diff --git a/qemu.spec b/qemu.spec index 115f3f6d189d39bddf6ebf9030cb8296ea1f14b8..ac5719a2209525363fc1bca2176eced27989e039 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 18 +Release: 19 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY @@ -184,6 +184,7 @@ Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch PATCH0174: hw-usb-core-fix-buffer-overflow.patch +Patch0175: slirp-networking-fix-out-of-bounds-read-information.patch BuildRequires: flex BuildRequires: bison @@ -529,6 +530,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Sep 11 2020 Huawei Technologies Co., Ltd +- slirp/src/ip6_input.c: fix out-of-bounds read information vulnerablity + * Thu Aug 27 2020 Huawei Technologies Co., Ltd - hw/usb/core.c: fix buffer overflow in do_token_setup function diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/slirp-networking-fix-out-of-bounds-read-information.patch new file mode 100644 index 0000000000000000000000000000000000000000..e5a19147124c961809f5fe4008e944103b3505af --- /dev/null +++ b/slirp-networking-fix-out-of-bounds-read-information.patch @@ -0,0 +1,36 @@ +From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001 +From: Jiajie Li +Date: Thu, 10 Sep 2020 10:49:36 +0800 +Subject: [PATCH] Init slirp/src/ip6_input.c + +Drop Ipv6 message shorter than what's mentioned in the payload +length header (+ the size of the IPv6 header). Ther're invalid and could +lead to data leakage in icmp6_send_echoreply(). + +Signed-off-by Ralf Haferkamp + +--- + slirp/src/ip6_input.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index c966d91..d9d2b7e 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m) + goto bad; + } + +- // Check if the message size is big enough to hold what's +- // set in the payload length header. If not this is an invalid +- // packet +- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){ +- goto bad; +- } +- + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +1.8.3.1 +