summaryrefslogtreecommitdiffstats
path: root/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
diff options
context:
space:
mode:
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch')
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch47
1 files changed, 0 insertions, 47 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
deleted file mode 100644
index 7f830067..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
-From: William Bowling <will@wbowling.info>
-Date: Fri, 1 Mar 2019 21:45:56 +0000
-Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-When emulating ident in tcp_emu, if the strchr checks passed but the
-sscanf check failed, two uninitialized variables would be copied and
-sent in the reply, so move this code inside the if(sscanf()) clause.
-
-Signed-off-by: William Bowling <will@wbowling.info>
-Cc: qemu-stable@nongnu.org
-Cc: secalert@redhat.com
-Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-
-Upstream-Status: Backport
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
-CVE: CVE-2019-9824
-affects < 4.0.0
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
-Index: qemu-3.0.0/slirp/tcp_subr.c
-===================================================================
---- qemu-3.0.0.orig/slirp/tcp_subr.c
-+++ qemu-3.0.0/slirp/tcp_subr.c
-@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf *
- break;
- }
- }
-+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-+ so_rcv->sb_datalen,
-+ "%d,%d\r\n", n1, n2);
-+ so_rcv->sb_rptr = so_rcv->sb_data;
-+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
- }
-- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
-- so_rcv->sb_datalen,
-- "%d,%d\r\n", n1, n2);
-- so_rcv->sb_rptr = so_rcv->sb_data;
-- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
- }
- m_free(m);
- return 0;