parent
e224718dc0
commit
495677c360
|
@ -0,0 +1,133 @@
|
||||||
|
From 840031ac0f74c51622490bb72e6671f7e35b95ff Mon Sep 17 00:00:00 2001
|
||||||
|
Message-Id: <840031ac0f74c51622490bb72e6671f7e35b95ff.1349642201.git.crobinso@redhat.com>
|
||||||
|
From: Ian Campbell <ian.campbell@citrix.com>
|
||||||
|
Date: Tue, 4 Sep 2012 10:26:09 -0500
|
||||||
|
Subject: [PATCH] console: bounds check whenever changing the cursor due to an
|
||||||
|
escape code
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
This is XSA-17 / CVE-2012-3515
|
||||||
|
|
||||||
|
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
|
||||||
|
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||||
|
(cherry picked from commit 3eea5498ca501922520b3447ba94815bfc109743)
|
||||||
|
|
||||||
|
[AF: Resolves BNC#777084]
|
||||||
|
Signed-off-by: Andreas Färber <afaerber@suse.de>
|
||||||
|
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||||
|
---
|
||||||
|
console.c | 57 ++++++++++++++++++++++++++++-----------------------------
|
||||||
|
1 file changed, 28 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/console.c b/console.c
|
||||||
|
index 07c82b8..f9eb5a1 100644
|
||||||
|
--- a/console.c
|
||||||
|
+++ b/console.c
|
||||||
|
@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y)
|
||||||
|
update_xy(s, x, y);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* set cursor, checking bounds */
|
||||||
|
+static void set_cursor(TextConsole *s, int x, int y)
|
||||||
|
+{
|
||||||
|
+ if (x < 0) {
|
||||||
|
+ x = 0;
|
||||||
|
+ }
|
||||||
|
+ if (y < 0) {
|
||||||
|
+ y = 0;
|
||||||
|
+ }
|
||||||
|
+ if (y >= s->height) {
|
||||||
|
+ y = s->height - 1;
|
||||||
|
+ }
|
||||||
|
+ if (x >= s->width) {
|
||||||
|
+ x = s->width - 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ s->x = x;
|
||||||
|
+ s->y = y;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void console_putchar(TextConsole *s, int ch)
|
||||||
|
{
|
||||||
|
TextCell *c;
|
||||||
|
@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch)
|
||||||
|
s->esc_params[s->nb_esc_params] * 10 + ch - '0';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
- s->nb_esc_params++;
|
||||||
|
+ if (s->nb_esc_params < MAX_ESC_PARAMS)
|
||||||
|
+ s->nb_esc_params++;
|
||||||
|
if (ch == ';')
|
||||||
|
break;
|
||||||
|
#ifdef DEBUG_CONSOLE
|
||||||
|
@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch)
|
||||||
|
if (s->esc_params[0] == 0) {
|
||||||
|
s->esc_params[0] = 1;
|
||||||
|
}
|
||||||
|
- s->y -= s->esc_params[0];
|
||||||
|
- if (s->y < 0) {
|
||||||
|
- s->y = 0;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->x, s->y - s->esc_params[0]);
|
||||||
|
break;
|
||||||
|
case 'B':
|
||||||
|
/* move cursor down */
|
||||||
|
if (s->esc_params[0] == 0) {
|
||||||
|
s->esc_params[0] = 1;
|
||||||
|
}
|
||||||
|
- s->y += s->esc_params[0];
|
||||||
|
- if (s->y >= s->height) {
|
||||||
|
- s->y = s->height - 1;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->x, s->y + s->esc_params[0]);
|
||||||
|
break;
|
||||||
|
case 'C':
|
||||||
|
/* move cursor right */
|
||||||
|
if (s->esc_params[0] == 0) {
|
||||||
|
s->esc_params[0] = 1;
|
||||||
|
}
|
||||||
|
- s->x += s->esc_params[0];
|
||||||
|
- if (s->x >= s->width) {
|
||||||
|
- s->x = s->width - 1;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->x + s->esc_params[0], s->y);
|
||||||
|
break;
|
||||||
|
case 'D':
|
||||||
|
/* move cursor left */
|
||||||
|
if (s->esc_params[0] == 0) {
|
||||||
|
s->esc_params[0] = 1;
|
||||||
|
}
|
||||||
|
- s->x -= s->esc_params[0];
|
||||||
|
- if (s->x < 0) {
|
||||||
|
- s->x = 0;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->x - s->esc_params[0], s->y);
|
||||||
|
break;
|
||||||
|
case 'G':
|
||||||
|
/* move cursor to column */
|
||||||
|
- s->x = s->esc_params[0] - 1;
|
||||||
|
- if (s->x < 0) {
|
||||||
|
- s->x = 0;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->esc_params[0] - 1, s->y);
|
||||||
|
break;
|
||||||
|
case 'f':
|
||||||
|
case 'H':
|
||||||
|
/* move cursor to row, column */
|
||||||
|
- s->x = s->esc_params[1] - 1;
|
||||||
|
- if (s->x < 0) {
|
||||||
|
- s->x = 0;
|
||||||
|
- }
|
||||||
|
- s->y = s->esc_params[0] - 1;
|
||||||
|
- if (s->y < 0) {
|
||||||
|
- s->y = 0;
|
||||||
|
- }
|
||||||
|
+ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1);
|
||||||
|
break;
|
||||||
|
case 'J':
|
||||||
|
switch (s->esc_params[0]) {
|
||||||
|
--
|
||||||
|
1.7.11.4
|
||||||
|
|
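Review bot: The arithmetic feeding `set_cursor` is still unchecked: calls such as `set_cursor(s, s->x, s->y + s->esc_params[0])` add or subtract the escape parameter before the clamp runs, and the context line `s->esc_params[s->nb_esc_params] * 10 + ch - '0'` accumulates digits from the character stream with no upper bound visible in these hunks. Assuming `esc_params` holds `int`, a long digit run can overflow a signed value, which is undefined behaviour in C even if the clamp usually confines the stored cursor afterwards. It would be firmer to saturate the parameter where it is accumulated, for example by guarding the accumulation with `if (s->esc_params[s->nb_esc_params] < 10000)` (the limit is a constructed example), so that the later additions cannot overflow. Separately, `set_cursor` applies the lower clamp before the upper one, so a zero `s->width` or `s->height` would store -1; a comment such as `/* width and height are assumed to be >= 1 */` or applying the upper clamp first would settle that. `console_putchar` begins and ends outside the hunks shown, and since this file is a cherry-picked patch, the change belongs in a follow-up patch rather than in an edit to this one.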
|
@ -1,7 +1,7 @@
|
||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 0.15.1
|
Version: 0.15.1
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
|
@ -133,6 +133,8 @@ Patch241: %{name}-fix-systemtap.patch
|
||||||
Patch242: %{name}-spice-server-threading.patch
|
Patch242: %{name}-spice-server-threading.patch
|
||||||
# Fix text mode screendumps (bz 819155)
|
# Fix text mode screendumps (bz 819155)
|
||||||
Patch243: %{name}-fix-text-mode-screendumps.patch
|
Patch243: %{name}-fix-text-mode-screendumps.patch
|
||||||
|
# CVE-2012-3515 VT100 emulation vulnerability (bz 854600, bz 851252)
|
||||||
|
Patch244: 0244-console-bounds-check-whenever-changing-the-cursor-du.patch
|
||||||
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
|
BuildRequires: SDL-devel zlib-devel which texi2html gnutls-devel cyrus-sasl-devel
|
||||||
|
@ -435,6 +437,7 @@ such as kvm_stat.
|
||||||
%patch241 -p1
|
%patch241 -p1
|
||||||
%patch242 -p1
|
%patch242 -p1
|
||||||
%patch243 -p1
|
%patch243 -p1
|
||||||
|
%patch244 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# By default we build everything, but allow x86 to build a minimal version
|
# By default we build everything, but allow x86 to build a minimal version
|
||||||
|
@ -823,6 +826,9 @@ fi
|
||||||
%{_mandir}/man1/qemu-img.1*
|
%{_mandir}/man1/qemu-img.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sun Oct 07 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-8
|
||||||
|
- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252)
|
||||||
|
|
||||||
* Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-7
|
* Sun Jul 29 2012 Cole Robinson <crobinso@redhat.com> - 0.15.1-7
|
||||||
- Pull patches from 0.15 stable
|
- Pull patches from 0.15 stable
|
||||||
- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
|
- CVE-2012-2652: Possible symlink attacks with -snapshot (bz 825697, bz
|
||||||
|
|