~ubuntu-branches/debian/jessie/qemu/jessie

Viewing changes to debian/patches/fix-buffer-overrun-CVE-2011-4111.patch

  • Committer: Package Import Robot
  • Author(s): Vagrant Cascadian
  • Date: 2011-11-28 20:34:50 UTC
  • Revision ID: package-import@ubuntu.com-20111128203450-2b88f2udzswupe8z
Tags: 0.15.1+dfsg-2
* Add patch that fixes a buffer overrun (CVE-2011-4111). 
* Enable spice support on amd64:
  - Add Build-Depends: libspice-server-dev, libspice-protocol-dev
* debian/rules: Use dh_prep instead of "dh_clean -k", which is deprecated. 

commit 7e62255a4b3e0e2ab84a3ec7398640e8ed58620a
Author: Markus Armbruster <armbru@redhat.com>
Date:   Mon Nov 28 20:27:37 2011 +0100
 
    ccid: Fix buffer overrun in handling of VSC_ATR message
    
    ATR size exceeding the limit is diagnosed, but then we merrily use it
    anyway, overrunning card->atr[].
    
    The message is read from a character device.  Obvious security
    implications unless the other end of the character device is trusted.
    
    Spotted by Coverity.  CVE-2011-4111.
    
    Signed-off-by: Markus Armbruster <armbru@redhat.com>
    Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
 
diff --git a/hw/ccid-card-passthru.c b/hw/ccid-card-passthru.c
index 2cbc81b..9f51c6c 100644
--- a/hw/ccid-card-passthru.c
+++ b/hw/ccid-card-passthru.c
@@ -150,6 +150,7 @@ static void ccid_card_vscard_handle_message(PassthruState *card,
             error_report("ATR size exceeds spec, ignoring");
             ccid_card_vscard_send_error(card, scr_msg_header->reader_id,
                                         VSC_GENERAL_ERROR);
+            break;
         }
         memcpy(card->atr, data, scr_msg_header->length);
         card->atr_length = scr_msg_header->length;
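
Review bot: At the added `break;`, the oversize path now leaves `card->atr` and `card->atr_length` holding whatever an earlier VSC_ATR message stored, and nothing in the hunk says whether that is intended. If a rejected ATR should not leave a previous one in effect, reset `card->atr_length` before the `break`; otherwise a one-line comment stating that the old ATR is kept on purpose would help. The size test itself sits above the visible context, so it is worth confirming that its bound is tied to `sizeof(card->atr)`, because the `memcpy` that follows still copies `scr_msg_header->length` bytes taken from the character device. Placing the `memcpy` and the `atr_length` assignment in an `else` branch would make the copy structurally unreachable on the error path instead of depending on control flow out of the `if`.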