Version in base suite: 72+dfsg-5~lenny2
Version in overlay suite: (not present)
Base version: kvm_72+dfsg-5~lenny2
Target version: kvm_72+dfsg-5~lenny3
Base file: /org/ftp.debian.org/ftp/pool/main/k/kvm/kvm_72+dfsg-5~lenny2.dsc
Target file: /org/ftp.debian.org/queue/p-u-new/kvm_72+dfsg-5~lenny3.dsc
debian/patches/CVE-2008-5714.patch | 33 +++++++++++++++++++++++++++++++++
debian/patches/CVE-2009-3290.patch | 32 ++++++++++++++++++++++++++++++++
kvm-72+dfsg/debian/changelog | 9 +++++++++
kvm-72+dfsg/debian/patches/series | 2 ++
4 files changed, 76 insertions(+)
diff -u kvm-72+dfsg/debian/changelog kvm-72+dfsg/debian/changelog
--- kvm-72+dfsg/debian/changelog
+++ kvm-72+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+kvm (72+dfsg-5~lenny3) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Considers hypercalls valid only if issued from guest ring 0 (CVE-2009-3290)
+ (Closes: 548975)
+ * Add patch from upstream qemu for CVE-2008-5714 (Closes: #509997)
+
+ -- Giuseppe Iuculano Sun, 11 Oct 2009 11:16:45 +0200
+
 kvm (72+dfsg-5~lenny2) stable-security; urgency=high
 
 * Non-maintainer upload by the security team
diff -u kvm-72+dfsg/debian/patches/series kvm-72+dfsg/debian/patches/series
--- kvm-72+dfsg/debian/patches/series
+++ kvm-72+dfsg/debian/patches/series
@@ -19,0 +20,2 @@
+CVE-2009-3290.patch
+CVE-2008-5714.patch
only in patch2: unchanged:
--- kvm-72+dfsg.orig/debian/patches/CVE-2009-3290.patch
+++ kvm-72+dfsg/debian/patches/CVE-2009-3290.patch
@@ -0,0 +1,32 @@
+--- a/kernel/include/linux/kvm_para.h
++++ b/kernel/include/linux/kvm_para.h
+@@ -13,6 +13,7 @@
+ #define KVM_ENOSYS 1000
+ #define KVM_EFAULT EFAULT
+ #define KVM_E2BIG E2BIG
++#define KVM_EPERM EPERM
+ 
+ #define KVM_HC_VAPIC_POLL_IRQ 1
+ #define KVM_HC_MMU_OP 2
+--- a/kernel/x86.c
++++ b/kernel/x86.c
+@@ -2571,6 +2571,11 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ a3 &= 0xFFFFFFFF;
+ }
+ 
++ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
++ ret = -KVM_EPERM;
++ goto out;
++ }
++
+ switch (nr) {
+ case KVM_HC_VAPIC_POLL_IRQ:
+ ret = 0;
+@@ -2582,6 +2587,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
++out:
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
+ ++vcpu->stat.hypercalls;
+ return r;
only in patch2: unchanged:
--- kvm-72+dfsg.orig/debian/patches/CVE-2008-5714.patch
+++ kvm-72+dfsg/debian/patches/CVE-2008-5714.patch
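Review bot: CVE-2009-3290.patch carries no header describing where the fix comes from, unlike CVE-2008-5714.patch which keeps the upstream commit message; a DEP-3 style header such as `Description: Reject hypercalls issued from guest CPL != 0 (CVE-2009-3290)` and `Origin: upstream, <upstream commit id>` (placeholder, fill in from the upstream tree) would let the next maintainer verify the backport against upstream. On the code itself, the new guard in kvm_emulate_hypercall jumps to `out:` before the switch, so a non-ring-0 caller still has RAX set to -KVM_EPERM and still counts in vcpu->stat.hypercalls, which appears to be the intended observable behaviour; note that `KVM_EPERM` is defined as the host `EPERM` and so becomes part of the guest-visible hypercall return values alongside the KVM-specific `KVM_ENOSYS 1000`. kvm_emulate_hypercall starts and ends outside the hunk.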
@@ -0,0 +1,33 @@
+From 2a7e8dda090af586f3d0b3d157054a9e18776a52 Mon Sep 17 00:00:00 2001
+From: aliguori
+Date: Wed, 10 Dec 2008 15:12:57 +0000
+Subject: [PATCH] Fix off-by-one bug limiting VNC passwords to 7 chars (Chris Webb)
+
+monitor_readline expects buf_size to include the terminating \0, but
+do_change_vnc in monitor.c calls it as though it doesn't. The other site
+where monitor_readline reads a password (in vl.c) passes the buffer
+length
+correctly.
+
+Signed-off-by: Chris Webb
+Signed-off-by: Anthony Liguori
+
+
+
+git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@5966 c046a42c-6fe2-441c-8c8c-71466251a162
+---
+ monitor.c | 3 +--
+ 1 files changed, 1 insertions(+), 2 deletions(-)
+
+--- a/qemu/monitor.c
++++ b/qemu/monitor.c
+@@ -449,8 +449,7 @@ static void do_change_vnc(const char *ta
+ if (strcmp(target, "passwd") == 0 ||
+ strcmp(target, "password") == 0) {
+ char password[9];
+- monitor_readline("Password: ", 1, password, sizeof(password)-1);
+- password[sizeof(password)-1] = '\0';
++ monitor_readline("Password: ", 1, password, sizeof(password));
+ if (vnc_display_password(NULL, password) < 0)
+ term_printf("could not set VNC server password\n");
+ } else {
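Review bot: The rewritten call `monitor_readline("Password: ", 1, password, sizeof(password));` also drops the explicit `password[sizeof(password)-1] = '\0';`, so NUL termination of the 9-byte buffer now rests entirely on monitor_readline writing the terminator within buf_size, which the commit message asserts but the hunk does not show; worth confirming against the kvm-72 copy in qemu/monitor.c before accepting, since the patch paths (`a/qemu/monitor.c`) were adjusted from the upstream diffstat (`monitor.c`) and the two trees may differ. Separately, the clear-text password stays in the stack buffer after `vnc_display_password(NULL, password)` returns; a `memset(password, 0, sizeof(password));` after that call (or a compiler-resistant equivalent if this tree has one) would shorten its lifetime. do_change_vnc starts and ends outside the hunk.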