Package: qemu / 1:4.1-1

Metadata

Package Version Patches format
qemu 1:4.1-1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
use fixed data path.patch | (download)

os-posix.c | 2 2 + 0 - 0 !
vl.c | 7 1 + 6 - 0 !
2 files changed, 3 insertions(+), 6 deletions(-)

 use fixed data dir instead of determining it at runtime
bt use size_t type for length parameters instead of int CVE 2018 19665.patch | (download)

bt-host.c | 8 4 + 4 - 0 !
bt-vhci.c | 7 4 + 3 - 0 !
hw/bt/core.c | 2 1 + 1 - 0 !
hw/bt/hci-csr.c | 32 16 + 16 - 0 !
hw/bt/hci.c | 38 19 + 19 - 0 !
hw/bt/hid.c | 10 5 + 5 - 0 !
hw/bt/l2cap.c | 56 29 + 27 - 0 !
hw/bt/sdp.c | 6 3 + 3 - 0 !
hw/usb/dev-bluetooth.c | 12 6 + 6 - 0 !
include/hw/bt.h | 8 4 + 4 - 0 !
include/sysemu/bt.h | 10 5 + 5 - 0 !
11 files changed, 96 insertions(+), 93 deletions(-)

 bt: use size_t type for length parameters instead of int
Bug-Debian: https://bugs.debian.org/916278
Closes: #916278, CVE-2018-19665

The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If it was negative, it could lead to memory corruption issues.
Add check to avoid it.

Reported-by: Arash TC <tohidi.arash@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>