Hello,

The VENOM vulnerability is unfixed in squeeze (except for squeeze-backports):

https://security-tracker.debian.org/tracker/CVE-2015-3456

Even though qemu is not supported in squeeze-lts, I propose to fix this particular vulnerability due to its severity, but make clear in the DLA that qemu is not supported in general (as suggested by Raphael Hertzog).

I have attached a debdiff with the backported patch for fdc.c from [1] and I'd appreciate review comments.

Best,

Michael

[1] http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c

--
Michael Banck
Projektleiter / Berater
Tel.: +49 (2161) 4643-171
Fax: +49 (2161) 4643-100
Email: michael.ba...@credativ.de

credativ GmbH, HRB Mönchengladbach 12080
USt-ID-Nummer: DE204566209
Hohenzollernstr. 133, 41061 Mönchengladbach
Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer
diff -u qemu-0.12.5+dfsg/debian/changelog qemu-0.12.5+dfsg/debian/changelog --- qemu-0.12.5+dfsg/debian/changelog +++ qemu-0.12.5+dfsg/debian/changelog @@ -1,3 +1,10 @@ +qemu (0.12.5+dfsg-3squeeze5) squeeze-lts; urgency=high + + * fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch + (Closes: CVE-2015-3456) + + -- Michael Banck <michael.ba...@credativ.de> Fri, 12 Jun 2015 13:34:20 +0200 + qemu (0.12.5+dfsg-3squeeze4) squeeze-security; urgency=high * fix guest-triggerable buffer overrun in virtio-net device diff -u qemu-0.12.5+dfsg/debian/patches/series qemu-0.12.5+dfsg/debian/patches/series --- qemu-0.12.5+dfsg/debian/patches/series +++ qemu-0.12.5+dfsg/debian/patches/series @@ -12,0 +13 @@ +fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch only in patch2: unchanged: --- qemu-0.12.5+dfsg.orig/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch +++ qemu-0.12.5+dfsg/debian/patches/fdc-force-the-fifo-access-to-be-in-bounds-CVE-2015-3456.patch 
@@ -0,0 +1,79 @@ +From: Petr Matousek <pmato...@redhat.com> +Date: Wed, 6 May 2015 07:48:59 +0000 (+0200) +Subject: fdc: force the fifo access to be in bounds of the allocated buffer +X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c +Bug-Debian: http://bugs.debian.org/785424 +Comment: back-patched to 0.12 by mbanck + +fdc: force the fifo access to be in bounds of the allocated buffer + +During processing of certain commands such as FD_CMD_READ_ID and +FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could +get out of bounds leading to memory corruption with values coming +from the guest. + +Fix this by making sure that the index is always bounded by the +allocated memory. + +This is CVE-2015-3456. + +Signed-off-by: Petr Matousek <pmato...@redhat.com> +Reviewed-by: John Snow <js...@redhat.com> +Signed-off-by: John Snow <js...@redhat.com> +--- a/hw/fdc.c 2010-07-22 14:39:04.000000000 +0200 ++++ b/hw/fdc.c 2015-05-20 09:20:54.862475399 +0200 +@@ -1314,7 +1314,7 @@ + { + fdrive_t *cur_drv; + uint32_t retval = 0; +- int pos; ++ uint32_t pos; + + cur_drv = get_cur_drv(fdctrl); + fdctrl->dsr &= ~FD_DSR_PWRDOWN; +@@ -1323,8 +1323,8 @@ + return 0; + } + pos = fdctrl->data_pos; ++ pos %= FD_SECTOR_LEN; + if (fdctrl->msr & FD_MSR_NONDMA) { +- pos %= FD_SECTOR_LEN; + if (pos == 0) { + if (fdctrl->data_pos != 0) + if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { +@@ -1669,10 +1669,13 @@ + static void fdctrl_handle_drive_specification_command (fdctrl_t *fdctrl, int direction) + { + fdrive_t *cur_drv = get_cur_drv(fdctrl); ++ uint32_t pos; + +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { ++ pos = fdctrl->data_pos - 1; ++ pos %= FD_SECTOR_LEN; ++ if (fdctrl->fifo[pos] & 0x80) { + /* Command parameters done */ +- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { ++ if (fdctrl->fifo[pos] & 0x40) { + fdctrl->fifo[0] = fdctrl->fifo[1]; + fdctrl->fifo[2] = 0; + fdctrl->fifo[3] = 0; +@@ -1767,7 +1770,7 @@ + static 
void fdctrl_write_data (fdctrl_t *fdctrl, uint32_t value) + { + fdrive_t *cur_drv; +- int pos; ++ uint32_t pos; + + /* Reset mode */ + if (!(fdctrl->dor & FD_DOR_nRESET)) { +@@ -1813,7 +1816,9 @@ + } + + FLOPPY_DPRINTF("%s: %02x\n", __func__, value); +- fdctrl->fifo[fdctrl->data_pos++] = value; ++ pos = fdctrl->data_pos++; ++ pos %= FD_SECTOR_LEN; ++ fdctrl->fifo[pos] = value; + if (fdctrl->data_pos == fdctrl->data_len) { + /* We now have all parameters + * and will be able to treat the command
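Review bot: the debian/changelog hunk describes the change only by its patch file name; a one-line description of what is fixed would serve readers of the DLA and apt-listchanges better, e.g. `* Fix CVE-2015-3456 (VENOM): out-of-bounds FIFO access in the floppy disk controller (hw/fdc.c), backported from upstream commit e907746266721f305d67bc0718795fedee2e824c (Closes: #785424)`. The patch header already points at http://bugs.debian.org/785424, so the Debian bug can be closed from the changelog as well rather than only naming the CVE.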
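Review bot: the new patch file's header carries the upstream commit as an `X-Git-Url:` line plus a free-form `Comment: back-patched to 0.12 by mbanck`; the DEP-3 way to say the same is `Origin: backport, http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=e907746266721f305d67bc0718795fedee2e824c`, which lets tooling recognise the patch as a backport of a specific upstream commit. The `Bug-Debian:` line is already in DEP-3 form, and keeping the upstream `From:`, `Date:` and Signed-off-by lines intact is the right call.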
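Review bot: in the two fdctrl_read_data hunks (@@ -1314 and @@ -1323), `pos %= FD_SECTOR_LEN` is moved out of the `FD_MSR_NONDMA` branch so the index is bounded on the DMA path too, and `pos` becomes `uint32_t` so a negative `data_pos` cannot produce a negative result from the modulo; both match the upstream commit. The hunks bound only the index used for the `fifo[]` access and leave `fdctrl->data_pos` itself unbounded, which is also what upstream does, so please confirm that every later use of `pos` in this function (not visible in the hunk) comes after the modulo and that no remaining read indexes `fifo[]` with `fdctrl->data_pos` directly.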
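Review bot: in the fdctrl_handle_drive_specification_command hunk (@@ -1669), `pos = fdctrl->data_pos - 1; pos %= FD_SECTOR_LEN;` with `uint32_t pos` also covers `data_pos == 0`: the subtraction wraps to UINT32_MAX and, FD_SECTOR_LEN (512) being a power of two, the modulo yields 511, still inside the buffer, whereas the old `fdctrl->fifo[fdctrl->data_pos - 1]` with a zero `data_pos` would have indexed `fifo[-1]`. The logic is correct as written; a one-line comment noting that the unsigned wrap is intentional would spare the next reader the overflow reasoning.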
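Review bot: in the fdctrl_write_data hunks (@@ -1767 and @@ -1813), `pos = fdctrl->data_pos++;` takes the pre-increment value, so `pos %= FD_SECTOR_LEN` bounds the write into `fifo[]` while `fdctrl->data_pos` still advances for the `fdctrl->data_pos == fdctrl->data_len` completion check that follows; that preserves the command-completion behaviour while closing the overrun. The hunk offsets are consistent with the earlier hunks (+3 lines from @@ -1669 shifts the later hunks to +1770 and +1816), so the patch should apply cleanly to the squeeze fdc.c.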