authorbouyer <bouyer>2011-05-12 15:39:05 +0000
committerbouyer <bouyer>2011-05-12 15:39:05 +0000
commit023600a60470025abcfdbff5590f327b60c194fa (patch)
treef6190277a70ee684c94f5685a233d7a664645e91 /sysutils/xentools33
parent0ffe2cbf3948e4bca770105fcb99de23ab5e38ae (diff)
Add patch from the xen-dev mailing list to fix CVE-2011-1583
Bump PKGREVISION
Diffstat (limited to 'sysutils/xentools33')
-rw-r--r--sysutils/xentools33/Makefile4
-rw-r--r--sysutils/xentools33/distinfo3
-rw-r--r--sysutils/xentools33/patches/patch-CVE-2011-158384
3 files changed, 88 insertions, 3 deletions
diff --git a/sysutils/xentools33/Makefile b/sysutils/xentools33/Makefile
index 41cd481e546..10d7d1946f5 100644
--- a/sysutils/xentools33/Makefile
+++ b/sysutils/xentools33/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.24 2011/04/30 19:25:53 abs Exp $
+# $NetBSD: Makefile,v 1.25 2011/05/12 15:39:05 bouyer Exp $
#
VERSION= 3.3.2
DISTNAME= xen-${VERSION}
PKGNAME= xentools33-${VERSION}
-PKGREVISION= 6
+PKGREVISION= 7
CATEGORIES= sysutils
MASTER_SITES= http://bits.xensource.com/oss-xen/release/${VERSION}/
EXTRACT_SUFX= .tar.gz
diff --git a/sysutils/xentools33/distinfo b/sysutils/xentools33/distinfo
index bd3e264bb44..1c31f8a2593 100644
--- a/sysutils/xentools33/distinfo
+++ b/sysutils/xentools33/distinfo
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.22 2010/12/13 13:37:49 wiz Exp $
+$NetBSD: distinfo,v 1.23 2011/05/12 15:39:05 bouyer Exp $
SHA1 (xen-3.3.2.tar.gz) = 7f438e73ac81b25cf5e1570709e87001066bafe4
RMD160 (xen-3.3.2.tar.gz) = 28faa56286f2a418e35dcba6079570ea871d6c7b
Size (xen-3.3.2.tar.gz) = 11357576 bytes
+SHA1 (patch-CVE-2011-1583) = c9f59d9fbb20f0cb76733a4c2d136a67253cae0a
SHA1 (patch-aa) = 74c3023e39baf488f8bae060e93f6175b32df61a
SHA1 (patch-ab) = a6244d421dc995c9bcbc9959de422972f9d46b6d
SHA1 (patch-ac) = 70af1b1a787b9dad9e41a2ffe14d595c6797b4d7
diff --git a/sysutils/xentools33/patches/patch-CVE-2011-1583 b/sysutils/xentools33/patches/patch-CVE-2011-1583
new file mode 100644
index 00000000000..81f63b9c0e7
--- /dev/null
+++ b/sysutils/xentools33/patches/patch-CVE-2011-1583
@@ -0,0 +1,84 @@
+$NetBSD: patch-CVE-2011-1583,v 1.1 2011/05/12 15:39:05 bouyer Exp $
+
+from http://lists.xensource.com/archives/html/xen-devel/2011-05/msg00491.html
+
+# HG changeset patch
+# Parent 11931301845c3b4b6a358f2d7246874b1d10c05f
+
+diff -r 11931301845c libxc/xc_dom_bzimageloader.c
+--- libxc/xc_dom_bzimageloader.c Mon Mar 14 16:59:49 2011 +0000
++++ libxc/xc_dom_bzimageloader.c Tue May 03 10:09:28 2011 +0100
+@@ -61,18 +61,18 @@
+
+ extern struct xc_dom_loader elf_loader;
+
+-static unsigned int payload_offset(struct setup_header *hdr)
++static int check_magic(struct xc_dom_image *dom, const void *magic, size_t len)
+ {
+- unsigned int off;
++ if (len > dom->kernel_size)
++ return 0;
+
+- off = (hdr->setup_sects + 1) * 512;
+- off += hdr->payload_offset;
+- return off;
++ return (memcmp(dom->kernel_blob, magic, len) == 0);
+ }
+
+ static int check_bzimage_kernel(struct xc_dom_image *dom, int verbose)
+ {
+ struct setup_header *hdr;
++ uint64_t payload_offset, payload_length;
+
+ if ( dom->kernel_blob == NULL )
+ {
+@@ -107,14 +107,43 @@
+ return -EINVAL;
+ }
+
+- dom->kernel_blob = dom->kernel_blob + payload_offset(hdr);
+- dom->kernel_size = hdr->payload_length;
+
+- if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
++ /* upcast to 64 bits to avoid overflow */
++ /* setup_sects is u8 and so cannot overflow */
++ payload_offset = (hdr->setup_sects + 1) * 512;
++ payload_offset += hdr->payload_offset;
++ payload_length = hdr->payload_length;
++
++ if ( payload_offset >= dom->kernel_size )
+ {
+- if ( verbose )
+- xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
+- __FUNCTION__);
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload offset overflow",
++ __FUNCTION__);
++ return -EINVAL;
++ }
++ if ( (payload_offset + payload_length) > dom->kernel_size )
++ {
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: payload length overflow",
++ __FUNCTION__);
++ return -EINVAL;
++ }
++
++ dom->kernel_blob = dom->kernel_blob + payload_offset;
++ dom->kernel_size = payload_length;
++
++ if ( check_magic(dom, "\037\213", 2) )
++ {
++ if ( xc_dom_try_gunzip(dom, &dom->kernel_blob, &dom->kernel_size) == -1 )
++ {
++ if ( verbose )
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unable to decompress kernel\n",
++ __FUNCTION__);
++ return -EINVAL;
++ }
++ }
++ else
++ {
++ xc_dom_panic(XC_INVALID_KERNEL, "%s: unknown compression format\n",
++ __FUNCTION__);
+ return -EINVAL;
+ }
+
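Review bot: The two new bounds-check failures in check_bzimage_kernel pass `xc_dom_panic()` messages without the trailing newline that the other messages in this function carry, and they, like the new "unknown compression format" branch, report unconditionally while the decompression failure stays behind `if ( verbose )`. I would write `"%s: payload offset overflow\n"` and `"%s: payload length overflow\n"` and settle on one reporting policy for all four paths. Separately, `dom->kernel_blob` and `dom->kernel_size` are narrowed to the payload before `check_magic()` and the gunzip call run, so both later `-EINVAL` returns leave `dom` modified; whether any caller reuses `dom` after a failed probe is not visible here and is worth confirming. The checks read `hdr->payload_offset` and `hdr->payload_length`, so they rely on the part of the function outside these hunks having verified that the blob is at least as large as the setup header. check_bzimage_kernel starts before and continues past the quoted hunks.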