Hello,

The VENOM vulnerability is unfixed in squeeze (except for
squeeze-backports):

https://security-tracker.debian.org/tracker/CVE-2015-3456

Even though qemu is not supported in squeeze-lts, I propose to fix this
particular vulnerability due to its severity, but make clear in the DLA
that qemu is not supported in general (as suggested by Raphael Hertzog).

I have attached a debdiff with the backported patch for fdc.c from [1]
and I'd appreciate review comments.


Best,

Michael

[1] 
http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c

-- 
Michael Banck
Projektleiter / Berater
Tel.: +49 (2161) 4643-171
Fax:  +49 (2161) 4643-100
Email: michael.ba...@credativ.de

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
diff -u qemu-0.12.5+dfsg/debian/changelog qemu-0.12.5+dfsg/debian/changelog
--- qemu-0.12.5+dfsg/debian/changelog
+++ qemu-0.12.5+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=high
+
+  * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
+    (Closes: CVE-2015-3456)
+
+ -- Michael Banck <michael.ba...@credativ.de>  Fri, 12 Jun 2015 13:34:20 +0200
+
 qemu (0.12.5+dfsg-3squeeze4) squeeze-security; urgency=high
 
   * fix guest-triggerable buffer overrun in virtio-net device
diff -u qemu-0.12.5+dfsg/debian/patches/series qemu-0.12.5+dfsg/debian/patches/series
--- qemu-0.12.5+dfsg/debian/patches/series
+++ qemu-0.12.5+dfsg/debian/patches/series
@@ -12,0 +13 @@
+fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
only in patch2:
unchanged:
--- qemu-0.12.5+dfsg.orig/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
+++ qemu-0.12.5+dfsg/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch
@@ -0,0 +1,79 @@
+From: Petr Matousek <pmato...@redhat.com>
+Date: Wed, 6 May 2015 07:48:59 +0000 (+0200)
+Subject: fdc: force the fifo access to be in bounds of the allocated buffer
+X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c
+Bug-Debian: http://bugs.debian.org/785424
+Comment: back-patched to 0.12 by mbanck
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmato...@redhat.com>
+Reviewed-by: John Snow <js...@redhat.com>
+Signed-off-by: John Snow <js...@redhat.com>
+--- a/hw/fdc.c	2010-07-22 14:39:04.000000000 +0200
++++ b/hw/fdc.c	2015-05-20 09:20:54.862475399 +0200
+@@ -1314,7 +1314,7 @@
+ {
+     fdrive_t *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1323,8 +1323,8 @@
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1669,10 +1669,13 @@
+ static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction)
+ {
+     fdrive_t *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1767,7 +1770,7 @@
+ static void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value)
+ {
+     fdrive_t *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1813,7 +1816,9 @@
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
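Review bot: Every new bound in this patch is the compile-time constant FD_SECTOR_LEN (the `pos %= FD_SECTOR_LEN;` lines in all three touched functions), so the fix is only sound if the 0.12.5 `fdctrl_t` really allocates `fifo` with exactly FD_SECTOR_LEN bytes; the hunks do not show that allocation, so it should be confirmed against the squeeze hw/fdc.c before upload, since later upstream trees appear to size the buffer separately. A short comment at the first masking site would record the invariant for the next LTS maintainer, e.g. `/* data_pos is guest-controlled; fifo is FD_SECTOR_LEN bytes, so mask before indexing (CVE-2015-3456) */`. In fdctrl_handle_drive_specification_command, `pos = fdctrl->data_pos - 1;` wraps to UINT32_MAX when data_pos is 0 and the modulo then yields 511 — in bounds, and identical to the upstream commit, but worth noting in the review that the backport inherits this quirk rather than rejecting the state. The inner hunk headers carry no function names (e.g. `@@ -1314,7 +1314,7 @@`), which makes checking the offsets against 0.12.5 harder than it needs to be; regenerating the patch with `diff -p` or `git diff` would help the review you asked for. All three enclosing functions begin or continue outside the hunks shown.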
