[Pkg-virtualbox-commits] [virtualbox] 02/02: Add patch for CVE-2015-3456 https://www.virtualbox.org/pipermail/vbox-dev/2015-May/013145.html
Gianfranco Costamagna
locutusofborg-guest at moszumanska.debian.org
Mon May 18 16:36:03 UTC 2015
This is an automated email from the git hooks/post-receive script.
locutusofborg-guest pushed a commit to branch wheezy
in repository virtualbox.
commit 3426d960fc44c86b31d8755717499c83fc127194
Author: Gianfranco Costamagna <costamagnagianfranco at yahoo.it>
Date: Mon May 18 18:34:48 2015 +0200
Add patch for CVE-2015-3456
https://www.virtualbox.org/pipermail/vbox-dev/2015-May/013145.html
---
debian/changelog | 7 ++++
debian/patches/CVE-2015-3456.patch | 74 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 82 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 599d549..d7635a1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+virtualbox (4.1.18-dfsg-2+deb7u5) wheezy-security; urgency=medium
+
+ * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM
+ (Closes: #785424)
+
+ -- Gianfranco Costamagna <costamagnagianfranco at yahoo.it> Mon, 18 May 2015 18:32:20 +0200
+
virtualbox (4.1.18-dfsg-2+deb7u4) wheezy-security; urgency=medium
[ Frank Mehnert ]
diff --git a/debian/patches/CVE-2015-3456.patch b/debian/patches/CVE-2015-3456.patch
new file mode 100644
index 0000000..43956ce
--- /dev/null
+++ b/debian/patches/CVE-2015-3456.patch
@@ -0,0 +1,74 @@
+Index: virtualbox/src/VBox/Devices/Storage/fdc.c
+===================================================================
+--- virtualbox.orig/src/VBox/Devices/Storage/fdc.c
++++ virtualbox/src/VBox/Devices/Storage/fdc.c
+@@ -1737,7 +1737,7 @@
+ FLOPPY_ERROR("controller not ready for reading\n");
+ return 0;
+ }
+- pos = fdctrl->data_pos;
++ pos = fdctrl->data_pos % FD_SECTOR_LEN;
+ if (fdctrl->msr & FD_MSR_NONDMA) {
+ pos %= FD_SECTOR_LEN;
+ if (pos == 0) {
+@@ -1961,7 +1961,7 @@
+
+ FLOPPY_DPRINTF("CMD:%02x SEL:%02x\n", fdctrl->fifo[0], fdctrl->fifo[1]);
+
+- /* XXX: should set main status register to busy */
++ fdctrl->msr &= ~FD_MSR_RQM;
+ cur_drv->head = (fdctrl->fifo[1] >> 2) & 1;
+ #ifdef VBOX
+ TMTimerSetMillies(fdctrl->result_timer, 1000 / 50);
+@@ -2139,22 +2139,25 @@
+ {
+ fdrive_t *cur_drv = get_cur_drv(fdctrl);
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ /* This command takes a variable number of parameters. It can be terminated
++ * at any time if the high bit of a parameter is set. Once there are 6 bytes
++ * in the FIFO (command + 5 parameter bytes), data_len/data_pos will be 7.
++ */
++ if (fdctrl->data_len == 7 || (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80)) {
++
+ /* Command parameters done */
+ if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+- fdctrl->fifo[0] = fdctrl->fifo[1];
++ /* Data is echoed, but not stored! */
++ fdctrl->fifo[0] = fdctrl->data_len > 2 ? fdctrl->fifo[1] : 0;
++ fdctrl->fifo[1] = fdctrl->data_len > 3 ? fdctrl->fifo[2] : 0;
+ fdctrl->fifo[2] = 0;
+ fdctrl->fifo[3] = 0;
+ fdctrl_set_fifo(fdctrl, 4, 0);
+ } else {
+ fdctrl_reset_fifo(fdctrl);
+ }
+- } else if (fdctrl->data_len > 7) {
+- /* ERROR */
+- fdctrl->fifo[0] = 0x80 |
+- (cur_drv->head << 2) | GET_CUR_DRV(fdctrl);
+- fdctrl_set_fifo(fdctrl, 1, 0);
+- }
++ } else
++ fdctrl->data_len++; /* Wait for another byte. */
+ }
+
+ static void fdctrl_handle_relative_seek_out(fdctrl_t *fdctrl, int direction)
+@@ -2219,7 +2222,7 @@
+ { FD_CMD_CONFIGURE, 0xff, "CONFIGURE", 3, fdctrl_handle_configure },
+ { FD_CMD_POWERDOWN_MODE, 0xff, "POWERDOWN MODE", 2, fdctrl_handle_powerdown_mode },
+ { FD_CMD_OPTION, 0xff, "OPTION", 1, fdctrl_handle_option },
+- { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 5, fdctrl_handle_drive_specification_command },
++ { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 1, fdctrl_handle_drive_specification_command },
+ { FD_CMD_RELATIVE_SEEK_OUT, 0xff, "RELATIVE SEEK OUT", 2, fdctrl_handle_relative_seek_out },
+ { FD_CMD_FORMAT_AND_WRITE, 0xff, "FORMAT AND WRITE", 10, fdctrl_unimplemented },
+ { FD_CMD_RELATIVE_SEEK_IN, 0xff, "RELATIVE SEEK IN", 2, fdctrl_handle_relative_seek_in },
+@@ -2281,7 +2284,7 @@
+ }
+
+ FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ fdctrl->fifo[fdctrl->data_pos++ % FD_SECTOR_LEN] = value;
+ if (fdctrl->data_pos == fdctrl->data_len) {
+ /* We now have all parameters
+ * and will be able to treat the command
diff --git a/debian/patches/series b/debian/patches/series
index af6b8e6..913d697 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ CVE-2014-0981.patch
CVE-2014-0983.patch
CVE-2015-0377.patch
CVE-2015-0418.patch
+CVE-2015-3456.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-virtualbox/virtualbox.git
More information about the Pkg-virtualbox-commits
mailing list