]> git.proxmox.com Git - pve-qemu-kvm.git/blob - debian/patches/vncticket.diff
Fix CVE-2016-2841, CVE-2016-2857, CVE-2016-2858
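Index: qemu-kvm/console.h
===================================================================
--- qemu-kvm.orig/console.h 2010-10-21 13:40:20.000000000 +0200
+++ qemu-kvm/console.h 2010-10-21 14:06:21.000000000 +0200
@@ -368,7 +368,7 @@
 void vnc_display_init(DisplayState *ds);
 void vnc_display_close(DisplayState *ds);
 int vnc_display_open(DisplayState *ds, const char *display);
-int vnc_display_password(DisplayState *ds, const char *password);
+int vnc_display_password(DisplayState *ds, const char *password, int limit);
 void do_info_vnc_print(Monitor *mon, const QObject *data);
 void do_info_vnc(Monitor *mon, QObject **ret_data);
 char *vnc_display_local_addr(DisplayState *ds);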
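Review bot: The new `limit` parameter on `vnc_display_password` reads like a count, but the callers in this patch pass only 0 or 1 and ui/vnc.c treats it as a flag (`limit ? 0 : -1`), with the actual threshold of 3 hard-coded at the check. A comment on the prototype would prevent misuse, for example `/* limit != 0: enforce the built-in retry limit for this password */`. Naming it something like `limit_retries` would make the flag semantics visible at call sites.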
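Index: qemu-kvm/ui/vnc.c
===================================================================
--- qemu-kvm.orig/ui/vnc.c 2010-10-21 13:40:21.000000000 +0200
+++ qemu-kvm/ui/vnc.c 2010-10-21 14:06:21.000000000 +0200
@@ -1790,7 +1790,7 @@
 static void set_pixel_conversion(VncState *vs)
 {
 if ((vs->clientds.flags & QEMU_BIG_ENDIAN_FLAG) ==
-(vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) &&
+(vs->ds->surface->flags & QEMU_BIG_ENDIAN_FLAG) &&
 !memcmp(&(vs->clientds.pf), &(vs->ds->surface->pf), sizeof(PixelFormat))) {
 vs->write_pixels = vnc_write_pixels_copy;
 vnc_hextile_set_pixel_conversion(vs, 0);
@@ -1876,7 +1876,7 @@
 vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
 vnc_write_u8(vs, 0);
 vnc_write_u16(vs, 1); /* number of rects */
-vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
+vnc_framebuffer_update(vs, 0, 0, ds_get_width(vs->ds),
 ds_get_height(vs->ds), VNC_ENCODING_WMVi);
 pixel_format_message(vs);
 vnc_unlock_output(vs);
@@ -2079,7 +2079,10 @@
 int i, j, pwlen;
 unsigned char key[8];
 
-if (!vs->vd->password || !vs->vd->password[0]) {
+if (vs->vd->retries >= 0)
+vs->vd->retries++;
+
+if (!vs->vd->password || !vs->vd->password[0] || vs->vd->retries > 3) {
 VNC_DEBUG("No password configured on server");
 vnc_write_u32(vs, 1); /* Reject auth */
 if (vs->minor >= 8) {
@@ -2478,7 +2481,7 @@
 #endif
 }
 
-int vnc_display_password(DisplayState *ds, const char *password)
+int vnc_display_password(DisplayState *ds, const char *password, int limit)
 {
 VncDisplay *vs = ds ? (VncDisplay *)ds->opaque : vnc_display;
 
@@ -2493,6 +2496,7 @@
 if (password && password[0]) {
 if (!(vs->password = qemu_strdup(password)))
 return -1;
+vs->retries = limit ? 0 : -1;
 if (vs->auth == VNC_AUTH_NONE) {
 vs->auth = VNC_AUTH_VNC;
 }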
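Review bot: In the hunk at `@@ -2079,7 +2079,10` the counter `vs->vd->retries` is incremented on every pass with no upper bound, so on a long-lived display it can eventually overflow the signed `int` (undefined behaviour) and turn negative, which this code treats as "no limit". Saturating it keeps the lockout in force: `if (vs->vd->retries >= 0 && vs->vd->retries <= 3) vs->vd->retries++;`. The counter sits in the shared VncDisplay and counts attempts rather than failures, and nothing in the visible hunks resets it on success, so any three connections appear to exhaust the ticket until a new one is set. If that one-shot behaviour is intended it deserves a comment, and the `VNC_DEBUG("No password configured on server")` text is misleading for the lockout case. The enclosing function starts and ends outside the hunk.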
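Index: qemu-kvm/ui/vnc.h
===================================================================
--- qemu-kvm.orig/ui/vnc.h 2010-10-21 13:40:20.000000000 +0200
+++ qemu-kvm/ui/vnc.h 2010-10-21 14:06:21.000000000 +0200
@@ -120,6 +120,7 @@
 
 char *display;
 char *password;
+int retries;
 int auth;
 bool lossy;
 #ifdef CONFIG_VNC_TLS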
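Review bot: The new `retries` field carries a sentinel convention that is documented nowhere in the struct: ui/vnc.c sets it to -1 for "no limit" and to 0 when a limited ticket is installed, then counts upward. A trailing comment would make that explicit, for example `int retries; /* -1: unlimited; >= 0: auth attempts since the ticket was set */`. The field is only assigned in `vnc_display_password` when a non-empty password is given, so its initial value depends on how the struct is allocated, which is not visible here and is worth confirming.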
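Index: qemu-kvm/monitor.c
===================================================================
--- qemu-kvm.orig/monitor.c 2010-10-21 13:40:21.000000000 +0200
+++ qemu-kvm/monitor.c 2010-10-21 14:14:38.000000000 +0200
@@ -978,7 +978,7 @@
 
 static int change_vnc_password(const char *password)
 {
-if (vnc_display_password(NULL, password) < 0) {
+if (vnc_display_password(NULL, password, 0) < 0) {
 qerror_report(QERR_SET_PASSWD_FAILED);
 return -1;
 }
@@ -986,6 +986,17 @@
 return 0;
 }
 
+static int change_vnc_ticket(const char *password)
+{
+if (vnc_display_password(NULL, password, 1) < 0) {
+qerror_report(QERR_SET_PASSWD_FAILED);
+return -1;
+}
+
+return 0;
+}
+
+
 static void change_vnc_password_cb(Monitor *mon, const char *password,
 void *opaque)
 {
@@ -996,12 +1007,16 @@
 static int do_change_vnc(Monitor *mon, const char *target, const char *arg)
 {
 if (strcmp(target, "passwd") == 0 ||
-strcmp(target, "password") == 0) {
+strcmp(target, "password") == 0 ||
+strcmp(target, "ticket") == 0) {
 if (arg) {
 char password[9];
 strncpy(password, arg, sizeof(password));
 password[sizeof(password) - 1] = '\0';
-return change_vnc_password(password);
+if (strcmp(target, "ticket") == 0)
+return change_vnc_ticket(password);
+else
+return change_vnc_password(password);
 } else {
 return monitor_read_password(mon, change_vnc_password_cb, NULL);
 }
@@ -3324,11 +3339,11 @@
 static int is_valid_option(const char *c, const char *typestr)
 {
 char option[3];
-
+
 option[0] = '-';
 option[1] = *c;
 option[2] = '\0';
-
+
 typestr = strstr(typestr, option);
 return (typestr != NULL);
 }
@@ -3640,7 +3655,7 @@
 p++;
 if(c != *p) {
 if(!is_valid_option(p, typestr)) {
-
+
 monitor_printf(mon, "%s: unsupported option -%c\n",
 cmdname, *p);
 goto fail;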
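Review bot: In the `do_change_vnc` hunk, a `ticket` target given without an argument still falls into the unchanged `else` branch and registers `change_vnc_password_cb`, whose body is outside the hunk but presumably ends in `change_vnc_password`, i.e. `limit` 0. A ticket entered at the prompt would then carry no retry limit, unlike one passed inline. Either give the ticket target its own callback that calls `change_vnc_ticket`, or reject a `ticket` target that has no argument. Separately, `change_vnc_ticket` duplicates `change_vnc_password` apart from the flag, and `char password[9]` truncates the ticket to 8 characters, which merits a one-line comment for whoever generates tickets.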