[qemu/f16] CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)

Cole Robinson crobinso at fedoraproject.org
Sun Oct 7 20:45:16 UTC 2012


commit 495677c360836057bdfccfc3b65f2e35893dc0c2
Author: Cole Robinson <crobinso at redhat.com>
Date:   Sun Oct 7 16:45:12 2012 -0400

    CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)

 ...nds-check-whenever-changing-the-cursor-du.patch |  133 ++++++++++++++++++++
 qemu.spec                                          |    8 +-
 2 files changed, 140 insertions(+), 1 deletions(-)
---
diff --git a/0244-console-bounds-check-whenever-changing-the-cursor-du.patch b/0244-console-bounds-check-whenever-changing-the-cursor-du.patch
new file mode 100644
index 0000000..1e82ffd
--- /dev/null
+++ b/0244-console-bounds-check-whenever-changing-the-cursor-du.patch
@@ -0,0 +1,133 @@
+From 840031ac0f74c51622490bb72e6671f7e35b95ff Mon Sep 17 00:00:00 2001
+Message-Id: <840031ac0f74c51622490bb72e6671f7e35b95ff.1349642201.git.crobinso at redhat.com>
+From: Ian Campbell <ian.campbell at citrix.com>
+Date: Tue, 4 Sep 2012 10:26:09 -0500
+Subject: [PATCH] console: bounds check whenever changing the cursor due to an
+ escape code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This is XSA-17 / CVE-2012-3515
+
+Signed-off-by: Ian Campbell <ian.campbell at citrix.com>
+Signed-off-by: Anthony Liguori <aliguori at us.ibm.com>
+(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)
+
+[AF: Resolves BNC#777084]
+Signed-off-by: Andreas Färber <afaerber at suse.de>
+Signed-off-by: Cole Robinson <crobinso at redhat.com>
+---
+ console.c | 57 ++++++++++++++++++++++++++++-----------------------------
+ 1 file changed, 28 insertions(+), 29 deletions(-)
+
+diff --git a/console.c b/console.c
+index 07c82b8..f9eb5a1 100644
+--- a/console.c
++++ b/console.c
+@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
+     update_xy(s, x, y);
+ }
+ 
++/* set cursor, checking bounds */
++static void set_cursor(TextConsole *s, int x, int y)
++{
++    if (x < 0) {
++        x = 0;
++    }
++    if (y < 0) {
++        y = 0;
++    }
++    if (y >= s->height) {
++        y = s->height - 1;
++    }
++    if (x >= s->width) {
++        x = s->width - 1;
++    }
++
++    s->x = x;
++    s->y = y;
++}
++
+ static void console_putchar(TextConsole *s, int ch)
+ {
+     TextCell *c;
+@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
+                     s->esc_params[s->nb_esc_params] * 10 + ch - '0';
+             }
+         } else {
+-            s->nb_esc_params++;
++            if (s->nb_esc_params < MAX_ESC_PARAMS)
++                s->nb_esc_params++;
+             if (ch == ';')
+                 break;
+ #ifdef DEBUG_CONSOLE
+@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->y -= s->esc_params[0];
+-                if (s->y < 0) {
+-                    s->y = 0;
+-                }
++                set_cursor(s, s->x, s->y - s->esc_params[0]);
+                 break;
+             case 'B':
+                 /* move cursor down */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->y += s->esc_params[0];
+-                if (s->y >= s->height) {
+-                    s->y = s->height - 1;
+-                }
++                set_cursor(s, s->x, s->y + s->esc_params[0]);
+                 break;
+             case 'C':
+                 /* move cursor right */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->x += s->esc_params[0];
+-                if (s->x >= s->width) {
+-                    s->x = s->width - 1;
+-                }
++                set_cursor(s, s->x + s->esc_params[0], s->y);
+                 break;
+             case 'D':
+                 /* move cursor left */
+                 if (s->esc_params[0] == 0) {
+                     s->esc_params[0] = 1;
+                 }
+-                s->x -= s->esc_params[0];
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
++                set_cursor(s, s->x - s->esc_params[0], s->y);
+                 break;
+             case 'G':
+                 /* move cursor to column */
+-                s->x = s->esc_params[0] - 1;
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
++                set_cursor(s, s->esc_params[0] - 1, s->y);
+                 break;
+             case 'f':
+             case 'H':
+                 /* move cursor to row, column */
+-                s->x = s->esc_params[1] - 1;
+-                if (s->x < 0) {
+-                    s->x = 0;
+-                }
+-                s->y = s->esc_params[0] - 1;
+-                if (s->y < 0) {
+-                    s->y = 0;
+-                }
++                set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
+                 break;
+             case 'J':
+                 switch (s->esc_params[0]) {
+-- 
+1.7.11.4
+
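Review bot: The digit accumulation at the top of the second embedded console.c hunk, `s->esc_params[s->nb_esc_params] * 10 + ch - '0';`, can still overflow a signed int on a long run of digits, which is undefined behaviour even though the new set_cursor() clamps whatever value eventually reaches it. The guard enclosing that statement starts outside the hunk and the declared type of esc_params is not visible here, so this is inferred from the arithmetic. Saturating the parameter at accumulation time, e.g. wrapping the update in `if (s->esc_params[s->nb_esc_params] <= (INT_MAX - 9) / 10)`, would remove the reliance on wraparound rather than on the later clamp. Separately, the new `if (s->nb_esc_params < MAX_ESC_PARAMS)` in that hunk is unbraced while the added set_cursor() braces every single-statement body; `if (s->nb_esc_params < MAX_ESC_PARAMS) { s->nb_esc_params++; }` would match the rest of the added code and QEMU's brace convention.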
diff --git a/qemu.spec b/qemu.spec
index 86918a3..d4de9de 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,7 +1,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 0.15.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
@@ -133,6 +133,8 @@ Patch241: %{name}-fix-systemtap.patch
 Patch242: %{name}-spice-server-threading.patch
 # Fix text mode screendumps (bz 819155)
 Patch243: %{name}-fix-text-mode-screendumps.patch
+# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
+Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
@@ -435,6 +437,7 @@ such as kvm_stat.
 %patch241 -p1
 %patch242 -p1
 %patch243 -p1
+%patch244 -p1
 
 %build
 # By default we build everything, but allow x86 to build a minimal version
@@ -823,6 +826,9 @@ fi
 %{_mandir}/man1/qemu-img.1*
 
 %changelog
+* Sun Oct 07 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-8
+- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
+
 * Sun Jul 29 2012 Cole Robinson <crobinso at redhat.com> - 0.15.1-7
 - Pull patches from 0.15 stable
 - CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz

