1 files changed, 0 insertions, 59 deletions
diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch
deleted file mode 100644
index 3b4a6694..00000000
--- a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-CVE: CVE-2022-3165
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Sun, 25 Sep 2022 22:45:11 +0200
-Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
- vnc_client_cut_text_ext
-Extended ClientCutText messages start with a 4-byte header. If len < 4,
-an integer underflow occurs in vnc_client_cut_text_ext. The result is
-used to decompress data in a while loop in inflate_buffer, leading to
-CPU consumption and denial of service. Prevent this by checking dlen in
-protocol_client_msg.
-Fixes: CVE-2022-3165
-Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
-Reported-by: TangPeng <tangpeng@qianxin.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
- ui/vnc.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 6a05d06147..acb3629cd8 100644
--- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
-         if (len == 1) {
-             return 8;
-         }
-+        uint32_t dlen = abs(read_s32(data, 4));
-         if (len == 8) {
-            uint32_t dlen = abs(read_s32(data, 4));
-             if (dlen > (1 << 20)) {
-                 error_report("vnc: client_cut_text msg payload has %u bytes"
-                              " which exceeds our limit of 1MB.", dlen);
-@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
-         }
- 
-         if (read_s32(data, 4) < 0) {
-            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
-                                    read_u32(data, 8), data + 12);
-+            if (dlen < 4) {
-+                error_report("vnc: malformed payload (header less than 4 bytes)"
-+                             " in extended clipboard pseudo-encoding.");
-+                vnc_client_error(vs);
-+                break;
-+            }
-+            vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
-             break;
-         }
-         vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
-- 
-GitLab

diff --git a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch b/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch deleted file mode 100644 index 3b4a6694..00000000 --- a/meta-xilinx-core/recipes-devtools/qemu/qemu-xilinx-7.1.0/CVE-2022-3165.patch +++ /dev/null
@@ -1,59 +0,0 @@
1	CVE: CVE-2022-3165
2	Upstream-Status: Backport
3	Signed-off-by: Ross Burton <ross.burton@arm.com>
4
5	From d307040b18bfcb1393b910f1bae753d5c12a4dc7 Mon Sep 17 00:00:00 2001
6	From: Mauro Matteo Cascella <mcascell@redhat.com>
7	Date: Sun, 25 Sep 2022 22:45:11 +0200
8	Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
9	vnc_client_cut_text_ext
10
11	Extended ClientCutText messages start with a 4-byte header. If len < 4,
12	an integer underflow occurs in vnc_client_cut_text_ext. The result is
13	used to decompress data in a while loop in inflate_buffer, leading to
14	CPU consumption and denial of service. Prevent this by checking dlen in
15	protocol_client_msg.
16
17	Fixes: CVE-2022-3165
18	Fixes: 0bf41cab93e5 ("ui/vnc: clipboard support")
19	Reported-by: TangPeng <tangpeng@qianxin.com>
20	Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
21	Message-Id: <20220925204511.1103214-1-mcascell@redhat.com>
22	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23	---
24	ui/vnc.c \| 11 ++++++++---
25	1 file changed, 8 insertions(+), 3 deletions(-)
26
27	diff --git a/ui/vnc.c b/ui/vnc.c
28	index 6a05d06147..acb3629cd8 100644
29	--- a/ui/vnc.c
30	+++ b/ui/vnc.c
31	@@ -2442,8 +2442,8 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
32	if (len == 1) {
33	return 8;
34	}
35	+ uint32_t dlen = abs(read_s32(data, 4));
36	if (len == 8) {
37	- uint32_t dlen = abs(read_s32(data, 4));
38	if (dlen > (1 << 20)) {
39	error_report("vnc: client_cut_text msg payload has %u bytes"
40	" which exceeds our limit of 1MB.", dlen);
41	@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState vs, uint8_t data, size_t len)
42	}
43
44	if (read_s32(data, 4) < 0) {
45	- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
46	- read_u32(data, 8), data + 12);
47	+ if (dlen < 4) {
48	+ error_report("vnc: malformed payload (header less than 4 bytes)"
49	+ " in extended clipboard pseudo-encoding.");
50	+ vnc_client_error(vs);
51	+ break;
52	+ }
53	+ vnc_client_cut_text_ext(vs, dlen, read_u32(data, 8), data + 12);
54	break;
55	}
56	vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
57	--
58	GitLab
59