rpms/kvm/F-10 kvm-cirrus-cve-2008-4539.patch, NONE, 1.1 kvm.spec, 1.72, 1.73

Glauber Costa glommer at fedoraproject.org
Tue Nov 11 15:58:05 UTC 2008


Author: glommer

Update of /cvs/pkgs/rpms/kvm/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25505

Modified Files:
	kvm.spec 
Added Files:
	kvm-cirrus-cve-2008-4539.patch 
Log Message:
- Fix cirrus vulnerability (CVE-2008-4539) - #471055



kvm-cirrus-cve-2008-4539.patch:

--- NEW FILE kvm-cirrus-cve-2008-4539.patch ---
commit 8af1b920763da9802902603a17da9d5db1307b8d
Author: aurel32 <aurel32>
Date:   Sat Nov 1 00:53:39 2008 +0000

    CVE-2008-4539: fix a heap overflow in Cirrus emulation
    
    The code in hw/cirrus_vga.c changed a lot between the time CVE-2007-1320
    was announced and the time the patch was applied. As a consequence the
    patch was wrongly applied and QEMU is still vulnerable to this bug if using VNC.
    
    (noticed by Jan Niehusmann)
    
    Signed-off-by: Aurelien Jarno <aurelien at aurel32.net>

diff --git a/qemu/hw/cirrus_vga.c b/qemu/hw/cirrus_vga.c
index 55f3ced..af9c9e6 100644
--- a/qemu/hw/cirrus_vga.c
+++ b/qemu/hw/cirrus_vga.c
@@ -785,15 +785,14 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
 
 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
 {
+    if (BLTUNSAFE(s))
+        return 0;
+
     if (s->ds->dpy_copy) {
 	cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->start_addr,
 		       s->cirrus_blt_srcaddr - s->start_addr,
 		       s->cirrus_blt_width, s->cirrus_blt_height);
     } else {
-
-    if (BLTUNSAFE(s))
-        return 0;
-
 	(*s->cirrus_rop) (s, s->vram_ptr +
                 (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
 			  s->vram_ptr +
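Review bot: The hoisted `BLTUNSAFE(s)` check at the top of cirrus_bitblt_videotovideo_copy has no comment saying it must stay ahead of both branches, although the commit message attributes the remaining exposure to the earlier patch being wrongly applied, and the removed lines show the check sitting inside the `else` only. I would add `/* Bounds-check the blit before either path; the dpy_copy branch was previously unguarded (CVE-2008-4539). */` above it and brace the `if` body so a later merge cannot silently detach the `return 0;`. Separately, the `cirrus_do_copy` call passes `s->cirrus_blt_dstaddr - s->start_addr` and the matching source offset unmasked, while the rop branch masks with `s->cirrus_addr_mask`. BLTUNSAFE is defined outside this hunk, so it is worth confirming that its bounds also hold for the start_addr-relative values used on the dpy_copy path. The function body continues past the end of the hunk.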


Index: kvm.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kvm/F-10/kvm.spec,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- kvm.spec	22 Oct 2008 14:07:17 -0000	1.72
+++ kvm.spec	11 Nov 2008 15:57:35 -0000	1.73
@@ -1,7 +1,7 @@
 Summary: Kernel-based Virtual Machine
 Name: kvm
 Version: 74
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Development/Tools
 URL: http://%{name}.sf.net
@@ -13,6 +13,7 @@
 Patch2: %{name}-74-pxe-boot.patch
 Patch3: %{name}-74-page-find.patch
 Patch4: %{name}-fix-pc-bios-make-install-missing-files.patch
+Patch5: %{name}-cirrus-cve-2008-4539.patch
 # patches from upstream qemu
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: SDL-devel
@@ -48,6 +49,7 @@
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # we must not use any of the binaries from the qemu/pc-bios/ directory,
 # as they don't have the corresponding sources shipped with them
 rm -f qemu/pc-bios/*
@@ -138,6 +140,9 @@
 %{_sysconfdir}/sysconfig/modules/%{name}.modules
 
 %changelog
+* Tue Nov 11 2008 Glauber Costa <glommer at redhat.com> - 74-6
+- Fix cirrus vulnerability (CVE-2008-4539) - #471055
+
 * Tue Oct 22 2008 Glauber Costa <glommer at redhat.com> - 74-5
 - Remove all prebuilt qemu/pc-bios binaries before building
 - Use symlinks to etherboot files for the pxe roms



