
+lead to data leakage in icmp6_send_echoreply().
+
+Signed-off-by Ralf Haferkamp
+
+---
+ slirp/src/ip6_input.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index c966d91..d9d2b7e 100644
+--- a/slirp/src/ip6_input.c
++++ b/slirp/src/ip6_input.c
+@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+
+- // Check if the message size is big enough to hold what's
+- // set in the payload length header. If not this is an invalid
+- // packet
+- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){
+- goto bad;
+- }
+-
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+1.8.3.1
+
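Review bot: The embedded patch removes the payload-length check in ip6_input() instead of adding it. Its diffstat reads "7 deletions(-)" and its hunk header is `-49,13 +49,6`, so the guard `if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){ goto bad; }` sits on the removed side. That contradicts both the patch description and the new %changelog entry, which present dropping short IPv6 messages as the fix for the leak in icmp6_send_echoreply(). The patch direction looks reversed, so please regenerate it so that the seven lines are additions (`-49,6 +49,13`), then confirm in the %prep log that Patch0219 applies cleanly and the check is present in the built tree. The rest of ip6_input() lies outside the hunk, so whether another length validation exists there cannot be judged from this page.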