>
> See https://access.redhat.com/security/cve/CVE-2015-5260,
> https://access.redhat.com/security/cve/CVE-2015-5261 and
> http://openwall.com/lists/oss-security/2015/10/06/4 for some
> details on the security problems discovered.
>
> These patches were already sent to different distributions
> and updates are available for RedHat products (and perhaps others).
>
> First two patches contain additional checks for accessing surfaces
> array in RedWorker structure (see server/red_worker.c).
>
> The other patches group up similar issues related to races between host
> and guest and some structure checking.
> Some of these missing checks allow quite easily to read/write large
> arbitrary memory ranges in the host.
>

These patches were reviewed internally and are already pushed.

Frediano

> Frediano Ziglio (19):
>   worker: validate correctly surfaces
>   worker: avoid double free or double create of surfaces
>   Define a constant to limit data from guest.
>   Fix some integer overflow causing large memory allocations
>   Check properly surface to be created
>   Fix buffer reading overflow
>   Prevent 32 bit integer overflow in bitmap_consistent
>   Fix race condition on red_get_clip_rects
>   Fix race in red_get_image
>   Fix race condition in red_get_string
>   Fix integer overflow computing glyph_size in red_get_string
>   Fix race condition in red_get_data_chunks_ptr
>   Prevent memory leak if red_get_data_chunks_ptr fails
>   Prevent DoS from guest trying to allocate too much data on host for chunks
>   Fix some possible overflows in red_get_string for 32 bit
>   Make sure we can read QXLPathSeg structures
>   Avoid race condition copying segments in red_get_path
>   Prevent data_size to be set independently from data
>   Prevent leak if size from red_get_data_chunks don't match in red_get_image
>
>  server/red_parse_qxl.c | 218 ++++++++++++++++++++++++++++++++++++++-----------
>  server/red_worker.c    |  42 ++++++----
>  2 files changed, 196 insertions(+), 64 deletions(-)
>
> --
> 2.4.3
>
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
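The cover letter names two recurring bug classes: races between host and guest on shared data, and integer overflows in sizes supplied by the guest. The C example below is an added illustration of the defensive pattern for both, not code from the SPICE patches; `guest_rects`, `copy_guest_rects` and `MAX_GUEST_BYTES` are hypothetical names, and the shared-memory layout is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_GUEST_BYTES (1u << 20)  /* assumed cap on data accepted from the guest */

struct rect { int32_t top, left, bottom, right; };

/* Hypothetical header living in guest-writable shared memory. */
struct guest_rects { uint32_t num_rects; struct rect rects[]; };

/*
 * Copy rects out of guest memory into host-private storage.
 * Returns the number copied, or -1 if the guest data is rejected.
 */
int copy_guest_rects(const volatile struct guest_rects *g, size_t mapped_len,
                     struct rect *out, size_t out_cap)
{
    if (mapped_len < sizeof(struct guest_rects))
        return -1;

    /* Single fetch: every later check and the copy use this snapshot, so a
     * guest rewriting num_rects concurrently cannot change the size used. */
    uint32_t n = g->num_rects;

    /* Compare against a quotient rather than multiplying first, so the
     * bound check itself cannot wrap on a 32-bit host. */
    if (n > MAX_GUEST_BYTES / sizeof(struct rect) || n > out_cap)
        return -1;
    size_t bytes = (size_t)n * sizeof(struct rect);
    if (bytes > mapped_len - sizeof(struct guest_rects))
        return -1;

    /* Copy first, then validate the private copy; validating the shared
     * copy would leave a window for the guest to alter it afterwards. */
    memcpy(out, (const void *)g->rects, bytes);
    for (uint32_t i = 0; i < n; i++)
        if (out[i].top > out[i].bottom || out[i].left > out[i].right)
            return -1;
    return (int)n;
}
```
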