svn commit: r433847 - in branches/2017Q1/sysutils/xen-tools: . files

Roger Pau Monné royger at FreeBSD.org
Sat Feb 11 08:43:46 UTC 2017 

Author: royger (src committer)
Date: Sat Feb 11 08:43:45 2017
New Revision: 433847
URL: https://svnweb.freebsd.org/changeset/ports/433847

Log:
  MFH: r433792
  
  xen: apply XSA-209
  
  Sponsored by:	Citrix Systems R&D
  Approved by:	ports-secteam (junovitch)

Added:
  branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch
     - copied unchanged from r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch
Modified:
  branches/2017Q1/sysutils/xen-tools/Makefile
Directory Properties:
  branches/2017Q1/   (props changed)

Modified: branches/2017Q1/sysutils/xen-tools/Makefile
==============================================================================
--- branches/2017Q1/sysutils/xen-tools/Makefile	Sat Feb 11 08:38:13 2017	(r433846)
+++ branches/2017Q1/sysutils/xen-tools/Makefile	Sat Feb 11 08:43:45 2017	(r433847)
@@ -3,7 +3,7 @@
 PORTNAME=	xen
 PKGNAMESUFFIX=	-tools
 PORTVERSION=	4.7.1
-PORTREVISION=   1
+PORTREVISION=   2
 CATEGORIES=	sysutils emulators
 MASTER_SITES=	http://downloads.xenproject.org/release/xen/${PORTVERSION}/
 

Copied: branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch (from r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2017Q1/sysutils/xen-tools/files/xsa208-qemuu.patch	Sat Feb 11 08:43:45 2017	(r433847, copy of r433792, head/sysutils/xen-tools/files/xsa208-qemuu.patch)
@@ -0,0 +1,45 @@
+From: Li Qiang <address at hidden>
+
+When doing bitblt copy in backward mode, we should minus the
+blt width first just like the adding in the forward mode. This
+can avoid the oob access of the front of vga's vram.
+
+Signed-off-by: Li Qiang <address at hidden>
+Message-id: address at hidden
+
+{ kraxel: with backward blits (negative pitch) addr is the topmost
+          address, so check it as-is against vram size ]
+
+[ This is CVE-2017-2615 / XSA-208  - Ian Jackson ]
+
+Cc: address at hidden
+Cc: P J P <address at hidden>
+Cc: Laszlo Ersek <address at hidden>
+Cc: Paolo Bonzini <address at hidden>
+Cc: Wolfgang Bumiller <address at hidden>
+Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
+Signed-off-by: Gerd Hoffmann <address at hidden>
+---
+ hw/display/cirrus_vga.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
+index bdb092e..3bbe3d5 100644
+--- a/hw/display/cirrus_vga.c
++++ b/hw/display/cirrus_vga.c
+@@ -277,10 +277,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
+     }
+     if (pitch < 0) {
+         int64_t min = addr
+-            + ((int64_t)s->cirrus_blt_height-1) * pitch;
+-        int32_t max = addr
+-            + s->cirrus_blt_width;
+-        if (min < 0 || max > s->vga.vram_size) {
++            + ((int64_t)s->cirrus_blt_height - 1) * pitch
++            - s->cirrus_blt_width;
++        if (min < -1 || addr >= s->vga.vram_size) {
+             return true;
+         }
+     } else {
+-- 
+1.8.3.1

More information about the svn-ports-branches mailing list