From d18c6e71d58c511f19e0173fd39406b3943ec205 Mon Sep 17 00:00:00 2001
From: ryoon
Date: Fri, 25 Sep 2015 14:57:59 +0000
Subject: Update to 2.4.0.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changelog:

* net: avoid infinite loop when receiving packets (CVE-2015-5278)

  Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152) bytes to process
  network packets. While receiving packets via the ne2000_receive() routine,
  a local 'index' variable could exceed the ring buffer size, leading to an
  infinite loop situation.

  Reported-by: Qinghao Tang
  Signed-off-by: P J P
  Signed-off-by: Stefan Hajnoczi
  (cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943)
  Signed-off-by: Michael Roth

* net: add checks to validate ring buffer pointers (CVE-2015-5279)

  Ne2000 NIC uses a ring buffer of NE2000_MEM_SIZE (49152) bytes to process
  network packets. While receiving packets via the ne2000_receive() routine,
  a local 'index' variable could exceed the ring buffer size, which could
  lead to a memory buffer overflow. Added other checks at initialisation.

  Reported-by: Qinghao Tang
  Signed-off-by: P J P
  Signed-off-by: Stefan Hajnoczi
  (cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4)
  Signed-off-by: Michael Roth

* e1000: Avoid infinite loop in processing transmit descriptor (CVE-2015-6815)

  While processing transmit descriptors, it could lead to an infinite loop
  if 'bytes' were to become zero; add a check to avoid it.

  [The guest can force 'bytes' to 0 by setting the hdr_len and mss
  descriptor fields to 0. --Stefan]

  Signed-off-by: P J P
  Signed-off-by: Stefan Hajnoczi
  Reviewed-by: Thomas Huth
  Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
  (cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
  Signed-off-by: Michael Roth

* vnc: fix memory corruption (CVE-2015-5225)

  The _cmp_bytes variable added by commit "bea60dd ui/vnc: fix potential
  memory corruption issues" can become negative. Result is (possibly
  exploitable) memory corruption. Reason for that is it uses the stride
  instead of bytes per scanline to apply limits.

  For the server surface it is actually fine. vnc creates that itself,
  there is never any padding and thus scanline length always equals
  stride.

  For the guest surface scanline length and stride are typically identical
  too, but it doesn't have to be that way. So add and use a new variable
  (guest_ll) for the guest scanline length. Also rename min_stride to
  line_bytes to make more clear what it actually is.

  Finally sprinkle in an assert() to make sure we never use a negative
  _cmp_bytes again.

  Reported-by: 范祚至(库特)
  Reviewed-by: P J P
  Signed-off-by: Gerd Hoffmann
  (cherry picked from commit eb8934b0418b3b1d125edddc4fc334a54334a49b)
  Signed-off-by: Michael Roth
---
 emulators/qemu/Makefile | 5 ++---
 emulators/qemu/distinfo | 8 ++++----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile index c173c020d52..ba49b257a64 100644 --- a/emulators/qemu/Makefile +++ b/emulators/qemu/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.143 2015/08/18 07:31:07 wiz Exp $ +# $NetBSD: Makefile,v 1.144 2015/09/25 14:57:59 ryoon Exp $ -DISTNAME= qemu-2.4.0 -PKGREVISION= 2 +DISTNAME= qemu-2.4.0.1 CATEGORIES= emulators MASTER_SITES= http://wiki.qemu.org/download/ EXTRACT_SUFX= .tar.bz2 diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo index 80a0c5e0983..da6dae9563d 100644 --- a/emulators/qemu/distinfo +++ b/emulators/qemu/distinfo 
@@ -1,8 +1,8 @@ -$NetBSD: distinfo,v 1.105 2015/08/12 06:55:59 ryoon Exp $ +$NetBSD: distinfo,v 1.106 2015/09/25 14:57:59 ryoon Exp $ -SHA1 (qemu-2.4.0.tar.bz2) = 27c4651243ad885a2a3b35fe6d2532e6a7f0711e -RMD160 (qemu-2.4.0.tar.bz2) = f3b5ce602574aec28a5b5e43591248d4358ec5f7 -Size (qemu-2.4.0.tar.bz2) = 25070979 bytes +SHA1 (qemu-2.4.0.1.tar.bz2) = 10701fb6fbb44646b2f655c6ab097cf7a04b2b52 +RMD160 (qemu-2.4.0.1.tar.bz2) = 203d22967bc29de0767c07cbc87a74df09a20d4b +Size (qemu-2.4.0.1.tar.bz2) = 25068555 bytes SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a SHA1 (patch-et) = e9b850ac5985cbe934b541acbfdb330cce421d50 -- cgit v1.2.3
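Review bot: in the Makefile hunk, MASTER_SITES stays on http://wiki.qemu.org/download/ (unchanged context) while the package is bumped specifically to pick up four CVE fixes, so the fetch itself has no transport integrity and the digest lines in distinfo are the only check on the downloaded tarball; if upstream publishes the release over https, switching MASTER_SITES in the same commit would be worth it. Dropping `PKGREVISION= 2` together with the DISTNAME bump to qemu-2.4.0.1 is the expected reset for a new upstream release.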
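Review bot: the distinfo hunk replaces the SHA1, RMD160 and Size lines for qemu-2.4.0.1.tar.bz2, but the commit message does not say whether the values were compared against an upstream-published checksum or signature rather than computed from the fetched file; for a security update that comparison is what makes the digest lines a verification instead of a record, so state it in the message. The three patch-* SHA1 lines (patch-configure, patch-ef, patch-et) are unchanged context, which implies the local patches still apply cleanly to 2.4.0.1; saying so in the message would help the next reader too.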
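The ring buffer bounds problem behind the two Ne2000 changelog entries above, as an added example that is not QEMU's code and not part of this commit: a simplified model of the receive ring in which the guest-programmed PSTART, PSTOP and CURR registers are validated before they become memory offsets, and the copy loop is bounded so it can neither overrun the buffer nor spin. NE2000_MEM_SIZE is the value given on the page; the register layout, ne2000_model, ne2000_ring_valid, ne2000_ring_write and demo are assumptions of this model.

```c
#include <stdint.h>
#include <string.h>
/* Simplified model, not QEMU's hw/net/ne2000.c: packet memory is a ring of
 * 256-byte pages between guest-programmed PSTART/PSTOP; CURR is the write page. */
#define NE2000_MEM_SIZE 49152
#define NE2000_PAGE 256
typedef struct {
    uint8_t mem[NE2000_MEM_SIZE];
    uint8_t start, stop, curpag;   /* PSTART, PSTOP, CURR, in pages */
} ne2000_model;

/* The class of check added for CVE-2015-5279: the registers must describe a
 * ring inside mem[] and an index inside that ring before either is used. */
static int ne2000_ring_valid(const ne2000_model *s)
{
    int start = s->start * NE2000_PAGE, stop = s->stop * NE2000_PAGE;
    int index = s->curpag * NE2000_PAGE;
    return start < stop && stop <= NE2000_MEM_SIZE && index >= start && index < stop;
}

/* Copy a packet into the ring, wrapping at stop. Each memcpy is bounded by the
 * validated stop and moves >= 1 byte: no overrun, no spin. Returns bytes or -1. */
static int ne2000_ring_write(ne2000_model *s, const uint8_t *pkt, int len)
{
    if (!ne2000_ring_valid(s) || len < 0) return -1;
    int start = s->start * NE2000_PAGE, stop = s->stop * NE2000_PAGE;
    int index = s->curpag * NE2000_PAGE, written = 0;
    if (len > stop - start) return -1;          /* cannot fit in the ring */
    while (len > 0) {
        int chunk = stop - index < len ? stop - index : len;  /* before wrap */
        memcpy(s->mem + index, pkt + written, (size_t)chunk);
        index += chunk; written += chunk; len -= chunk;
        if (index == stop) index = start;
    }
    index = (index + NE2000_PAGE - 1) / NE2000_PAGE * NE2000_PAGE;
    s->curpag = (uint8_t)((index >= stop ? start : index) / NE2000_PAGE);
    return written;
}

/* Constructed scenario: PSTART 0x46, CURR 0x7f, a 600-byte packet, PSTOP as
 * given. Returns (new CURR << 16) | bytes, -1 if rejected, -2 if misplaced. */
static int demo(uint8_t stop_page)
{
    ne2000_model s = {0};
    uint8_t pkt[600];
    for (int i = 0; i < 600; i++) pkt[i] = (uint8_t)i;
    s.start = 0x46; s.stop = stop_page; s.curpag = 0x7f;
    int n = ne2000_ring_write(&s, pkt, 600);
    if (n < 0) return n;
    if (s.mem[0x7fff] != 0xff || s.mem[0x4600 + 343] != pkt[599]) return -2;
    return (s.curpag << 16) | n;
}
```

With PSTOP 0x80 the 600-byte packet fills the last page before the wrap and continues at PSTART, leaving CURR on page 0x48; a PSTOP past the 48 KiB of packet memory, or a CURR at or beyond PSTOP, is rejected before any copy happens.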