Commit e1405346 authored by Michael Tokarev

slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch, 3.1+dfsg-6 release

parent 6917af1e
qemu (1:3.1+dfsg-6) unstable; urgency=high
* slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
fix information leakage in slirp code (Closes: CVE-2019-9824)
-- Michael Tokarev <mjt@tls.msk.ru> Mon, 18 Mar 2019 14:41:51 +0300
qemu (1:3.1+dfsg-5) unstable; urgency=high
* i2c-ddc-fix-oob-read-CVE-2019-3812.patch fixes
@@ -7,3 +7,4 @@ sparc64-timeval.tv_usec-is-int.patch
scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
i2c-ddc-fix-oob-read-CVE-2019-3812.patch
slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Thu, 7 Mar 2019 12:51:34 +0100
Message-Id: <20190307115143.780-5-samuel.thibault@ens-lyon.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Subject: slirp: check sscanf result when emulating ident (CVE-2019-9824)
From: William Bowling <will@wbowling.info>
When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.
Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
---
slirp/tcp_subr.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 262a42d6c8..ef9d99c154 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -664,12 +664,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
break;
}
}
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ so_rcv->sb_datalen,
+ "%d,%d\r\n", n1, n2);
+ so_rcv->sb_rptr = so_rcv->sb_data;
+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
- so_rcv->sb_datalen,
- "%d,%d\r\n", n1, n2);
- so_rcv->sb_rptr = so_rcv->sb_data;
- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
m_free(m);
return 0;
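Review bot: The moved snprintf block now runs only inside the branch guarded by the sscanf condition, but that condition sits above this hunk's context, so these lines alone do not show that it requires both conversions (a return value of 2); please confirm it does, since a partial match would still leave n2 unassigned. Two follow-ups: after this change a request that contains a line terminator but fails to parse produces no reply at all instead of a response, which is a behaviour change worth stating explicitly in the commit message; and initialising n1 and n2 at their declaration would cost nothing and would keep any future path from reaching the snprintf with indeterminate values.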
--
2.20.1
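As an added illustration of the defect class the commit message describes, here is a simplified stand-in for the ident reply path, written for this page rather than taken from qemu or slirp. The "before" function formats the reply whether or not sscanf assigned both numbers; the "after" function builds it only when two conversions succeeded. The function names, the "%d,%d" format and the STALE_* values are assumptions made for the demo; the stale values stand in for whatever an uninitialised int would hold so the leak is observable deterministically.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the ident reply path in slirp's tcp_emu();
 * not qemu/slirp code.  Request: "<port1>,<port2>\r\n" (RFC 1413 shape),
 * reply: the two numbers echoed back.  Format string and names assumed. */

/* Models the indeterminate stack contents an uninitialised int would
 * carry; constructed so the leak is deterministic in this demo. */
#define STALE_N1 31337
#define STALE_N2 4242

/* Before-shape (the defect): the strchr checks pass, sscanf is consulted,
 * but the reply is formatted even when sscanf assigned nothing. */
int ident_reply_unchecked(const char *req, char *out, size_t outlen)
{
    int n1 = STALE_N1, n2 = STALE_N2;   /* stands in for uninitialised ints */

    if (!strchr(req, '\r') && !strchr(req, '\n'))
        return -1;                        /* request line not complete yet */

    if (sscanf(req, "%d,%d", &n1, &n2) == 2) {
        /* port lookup / translation would go here */
    }
    /* Reached when sscanf returned 0 or 1: stale n1/n2 go on the wire. */
    return snprintf(out, outlen, "%d,%d\r\n", n1, n2);
}

/* After-shape (the fix): the reply is built only in the branch where
 * sscanf reported two successful conversions; otherwise nothing is sent. */
int ident_reply_checked(const char *req, char *out, size_t outlen)
{
    int n1, n2;

    if (!strchr(req, '\r') && !strchr(req, '\n'))
        return -1;                        /* request line not complete yet */

    if (sscanf(req, "%d,%d", &n1, &n2) != 2) {
        if (outlen)
            out[0] = '\0';
        return 0;                         /* malformed request: no reply */
    }
    return snprintf(out, outlen, "%d,%d\r\n", n1, n2);
}

/* Wrappers returning the reply text, used by the stand-alone demo below. */
const char *reply_unchecked(const char *req)
{
    static char buf[64];
    buf[0] = '\0';
    ident_reply_unchecked(req, buf, sizeof buf);
    return buf;
}

const char *reply_checked(const char *req)
{
    static char buf[64];
    buf[0] = '\0';
    ident_reply_checked(req, buf, sizeof buf);
    return buf;
}

int main(void)
{
    /* Constructed sample requests: well-formed, terminator but no numbers,
     * and only the first number present. */
    const char *samples[] = { "6193,23\r\n", "garbage\r\n", "6193,\r\n" };
    char buf[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int before = ident_reply_unchecked(samples[i], buf, sizeof buf);
        int after = ident_reply_checked(samples[i], buf, sizeof buf);
        printf("sample %zu: unchecked sends %d bytes, checked sends %d bytes\n",
               i, before, after);
    }
    return 0;
}
```

On the second and third samples the unchecked variant still emits a 12- or 11-byte reply built from the stale values, which is exactly the information leak the patch closes; the checked variant sends nothing.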