rpms/xen/F-7 pygrub-dont-exec.patch, NONE, 1.1 xen-qemu-ne2000-CVE-2007-1321.patch, NONE, 1.1 xen.spec, 1.185, 1.186

Wed Sep 26 16:39:18 UTC 2007

Author: clalance

Update of /cvs/pkgs/rpms/xen/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28794

Modified Files:
	xen.spec 
Added Files:
	pygrub-dont-exec.patch xen-qemu-ne2000-CVE-2007-1321.patch 
Log Message:
- Fixes for CVE-2007-1321, CVE-2007-4993



pygrub-dont-exec.patch:

--- NEW FILE pygrub-dont-exec.patch ---
diff -up xen-3.1.0-src/tools/pygrub/src/GrubConf.py.noexec xen-3.1.0-src/tools/pygrub/src/GrubConf.py
--- xen-3.1.0-src/tools/pygrub/src/GrubConf.py.noexec	2007-09-25 15:20:14.000000000 -0400
+++ xen-3.1.0-src/tools/pygrub/src/GrubConf.py	2007-09-25 15:20:25.000000000 -0400
@@ -101,7 +101,7 @@ class GrubImage(object):
 
         if self.commands.has_key(com):
             if self.commands[com] is not None:
-                exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+                setattr(self, self.commands[com], arg.strip())
             else:
                 logging.info("Ignored image directive %s" %(com,))
         else:
@@ -142,11 +142,11 @@ class GrubImage(object):
     initrd = property(get_initrd, set_initrd)
 
     # set up command handlers
-    commands = { "title": "self.title",
-                 "root": "self.root",
-                 "rootnoverify": "self.root",
-                 "kernel": "self.kernel",
-                 "initrd": "self.initrd",
+    commands = { "title": "title",
+                 "root": "root",
+                 "rootnoverify": "root",
+                 "kernel": "kernel",
+                 "initrd": "initrd",
                  "chainloader": None,
                  "module": None}
         
@@ -195,7 +195,7 @@ class GrubConfigFile(object):
             (com, arg) = grub_exact_split(l, 2)
             if self.commands.has_key(com):
                 if self.commands[com] is not None:
-                    exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+                    setattr(self, self.commands[com], arg.strip())
                 else:
                     logging.info("Ignored directive %s" %(com,))
             else:
@@ -208,7 +208,7 @@ class GrubConfigFile(object):
         (com, arg) = grub_exact_split(line, 2)
         if self.commands.has_key(com):
             if self.commands[com] is not None:
-                exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+                setattr(self, self.commands[com], arg.strip())
             else:
                 logging.info("Ignored directive %s" %(com,))
         else:
@@ -236,12 +236,12 @@ class GrubConfigFile(object):
     splash = property(get_splash, set_splash)
 
     # set up command handlers
-    commands = { "default": "self.default",
-                 "timeout": "self.timeout",
-                 "fallback": "self.fallback",
-                 "hiddenmenu": "self.hiddenmenu",
-                 "splashimage": "self.splash",
-                 "password": "self.password" }
+    commands = { "default": "default",
+                 "timeout": "timeout",
+                 "fallback": "fallback",
+                 "hiddenmenu": "hiddenmenu",
+                 "splashimage": "splash",
+                 "password": "password" }
     for c in ("bootp", "color", "device", "dhcp", "hide", "ifconfig",
               "pager", "partnew", "parttype", "rarp", "serial",
               "setkey", "terminal", "terminfo", "tftpserver", "unhide"):
diff -up xen-3.1.0-src/tools/pygrub/src/LiloConf.py.noexec xen-3.1.0-src/tools/pygrub/src/LiloConf.py
--- xen-3.1.0-src/tools/pygrub/src/LiloConf.py.noexec	2007-09-25 15:20:18.000000000 -0400
+++ xen-3.1.0-src/tools/pygrub/src/LiloConf.py	2007-09-25 15:20:23.000000000 -0400
@@ -30,7 +30,7 @@ class LiloImage(object):
 
         if self.commands.has_key(com):
             if self.commands[com] is not None:
-                exec("%s = r\'%s\'" %(self.commands[com], re.sub('^"(.+)"$', r"\1", arg.strip())))
+                setattr(self, self.commands[com], re.sub('^"(.+)"$', r"\1", arg.strip()))
             else:
                 logging.info("Ignored image directive %s" %(com,))
         else:
@@ -56,12 +56,12 @@ class LiloImage(object):
     initrd = property(get_initrd, set_initrd)
 
     # set up command handlers
-    commands = { "label": "self.title",
-                 "root": "self.root",
-                 "rootnoverify": "self.root",
-                 "image": "self.kernel",
-                 "initrd": "self.initrd",
-                 "append": "self.args",
+    commands = { "label": "title",
+                 "root": "root",
+                 "rootnoverify": "root",
+                 "image": "kernel",
+                 "initrd": "initrd",
+                 "append": "args",
                  "read-only": None,
                  "chainloader": None,
                  "module": None}
@@ -111,7 +111,7 @@ class LiloConfigFile(object):
             (com, arg) = GrubConf.grub_exact_split(l, 2)
             if self.commands.has_key(com):
                 if self.commands[com] is not None:
-                    exec("%s = r\"%s\"" %(self.commands[com], arg.strip()))
+                    setattr(self, self.commands[com], arg.strip())
                 else:
                     logging.info("Ignored directive %s" %(com,))
             else:

xen-qemu-ne2000-CVE-2007-1321.patch:

--- NEW FILE xen-qemu-ne2000-CVE-2007-1321.patch ---
diff -up xen-3.0.3_0-src/tools/ioemu/hw/ne2000.c.cve xen-3.0.3_0-src/tools/ioemu/hw/ne2000.c
--- xen-3.0.3_0-src/tools/ioemu/hw/ne2000.c.cve	2007-09-25 10:27:44.000000000 -0400
+++ xen-3.0.3_0-src/tools/ioemu/hw/ne2000.c	2007-09-25 10:27:47.000000000 -0400
@@ -252,7 +252,7 @@ static void ne2000_receive(void *opaque,
 {
     NE2000State *s = opaque;
     uint8_t *p;
-    int total_len, next, avail, len, index, mcast_idx;
+    unsigned int total_len, next, avail, len, index, mcast_idx;
     uint8_t buf1[60];
     static const uint8_t broadcast_macaddr[6] = 
         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
@@ -327,7 +327,10 @@ static void ne2000_receive(void *opaque,
 
     /* write packet data */
     while (size > 0) {
-        avail = s->stop - index;
+        if (index <= s->stop)
+            avail = s->stop - index;
+        else
+            avail = 0;
         len = size;
         if (len > avail)
             len = avail;


Index: xen.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xen/F-7/xen.spec,v
retrieving revision 1.185
retrieving revision 1.186
diff -u -r1.185 -r1.186
--- xen.spec	25 Sep 2007 04:57:02 -0000	1.185
+++ xen.spec	26 Sep 2007 16:38:46 -0000	1.186
@@ -3,7 +3,7 @@
 Summary: Xen is a virtual machine monitor
 Name:    xen
 Version: 3.1.0
-Release: 5%{dist}
+Release: 6%{dist}
 Group:   Development/Libraries
 License: GPL
 URL:     http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -52,6 +52,11 @@
 Patch303: vnc-client-iterator.patch
 Patch304: vnc-double-cleanup.patch
 
+# CVE-2007-1321
+Patch600: xen-qemu-ne2000-CVE-2007-1321.patch
+# CVE-2007-4993
+Patch601: pygrub-dont-exec.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: transfig libidn-devel zlib-devel texi2html SDL-devel curl-devel
 BuildRequires: libX11-devel python-devel ghostscript tetex-latex 
@@ -163,6 +168,10 @@
 %patch304 -p2
 popd
 
+# CVE patches
+%patch600 -p1
+%patch601 -p1
+
 %build
 # libvncserver first
 pushd LibVNCServer-0.8.2
@@ -280,6 +289,10 @@
 %{_libdir}/*.a
 
 %changelog
+* Wed Sep 26 2007 Chris Lalancette <clalance at redhat.com> - 3.1.0-6.fc7
+- QEmu NE2000 overflow check - CVE-2007-1321
+- Pygrub guest escape - CVE-2007-4993
+
 * Mon Sep 24 2007 Daniel P. Berrange <berrange at redhat.com> - 3.1.0-5.fc7
 - Fix generation of manual pages (rhbz #250791)
 - Fix 32-on-64 PVFB for FC6 legacy guests


