CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization (bz #1157647, bz #1157641)
CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle functions (bz #1153038, bz #1153035)
parent
145f8dccfa
commit
725f84b743
@ -1,4 +1,3 @@
|
||||
From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 19 Aug 2014 18:56:28 +0100
|
||||
Subject: [PATCH] loader: Add load_image_gzipped function.
|
||||
|
@ -1,4 +1,3 @@
|
||||
From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Tue, 19 Aug 2014 18:56:28 +0100
|
||||
Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
|
||||
|
@ -1,4 +1,3 @@
|
||||
From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
|
||||
Date: Wed, 13 Aug 2014 12:44:27 -0300
|
||||
Subject: [PATCH] block.curl: adding 'timeout' option
|
||||
|
@ -1,4 +1,3 @@
|
||||
From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Fri, 29 Aug 2014 16:03:12 +0100
|
||||
Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
|
||||
|
@ -1,4 +1,3 @@
|
||||
From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001
|
||||
From: "Richard W.M. Jones" <rjones@redhat.com>
|
||||
Date: Thu, 28 Aug 2014 09:04:21 +0100
|
||||
Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
|
||||
|
@ -1,4 +1,3 @@
|
||||
From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001
|
||||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 11 Sep 2014 18:45:33 +0200
|
||||
Subject: [PATCH] virtio-pci: enable bus master for old guests
|
||||
|
@ -1,4 +1,3 @@
|
||||
From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001
|
||||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Thu, 11 Sep 2014 18:34:29 +0300
|
||||
Subject: [PATCH] virtio-pci: fix migration for pci bus master
|
||||
|
@ -1,4 +1,3 @@
|
||||
From 9d8b817bfe327873c009fa4621c0308e7f3bc5de Mon Sep 17 00:00:00 2001
|
||||
From: "Michael S. Tsirkin" <mst@redhat.com>
|
||||
Date: Mon, 29 Sep 2014 11:27:32 +0300
|
||||
Subject: [PATCH] Revert "virtio-pci: fix migration for pci bus master"
|
||||
|
45
0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
Normal file
45
0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From: Petr Matousek <pmatouse@redhat.com>
|
||||
Date: Mon, 27 Oct 2014 12:41:44 +0100
|
||||
Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
|
||||
|
||||
bits_per_pixel that are less than 8 could result in accessing
|
||||
non-initialized buffers later in the code due to the expectation
|
||||
that bytes_per_pixel value that is used to initialize these buffers is
|
||||
never zero.
|
||||
|
||||
To fix this check that bits_per_pixel from the client is one of the
|
||||
values that the rfb protocol specification allows.
|
||||
|
||||
This is CVE-2014-7815.
|
||||
|
||||
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
|
||||
|
||||
[ kraxel: apply codestyle fix ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
|
||||
---
|
||||
ui/vnc.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/ui/vnc.c b/ui/vnc.c
|
||||
index f8d9b7d..87e34ae 100644
|
||||
--- a/ui/vnc.c
|
||||
+++ b/ui/vnc.c
|
||||
@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
|
||||
return;
|
||||
}
|
||||
|
||||
+ switch (bits_per_pixel) {
|
||||
+ case 8:
|
||||
+ case 16:
|
||||
+ case 32:
|
||||
+ break;
|
||||
+ default:
|
||||
+ vnc_client_error(vs);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
vs->client_pf.rmax = red_max;
|
||||
vs->client_pf.rbits = hweight_long(red_max);
|
||||
vs->client_pf.rshift = red_shift;
|
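Review bot: The added switch in set_pixel_format() has no comment saying why only 8, 16 and 32 are accepted, although that reason is the security fix itself. I would put `/* RFB allows only 8, 16 or 32 bpp; smaller values make bytes_per_pixel 0 (CVE-2014-7815) */` above it. The lines right after the check still store the client-supplied `red_max` and `red_shift` into `vs->client_pf`, and no range check on them is visible in this hunk. The function starts above the hunk, so they may be validated earlier, but it is worth confirming that an out-of-range shift value cannot reach a shift expression later.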
34
0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
Normal file
34
0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 29 Oct 2014 12:56:06 +0100
|
||||
Subject: [PATCH] vmware-vga: CVE-2014-3689: turn off hw accel
|
||||
|
||||
Quick & easy stopgap for CVE-2014-3689: We just compile out the
|
||||
hardware acceleration functions which lack sanity checks. Thankfully
|
||||
we have capability bits for them (SVGA_CAP_RECT_COPY and
|
||||
SVGA_CAP_RECT_FILL), so guests should deal just fine, in theory.
|
||||
|
||||
Subsequent patches will add the missing checks and re-enable the
|
||||
hardware acceleration emulation.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Don Koch <dkoch@verizon.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 591b645..4a4229b 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -29,8 +29,10 @@
|
||||
#include "hw/pci/pci.h"
|
||||
|
||||
#undef VERBOSE
|
||||
+#if 0
|
||||
#define HW_RECT_ACCEL
|
||||
#define HW_FILL_ACCEL
|
||||
+#endif
|
||||
#define HW_MOUSE_ACCEL
|
||||
|
||||
#include "vga_int.h"
|
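Review bot: The `#if 0` around `HW_RECT_ACCEL` and `HW_FILL_ACCEL` has no comment, so nothing in the file tells a later reader that re-enabling them re-exposes CVE-2014-3689. Something like `#if 0 /* CVE-2014-3689: rect copy/fill lack bounds checks, keep off until verified */` would do. The commit message relies on SVGA_CAP_RECT_COPY and SVGA_CAP_RECT_FILL no longer being advertised, but the code that builds the capability value is outside this hunk. It should be confirmed that it is guarded by the same two macros.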
79
0011-vmware-vga-add-vmsvga_verify_rect.patch
Normal file
79
0011-vmware-vga-add-vmsvga_verify_rect.patch
Normal file
@ -0,0 +1,79 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 29 Oct 2014 12:56:07 +0100
|
||||
Subject: [PATCH] vmware-vga: add vmsvga_verify_rect
|
||||
|
||||
Add verification function for rectangles, returning
|
||||
true if verification passes and false otherwise.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Don Koch <dkoch@verizon.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
1 file changed, 52 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 4a4229b..f0e487f 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -294,8 +294,59 @@ enum {
|
||||
SVGA_CURSOR_ON_RESTORE_TO_FB = 3,
|
||||
};
|
||||
|
||||
+static inline bool vmsvga_verify_rect(DisplaySurface *surface,
|
||||
+ const char *name,
|
||||
+ int x, int y, int w, int h)
|
||||
+{
|
||||
+ if (x < 0) {
|
||||
+ fprintf(stderr, "%s: x was < 0 (%d)\n", name, x);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (x > SVGA_MAX_WIDTH) {
|
||||
+ fprintf(stderr, "%s: x was > %d (%d)\n", name, SVGA_MAX_WIDTH, x);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (w < 0) {
|
||||
+ fprintf(stderr, "%s: w was < 0 (%d)\n", name, w);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (w > SVGA_MAX_WIDTH) {
|
||||
+ fprintf(stderr, "%s: w was > %d (%d)\n", name, SVGA_MAX_WIDTH, w);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (x + w > surface_width(surface)) {
|
||||
+ fprintf(stderr, "%s: width was > %d (x: %d, w: %d)\n",
|
||||
+ name, surface_width(surface), x, w);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ if (y < 0) {
|
||||
+ fprintf(stderr, "%s: y was < 0 (%d)\n", name, y);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (y > SVGA_MAX_HEIGHT) {
|
||||
+ fprintf(stderr, "%s: y was > %d (%d)\n", name, SVGA_MAX_HEIGHT, y);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (h < 0) {
|
||||
+ fprintf(stderr, "%s: h was < 0 (%d)\n", name, h);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (h > SVGA_MAX_HEIGHT) {
|
||||
+ fprintf(stderr, "%s: h was > %d (%d)\n", name, SVGA_MAX_HEIGHT, h);
|
||||
+ return false;
|
||||
+ }
|
||||
+ if (y + h > surface_height(surface)) {
|
||||
+ fprintf(stderr, "%s: update height > %d (y: %d, h: %d)\n",
|
||||
+ name, surface_height(surface), y, h);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
|
||||
- int x, int y, int w, int h)
|
||||
+ int x, int y, int w, int h)
|
||||
{
|
||||
DisplaySurface *surface = qemu_console_surface(s->vga.con);
|
||||
int line;
|
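Review bot: Every rejection path in vmsvga_verify_rect() calls `fprintf(stderr, ...)` with values the guest chose, so a guest that keeps submitting bad rectangles can grow the host's stderr log without limit. A one-shot or rate-limited report, or a trace point, would keep the diagnostic while bounding the output. The order of the checks also matters and deserves a comment such as `/* bound x and w individually first so that x + w cannot overflow int */`, assuming SVGA_MAX_WIDTH and SVGA_MAX_HEIGHT are far below INT_MAX (their definitions are not in this hunk). The same logging is reached through the callers added in the 0012, 0013 and 0014 patches.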
@ -0,0 +1,61 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 29 Oct 2014 12:56:08 +0100
|
||||
Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_update_rect
|
||||
|
||||
Switch vmsvga_update_rect over to use vmsvga_verify_rect. Slight change
|
||||
in behavior: We don't try to automatically fixup rectangles any more.
|
||||
In case we find invalid update requests we'll do a full-screen update
|
||||
instead.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Don Koch <dkoch@verizon.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 32 ++++----------------------------
|
||||
1 file changed, 4 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index f0e487f..718746e 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -356,36 +356,12 @@ static inline void vmsvga_update_rect(struct vmsvga_state_s *s,
|
||||
uint8_t *src;
|
||||
uint8_t *dst;
|
||||
|
||||
- if (x < 0) {
|
||||
- fprintf(stderr, "%s: update x was < 0 (%d)\n", __func__, x);
|
||||
- w += x;
|
||||
+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
|
||||
+ /* go for a fullscreen update as fallback */
|
||||
x = 0;
|
||||
- }
|
||||
- if (w < 0) {
|
||||
- fprintf(stderr, "%s: update w was < 0 (%d)\n", __func__, w);
|
||||
- w = 0;
|
||||
- }
|
||||
- if (x + w > surface_width(surface)) {
|
||||
- fprintf(stderr, "%s: update width too large x: %d, w: %d\n",
|
||||
- __func__, x, w);
|
||||
- x = MIN(x, surface_width(surface));
|
||||
- w = surface_width(surface) - x;
|
||||
- }
|
||||
-
|
||||
- if (y < 0) {
|
||||
- fprintf(stderr, "%s: update y was < 0 (%d)\n", __func__, y);
|
||||
- h += y;
|
||||
y = 0;
|
||||
- }
|
||||
- if (h < 0) {
|
||||
- fprintf(stderr, "%s: update h was < 0 (%d)\n", __func__, h);
|
||||
- h = 0;
|
||||
- }
|
||||
- if (y + h > surface_height(surface)) {
|
||||
- fprintf(stderr, "%s: update height too large y: %d, h: %d\n",
|
||||
- __func__, y, h);
|
||||
- y = MIN(y, surface_height(surface));
|
||||
- h = surface_height(surface) - y;
|
||||
+ w = surface_width(surface);
|
||||
+ h = surface_height(surface);
|
||||
}
|
||||
|
||||
bypl = surface_stride(surface);
|
@ -0,0 +1,75 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 29 Oct 2014 12:56:09 +0100
|
||||
Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_copy_rect
|
||||
|
||||
Add verification to vmsvga_copy_rect, re-enable HW_RECT_ACCEL.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Don Koch <dkoch@verizon.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 718746e..c2e0a43 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -29,8 +29,8 @@
|
||||
#include "hw/pci/pci.h"
|
||||
|
||||
#undef VERBOSE
|
||||
-#if 0
|
||||
#define HW_RECT_ACCEL
|
||||
+#if 0
|
||||
#define HW_FILL_ACCEL
|
||||
#endif
|
||||
#define HW_MOUSE_ACCEL
|
||||
@@ -406,7 +406,7 @@ static inline void vmsvga_update_rect_flush(struct vmsvga_state_s *s)
|
||||
}
|
||||
|
||||
#ifdef HW_RECT_ACCEL
|
||||
-static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
|
||||
+static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
|
||||
int x0, int y0, int x1, int y1, int w, int h)
|
||||
{
|
||||
DisplaySurface *surface = qemu_console_surface(s->vga.con);
|
||||
@@ -417,6 +417,13 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
|
||||
int line = h;
|
||||
uint8_t *ptr[2];
|
||||
|
||||
+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/src", x0, y0, w, h)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (!vmsvga_verify_rect(surface, "vmsvga_copy_rect/dst", x1, y1, w, h)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (y1 > y0) {
|
||||
ptr[0] = vram + bypp * x0 + bypl * (y0 + h - 1);
|
||||
ptr[1] = vram + bypp * x1 + bypl * (y1 + h - 1);
|
||||
@@ -432,6 +439,7 @@ static inline void vmsvga_copy_rect(struct vmsvga_state_s *s,
|
||||
}
|
||||
|
||||
vmsvga_update_rect_delayed(s, x1, y1, w, h);
|
||||
+ return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -625,12 +633,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
width = vmsvga_fifo_read(s);
|
||||
height = vmsvga_fifo_read(s);
|
||||
#ifdef HW_RECT_ACCEL
|
||||
- vmsvga_copy_rect(s, x, y, dx, dy, width, height);
|
||||
- break;
|
||||
-#else
|
||||
+ if (vmsvga_copy_rect(s, x, y, dx, dy, width, height) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+#endif
|
||||
args = 0;
|
||||
goto badcmd;
|
||||
-#endif
|
||||
|
||||
case SVGA_CMD_DEFINE_CURSOR:
|
||||
len -= 8;
|
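Review bot: vmsvga_copy_rect() now returns `int` 0/-1 while the helper it calls returns `bool`, and neither the function nor its call site in vmsvga_fifo_run() documents the convention. Either return `bool` like vmsvga_verify_rect() or add `/* returns 0 on success, -1 if the source or destination rectangle is rejected (nothing is copied) */` above it. At the call site a rejected rectangle falls through past `#endif` to `goto badcmd`, the same path as a build without HW_RECT_ACCEL, so a short comment there (`/* invalid rectangle: handle like an unsupported command */`) would show the fall-through is intentional. The 0014 patch makes the same change to vmsvga_fill_rect() and its call site in vmsvga_fifo_run(). Both function bodies extend beyond the hunks shown.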
@ -0,0 +1,72 @@
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 29 Oct 2014 12:56:10 +0100
|
||||
Subject: [PATCH] vmware-vga: use vmsvga_verify_rect in vmsvga_fill_rect
|
||||
|
||||
Add verification to vmsvga_fill_rect, re-enable HW_FILL_ACCEL.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Don Koch <dkoch@verizon.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 17 ++++++++++-------
|
||||
1 file changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index c2e0a43..d44e3e8 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -30,9 +30,7 @@
|
||||
|
||||
#undef VERBOSE
|
||||
#define HW_RECT_ACCEL
|
||||
-#if 0
|
||||
#define HW_FILL_ACCEL
|
||||
-#endif
|
||||
#define HW_MOUSE_ACCEL
|
||||
|
||||
#include "vga_int.h"
|
||||
@@ -444,7 +442,7 @@ static inline int vmsvga_copy_rect(struct vmsvga_state_s *s,
|
||||
#endif
|
||||
|
||||
#ifdef HW_FILL_ACCEL
|
||||
-static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
|
||||
+static inline int vmsvga_fill_rect(struct vmsvga_state_s *s,
|
||||
uint32_t c, int x, int y, int w, int h)
|
||||
{
|
||||
DisplaySurface *surface = qemu_console_surface(s->vga.con);
|
||||
@@ -457,6 +455,10 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
|
||||
uint8_t *src;
|
||||
uint8_t col[4];
|
||||
|
||||
+ if (!vmsvga_verify_rect(surface, __func__, x, y, w, h)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
col[0] = c;
|
||||
col[1] = c >> 8;
|
||||
col[2] = c >> 16;
|
||||
@@ -481,6 +483,7 @@ static inline void vmsvga_fill_rect(struct vmsvga_state_s *s,
|
||||
}
|
||||
|
||||
vmsvga_update_rect_delayed(s, x, y, w, h);
|
||||
+ return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -613,12 +616,12 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
width = vmsvga_fifo_read(s);
|
||||
height = vmsvga_fifo_read(s);
|
||||
#ifdef HW_FILL_ACCEL
|
||||
- vmsvga_fill_rect(s, colour, x, y, width, height);
|
||||
- break;
|
||||
-#else
|
||||
+ if (vmsvga_fill_rect(s, colour, x, y, width, height) == 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+#endif
|
||||
args = 0;
|
||||
goto badcmd;
|
||||
-#endif
|
||||
|
||||
case SVGA_CMD_RECT_COPY:
|
||||
len -= 7;
|
28
qemu.spec
28
qemu.spec
@ -152,7 +152,7 @@
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.1.2
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
@ -204,6 +204,16 @@ Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
|
||||
Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
|
||||
# Fix PPC virtio regression (bz #1144490)
|
||||
Patch0008: 0008-Revert-virtio-pci-fix-migration-for-pci-bus-master.patch
|
||||
# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
|
||||
# sanitization (bz #1157647, bz #1157641)
|
||||
Patch0009: 0009-vnc-sanitize-bits_per_pixel-from-the-client.patch
|
||||
# CVE-2014-3689 vmware_vga: insufficient parameter validation in
|
||||
# rectangle functions (bz #1153038, bz #1153035)
|
||||
Patch0010: 0010-vmware-vga-CVE-2014-3689-turn-off-hw-accel.patch
|
||||
Patch0011: 0011-vmware-vga-add-vmsvga_verify_rect.patch
|
||||
Patch0012: 0012-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_update_r.patch
|
||||
Patch0013: 0013-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_copy_rec.patch
|
||||
Patch0014: 0014-vmware-vga-use-vmsvga_verify_rect-in-vmsvga_fill_rec.patch
|
||||
|
||||
BuildRequires: SDL2-devel
|
||||
BuildRequires: zlib-devel
|
||||
@ -742,6 +752,16 @@ CAC emulation development files.
|
||||
%patch0007 -p1
|
||||
# Fix PPC virtio regression (bz #1144490)
|
||||
%patch0008 -p1
|
||||
# CVE-2014-7815 vnc: insufficient bits_per_pixel from the client
|
||||
# sanitization (bz #1157647, bz #1157641)
|
||||
%patch0009 -p1
|
||||
# CVE-2014-3689 vmware_vga: insufficient parameter validation in
|
||||
# rectangle functions (bz #1153038, bz #1153035)
|
||||
%patch0010 -p1
|
||||
%patch0011 -p1
|
||||
%patch0012 -p1
|
||||
%patch0013 -p1
|
||||
%patch0014 -p1
|
||||
|
||||
|
||||
%build
|
||||
@ -1521,6 +1541,12 @@ getent passwd qemu >/dev/null || \
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 29 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.2-6
|
||||
- CVE-2014-7815 vnc: insufficient bits_per_pixel from the client sanitization
|
||||
(bz #1157647, bz #1157641)
|
||||
- CVE-2014-3689 vmware_vga: insufficient parameter validation in rectangle
|
||||
functions (bz #1153038, bz #1153035)
|
||||
|
||||
* Fri Oct 24 2014 Danel P. Berrange <berrange@redhat.com> - 2:2.1.2-5
|
||||
- Fix dep on numactl-devel to be build time not install time
|
||||
|
||||
|