From: Roman Bogorodskiy
Date: Fri, 16 Mar 2018 15:20:28 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r464689 - in head/devel/libvirt: . files

Author: novel
Date: Fri Mar 16 15:20:28 2018
New Revision: 464689
URL: https://svnweb.freebsd.org/changeset/ports/464689

Log:
  devel/libvirt: add a fix for QEMU agent denial of service vulnerability

  Add a fix from upstream master for QEMU agent denial of service
  (LSN-2018-0004, CVE-2018-1064).

  Security: https://security.libvirt.org/2018/0004.html

Added:
  head/devel/libvirt/files/patch-src_qemu_qemu__agent.c (contents, props changed)
Modified:
  head/devel/libvirt/Makefile

Modified: head/devel/libvirt/Makefile ============================================================================== --- head/devel/libvirt/Makefile Fri Mar 16 14:29:38 2018 (r464688) +++ head/devel/libvirt/Makefile Fri Mar 16 15:20:28 2018 (r464689) @@ -3,7 +3,7 @@ PORTNAME= libvirt PORTVERSION= 4.1.0 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= devel MASTER_SITES= http://libvirt.org/sources/ \ ftp://libvirt.org/libvirt/ Added: head/devel/libvirt/files/patch-src_qemu_qemu__agent.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/devel/libvirt/files/patch-src_qemu_qemu__agent.c Fri Mar 16 15:20:28 2018 (r464689) 
@@ -0,0 +1,31 @@ +--- src/qemu/qemu_agent.c.orig 2018-02-26 09:02:18 UTC ++++ src/qemu/qemu_agent.c +@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent"); + #define DEBUG_IO 0 + #define DEBUG_RAW_IO 0 + ++/* We read from QEMU until seeing a \r\n pair to indicate a ++ * completed reply or event. To avoid memory denial-of-service ++ * though, we must have a size limit on amount of data we ++ * buffer. 10 MB is large enough that it ought to cope with ++ * normal QEMU replies, and small enough that we're not ++ * consuming unreasonable mem. ++ */ ++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024) ++ + /* When you are the first to uncomment this, + * don't forget to uncomment the corresponding + * part in qemuAgentIOProcessEvent as well. +@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon) + int ret = 0; + + if (avail < 1024) { ++ if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) { ++ virReportSystemError(ERANGE, ++ _("No complete agent response found in %d bytes"), ++ QEMU_AGENT_MAX_RESPONSE); ++ return -1; ++ } + if (VIR_REALLOC_N(mon->buffer, + mon->bufferLength + 1024) < 0) + return -1;
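
Review bot: the new files/patch-src_qemu_qemu__agent.c starts directly at `--- src/qemu/qemu_agent.c.orig` with no header saying where the change comes from, so nothing in the file tells a later committer that it backports the CVE-2018-1064 fix and can be deleted once the port moves past 4.1.0 to a release that carries it. A short comment block at the top of the patch file naming the advisory (LSN-2018-0004) would cover that. Minor, in the first inner hunk: the comment above QEMU_AGENT_MAX_RESPONSE says "10 MB" while the macro is `(10 * 1024 * 1024)`, which is 10 MiB; since the text is taken from upstream it is reasonable to leave it, but the mismatch is worth knowing when reading the error message.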
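
Review bot: in the qemuAgentIORead hunk the new `return -1` sits inside `if (avail < 1024)`, so the cap is only evaluated when the buffer is about to grow, and on failure mon->buffer is left allocated at its current size; the visible lines do not show what the caller does with that error. Please confirm that the error path tears down the agent connection and releases the buffer, otherwise a guest that never sends the terminating sequence keeps roughly QEMU_AGENT_MAX_RESPONSE bytes pinned per domain and triggers the same virReportSystemError on each subsequent read. The bound itself looks right from what is shown: growth happens in 1024-byte steps via VIR_REALLOC_N and the check uses `>=`, so bufferLength stops at the limit rather than one step past it.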