[Pkg-virtualbox-commits] [virtualbox] 02/02: Add patch for CVE-2015-3456 https://www.virtualbox.org/pipermail/vbox-dev/2015-May/013145.html

Gianfranco Costamagna locutusofborg-guest at moszumanska.debian.org
Mon May 18 16:36:03 UTC 2015


This is an automated email from the git hooks/post-receive script.

locutusofborg-guest pushed a commit to branch wheezy
in repository virtualbox.

commit 3426d960fc44c86b31d8755717499c83fc127194
Author: Gianfranco Costamagna <costamagnagianfranco at yahoo.it>
Date:   Mon May 18 18:34:48 2015 +0200

    Add patch for CVE-2015-3456
    https://www.virtualbox.org/pipermail/vbox-dev/2015-May/013145.html
---
 debian/changelog                   |  7 ++++
 debian/patches/CVE-2015-3456.patch | 74 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 82 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 599d549..d7635a1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+virtualbox (4.1.18-dfsg-2+deb7u5) wheezy-security; urgency=medium
+
+  * d/p/CVE-2015-3456.patch fix for CVE-2015-3456 a.k.a. VENOM
+    (Closes: #785424)
+
+ -- Gianfranco Costamagna <costamagnagianfranco at yahoo.it>  Mon, 18 May 2015 18:32:20 +0200
+
 virtualbox (4.1.18-dfsg-2+deb7u4) wheezy-security; urgency=medium
 
   [ Frank Mehnert ]
diff --git a/debian/patches/CVE-2015-3456.patch b/debian/patches/CVE-2015-3456.patch
new file mode 100644
index 0000000..43956ce
--- /dev/null
+++ b/debian/patches/CVE-2015-3456.patch
@@ -0,0 +1,74 @@
+Index: virtualbox/src/VBox/Devices/Storage/fdc.c
+===================================================================
+--- virtualbox.orig/src/VBox/Devices/Storage/fdc.c
++++ virtualbox/src/VBox/Devices/Storage/fdc.c
+@@ -1737,7 +1737,7 @@
+         FLOPPY_ERROR("controller not ready for reading\n");
+         return 0;
+     }
+-    pos = fdctrl->data_pos;
++    pos = fdctrl->data_pos % FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+         pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+@@ -1961,7 +1961,7 @@
+ 
+     FLOPPY_DPRINTF("CMD:%02x SEL:%02x\n", fdctrl->fifo[0], fdctrl->fifo[1]);
+ 
+-    /* XXX: should set main status register to busy */
++    fdctrl->msr &= ~FD_MSR_RQM;
+     cur_drv->head = (fdctrl->fifo[1] >> 2) & 1;
+ #ifdef VBOX
+     TMTimerSetMillies(fdctrl->result_timer, 1000 / 50);
+@@ -2139,22 +2139,25 @@
+ {
+     fdrive_t *cur_drv = get_cur_drv(fdctrl);
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    /* This command takes a variable number of parameters. It can be terminated
++     * at any time if the high bit of a parameter is set. Once there are 6 bytes
++     * in the FIFO (command + 5 parameter bytes), data_len/data_pos will be 7.
++     */
++    if (fdctrl->data_len == 7 || (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80)) {
++
+         /* Command parameters done */
+         if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
+-            fdctrl->fifo[0] = fdctrl->fifo[1];
++            /* Data is echoed, but not stored! */
++            fdctrl->fifo[0] = fdctrl->data_len > 2 ? fdctrl->fifo[1] : 0;
++            fdctrl->fifo[1] = fdctrl->data_len > 3 ? fdctrl->fifo[2] : 0;
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+             fdctrl_set_fifo(fdctrl, 4, 0);
+         } else {
+             fdctrl_reset_fifo(fdctrl);
+         }
+-    } else if (fdctrl->data_len > 7) {
+-        /* ERROR */
+-        fdctrl->fifo[0] = 0x80 |
+-            (cur_drv->head << 2) | GET_CUR_DRV(fdctrl);
+-        fdctrl_set_fifo(fdctrl, 1, 0);
+-    }
++    } else
++        fdctrl->data_len++; /* Wait for another byte. */
+ }
+ 
+ static void fdctrl_handle_relative_seek_out(fdctrl_t *fdctrl, int direction)
+@@ -2219,7 +2222,7 @@
+     { FD_CMD_CONFIGURE, 0xff, "CONFIGURE", 3, fdctrl_handle_configure },
+     { FD_CMD_POWERDOWN_MODE, 0xff, "POWERDOWN MODE", 2, fdctrl_handle_powerdown_mode },
+     { FD_CMD_OPTION, 0xff, "OPTION", 1, fdctrl_handle_option },
+-    { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 5, fdctrl_handle_drive_specification_command },
++    { FD_CMD_DRIVE_SPECIFICATION_COMMAND, 0xff, "DRIVE SPECIFICATION COMMAND", 1, fdctrl_handle_drive_specification_command },
+     { FD_CMD_RELATIVE_SEEK_OUT, 0xff, "RELATIVE SEEK OUT", 2, fdctrl_handle_relative_seek_out },
+     { FD_CMD_FORMAT_AND_WRITE, 0xff, "FORMAT AND WRITE", 10, fdctrl_unimplemented },
+     { FD_CMD_RELATIVE_SEEK_IN, 0xff, "RELATIVE SEEK IN", 2, fdctrl_handle_relative_seek_in },
+@@ -2281,7 +2284,7 @@
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    fdctrl->fifo[fdctrl->data_pos++ % FD_SECTOR_LEN] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
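Review bot: The two `% FD_SECTOR_LEN` clamps (read path `pos = fdctrl->data_pos % FD_SECTOR_LEN;`, write path `fdctrl->fifo[fdctrl->data_pos++ % FD_SECTOR_LEN] = value;`) bound the index only if `data_pos` is an unsigned type and `fifo` holds at least FD_SECTOR_LEN bytes; neither declaration is visible in this patch, so both should be confirmed, since `%` on a negative signed value yields a negative index in C. The clamp also wraps silently, so an over-long parameter stream would overwrite `fifo[0]` onward instead of being rejected; a comment at the write site such as `/* wrap is a safety net only; every handler must reset the FIFO long before data_pos reaches FD_SECTOR_LEN */` would record that intent. In the drive-specification handler the lookups `fdctrl->fifo[fdctrl->data_pos - 1]` still use the raw position, which stays in range only because `data_len` stops growing at 7 there. That handler's `cur_drv` local appears to be unused now that the error branch is removed, and the `pos %= FD_SECTOR_LEN;` inside the `FD_MSR_NONDMA` branch is now redundant. The functions around the read, READ ID and write hunks start and end outside the visible context, so the reset paths they rely on cannot be checked from here.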
diff --git a/debian/patches/series b/debian/patches/series
index af6b8e6..913d697 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ CVE-2014-0981.patch
 CVE-2014-0983.patch
 CVE-2015-0377.patch
 CVE-2015-0418.patch
+CVE-2015-3456.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-virtualbox/virtualbox.git


