Bastian Blank
2008-Jul-15 18:18 UTC
[Pkg-xen-changes] r602 - in branches/etch/xen-3.0/debian: . patches
Author: waldi Date: Tue Jul 15 18:18:45 2008 New Revision: 602 Log: Fix CVE-2007-0998. * debian/changelog: Update. * debian/patches/00list: Add CVE-2007-0998.dpatch. * debian/patches/CVE-2007-0998.dpatch: Add. Added: branches/etch/xen-3.0/debian/patches/CVE-2007-0998.dpatch (contents, props changed) Modified: branches/etch/xen-3.0/debian/changelog branches/etch/xen-3.0/debian/patches/00list Modified: branches/etch/xen-3.0/debian/changelog =============================================================================--- branches/etch/xen-3.0/debian/changelog (original) +++ branches/etch/xen-3.0/debian/changelog Tue Jul 15 18:18:45 2008 @@ -1,5 +1,7 @@ xen-3.0 (3.0.3-0-5) UNRELEASED; urgency=low + * Disable access to the qemu monitor. + See: CVE-2007-0998 * Clear debug registers for HVM guests. See: CVE-2007-5906 * Fix range checks in ioemu block support. Modified: branches/etch/xen-3.0/debian/patches/00list =============================================================================--- branches/etch/xen-3.0/debian/patches/00list (original) +++ branches/etch/xen-3.0/debian/patches/00list Tue Jul 15 18:18:45 2008 @@ -13,3 +13,4 @@ CVE-2007-5906 CVE-2008-0928 CVE-2008-2004 +CVE-2007-0998 Added: branches/etch/xen-3.0/debian/patches/CVE-2007-0998.dpatch =============================================================================--- (empty file) +++ branches/etch/xen-3.0/debian/patches/CVE-2007-0998.dpatch Tue Jul 15 18:18:45 2008 
@@ -0,0 +1,105 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+
+ at DPATCH@
+diff -r 9333e98676f8 -r e63d316ff894 tools/ioemu/vnc.c
+--- a/tools/ioemu/vnc.c Sat Jul 12 13:32:21 2008 +0200
++++ b/tools/ioemu/vnc.c Tue Jul 15 20:17:06 2008 +0200
+@@ -111,8 +111,6 @@ struct VncState
+ int visible_y;
+ int visible_w;
+ int visible_h;
+-
+- int ctl_keys; /* Ctrl+Alt starts calibration */
+ };
+
+ #define DIRTY_PIXEL_BITS 64
+@@ -849,80 +847,17 @@ static void pointer_event(VncState *vs,
+
+ static void do_key_event(VncState *vs, int down, uint32_t sym)
+ {
++ int keycode;
++
+ sym &= 0xFFFF;
+
+- if (is_graphic_console()) {
+- int keycode;
+-
+- keycode = keysym2scancode(vs->kbd_layout, sym);
+- if (keycode & 0x80)
+- kbd_put_keycode(0xe0);
+- if (down)
+- kbd_put_keycode(keycode & 0x7f);
+- else
+- kbd_put_keycode(keycode | 0x80);
+- } else if (down) {
+- int qemu_keysym = 0;
+-
+- if (sym <= 128) /* normal ascii */
+- qemu_keysym = sym;
+- else {
+- switch (sym) {
+- case XK_Up: qemu_keysym = QEMU_KEY_UP; break;
+- case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break;
+- case XK_Left: qemu_keysym = QEMU_KEY_LEFT; break;
+- case XK_Right: qemu_keysym = QEMU_KEY_RIGHT; break;
+- case XK_Home: qemu_keysym = QEMU_KEY_HOME; break;
+- case XK_End: qemu_keysym = QEMU_KEY_END; break;
+- case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break;
+- case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break;
+- case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break;
+- case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break;
+- case XK_Return:
+- case XK_Linefeed: qemu_keysym = sym; break;
+- default: break;
+- }
+- }
+- if (qemu_keysym != 0)
+- kbd_put_keysym(qemu_keysym);
+- }
+-
+- if (down) {
+- switch (sym) {
+- case XK_Control_L:
+- vs->ctl_keys |= 1;
+- break;
+-
+- case XK_Alt_L:
+- vs->ctl_keys |= 2;
+- break;
+-
+- default:
+- break;
+- }
+- } else {
+- switch (sym) {
+- case XK_Control_L:
+- vs->ctl_keys &= ~1;
+- break;
+-
+- case XK_Alt_L:
+- vs->ctl_keys &= ~2;
+- break;
+-
+- case XK_1 ... XK_9:
+- if ((vs->ctl_keys & 3) != 3)
+- break;
+-
+- console_select(sym - XK_1);
+- if (is_graphic_console()) {
+- /* tell the vga console to redisplay itself */
+- vga_hw_invalidate();
+- vnc_dpy_update(vs->ds, 0, 0, vs->ds->width, vs->ds->height);
+- }
+- break;
+- }
+- }
++ keycode = keysym2scancode(vs->kbd_layout, sym);
++ if (keycode & 0x80)
++ kbd_put_keycode(0xe0);
++ if (down)
++ kbd_put_keycode(keycode & 0x7f);
++ else
++ kbd_put_keycode(keycode | 0x80);
+ }
+
+ static void key_event(VncState *vs, int down, uint32_t sym)
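Review bot: The rewritten `do_key_event` in tools/ioemu/vnc.c carries no comment recording that the `console_select()` and `kbd_put_keysym()` paths were dropped on purpose, so a later resync of this file could restore VNC access to the monitor console without anyone noticing. I would add above the `keysym2scancode()` call: `/* VNC keys go to the guest only: no console switching, no monitor keysyms (CVE-2007-0998). */`. Separately, the result of `keysym2scancode()` is used unchecked; if it yields 0 for an unmapped keysym (its definition is not visible here), scancode 0 on press and 0x80 on release are injected into the guest, so `if (!keycode) return;` may be worth adding. With the `is_graphic_console()` test gone, every key event now reaches the guest keyboard regardless of the active console, which is only right if nothing else reachable over VNC can still call `console_select()`; that cannot be confirmed from this patch alone.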