From: "Matthias Maier" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matthias Maier" Message-ID: <1473474202.eaeffb27d67769a089170dcc45ea3e8a4efb645b.tamiko@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/, app-emulation/qemu/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch app-emulation/qemu/qemu-2.7.0-r1.ebuild app-emulation/qemu/qemu-2.7.0-r2.ebuild X-VCS-Directories: app-emulation/qemu/files/ app-emulation/qemu/ X-VCS-Committer: tamiko X-VCS-Committer-Name: Matthias Maier X-VCS-Revision: eaeffb27d67769a089170dcc45ea3e8a4efb645b X-VCS-Branch: master Date: Sat, 10 Sep 2016 02:23:44 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b45bedb6-3ef2-468f-be86-e8fff808d6ae X-Archives-Hash: 9602ebc3f8286976a10a18391338b6eb commit: eaeffb27d67769a089170dcc45ea3e8a4efb645b Author: Matthias Maier gentoo org> AuthorDate: Sat Sep 10 02:23:22 2016 +0000 Commit: Matthias Maier gentoo org> CommitDate: Sat Sep 10 02:23:22 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaeffb27 app-emulation/qemu: apply fix for CVE-2016-7170, bug #593284 Package-Manager: portage-2.2.28 .../qemu/files/qemu-2.7.0-CVE-2016-7170.patch | 40 ++++++++++++++++++++++ .../{qemu-2.7.0-r1.ebuild => qemu-2.7.0-r2.ebuild} | 1 + 2 files changed, 41 insertions(+) diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch new file mode 100644 index 00000000..7eb5f76 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch 
@@ -0,0 +1,40 @@ +From: Prasad J Pandit + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e51a05e..6599cf0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + +-- +2.5.5 + diff --git a/app-emulation/qemu/qemu-2.7.0-r1.ebuild b/app-emulation/qemu/qemu-2.7.0-r2.ebuild similarity index 99% rename from app-emulation/qemu/qemu-2.7.0-r1.ebuild rename to app-emulation/qemu/qemu-2.7.0-r2.ebuild index c75b7b6..42a669e 100644 --- a/app-emulation/qemu/qemu-2.7.0-r1.ebuild +++ b/app-emulation/qemu/qemu-2.7.0-r2.ebuild @@ -340,6 +340,7 @@ src_prepare() { epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036 epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038 epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038 + epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284 # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY
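Review bot: in the hw/display/vmware_vga.c hunk, the corrected condition only closes the bug if SVGA_BITMAP_SIZE() and SVGA_PIXMAP_SIZE() return counts in the same unit as the element type of cursor.mask[] and cursor.image[] (the description says the old code compared them against the arrays' sizes in bytes), and neither the macro definitions nor the array declarations are part of this hunk, so that unit match should be confirmed against the surrounding source before merging; a mismatch would leave the bound either too loose (the OOB access remains) or too strict (valid cursors rejected with goto badcmd). Writing the bound as `ARRAY_SIZE(cursor.mask)` instead of `sizeof(cursor.mask) / sizeof(cursor.mask[0])` would make the element-count intent explicit and harder to get wrong on a later edit. The vendored patch file also carries only a `From:` line with no upstream Subject or commit reference, so adding the qemu-devel subject line or upstream commit at the top of the file would make it easier to trace and drop once 2.7.x or 2.8 ships the fix.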
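Review bot: the qemu-2.7.0-r2.ebuild hunk needs no change: the new `epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284` line follows the pattern of the neighbouring CVE patch lines, the bug number matches the commit message, and the rename from -r1 to -r2 correctly bumps the revision so that installed systems rebuild and pick up the fix.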