Branch: refs/heads/master
Home: https://github.com/qemu/qemu
Commit: 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
https://github.com/qemu/qemu/commit/9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895
Author: Mauro Matteo Cascella <[email protected]>
Date: 2022-04-07 (Thu, 07 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
Log Message:
-----------
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Avoid fetching 'width' and 'height' a second time to prevent possible
race condition. Refer to security advisory
https://starlabs.sg/advisories/22-4207/ for more information.
Fixes: CVE-2021-4207
Signed-off-by: Mauro Matteo Cascella <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Commit: fa892e9abb728e76afcf27323ab29c57fb0fe7aa
https://github.com/qemu/qemu/commit/fa892e9abb728e76afcf27323ab29c57fb0fe7aa
Author: Mauro Matteo Cascella <[email protected]>
Date: 2022-04-07 (Thu, 07 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
M hw/display/vmware_vga.c
M ui/cursor.c
Log Message:
-----------
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
Prevent potential integer overflow by limiting 'width' and 'height' to
512x512. Also change 'datasize' type to size_t. Refer to security
advisory https://starlabs.sg/advisories/22-4206/ for more information.
Fixes: CVE-2021-4206
Signed-off-by: Mauro Matteo Cascella <[email protected]>
Reviewed-by: Marc-André Lureau <[email protected]>
Message-Id: <[email protected]>
Signed-off-by: Gerd Hoffmann <[email protected]>
Commit: dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
https://github.com/qemu/qemu/commit/dde8689d1fe82e295a278ba4bf1abd9be5c7bcab
Author: Peter Maydell <[email protected]>
Date: 2022-04-08 (Fri, 08 Apr 2022)
Changed paths:
M hw/display/qxl-render.c
M hw/display/vmware_vga.c
M ui/cursor.c
Log Message:
-----------
Merge tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu into
staging
two cursor/qxl related security fixes.
# gpg: Signature made Fri 08 Apr 2022 05:37:16 BST
# gpg: using RSA key A0328CFFB93A17A79901FE7D4CB6D8EED3E87138
# gpg: Good signature from "Gerd Hoffmann (work) <[email protected]>" [full]
# gpg: aka "Gerd Hoffmann <[email protected]>" [full]
# gpg: aka "Gerd Hoffmann (private) <[email protected]>" [full]
# Primary key fingerprint: A032 8CFF B93A 17A7 9901 FE7D 4CB6 D8EE D3E8 7138
* tag 'fixes-20220408-pull-request' of git://git.kraxel.org/qemu:
ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
Signed-off-by: Peter Maydell <[email protected]>
Compare: https://github.com/qemu/qemu/compare/95a3fcc7487e...dde8689d1fe8
