new file mode 100644

@@ -0,0 +1,59 @@

+From fbf31e1a4cd19d6f6e33e0937a009775cd7d9513 Mon Sep 17 00:00:00 2001

+From: =?utf8?q?Daniel=20P.=20Berrang=C3=A9?= <berrange@redhat.com>

+Date: Thu, 1 Mar 2018 14:55:26 +0000

+Subject: [PATCH] qemu: avoid denial of service reading from QEMU guest agent (CVE-2018-1064)

+MIME-Version: 1.0

+Content-Type: text/plain; charset=utf8

+Content-Transfer-Encoding: 8bit

+

+We read from the agent until seeing a \r\n pair to indicate a completed

+reply or event. To avoid memory denial-of-service though, we must have a

+size limit on amount of data we buffer. 10 MB is large enough that it

+ought to cope with normal agent replies, and small enough that we're not

+consuming unreasonable mem.

+

+This is identical to the flaw we had reading from the QEMU monitor

+as CVE-2018-5748, so rather embarrassing that we forgot to fix

+the agent code at the same time.

+

+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

+---

+ src/qemu/qemu_agent.c |   15 +++++++++++++++

+ 1 files changed, 15 insertions(+), 0 deletions(-)

+

+diff --git a/src/qemu/qemu_agent.c b/src/qemu/qemu_agent.c

+index 0f36054..89183c3 100644

+--- a/src/qemu/qemu_agent.c

+@@ -53,6 +53,15 @@ VIR_LOG_INIT("qemu.qemu_agent");

+ #define DEBUG_IO 0

+ #define DEBUG_RAW_IO 0

+ 

++/* We read from QEMU until seeing a \r\n pair to indicate a

++ * completed reply or event. To avoid memory denial-of-service

++ * though, we must have a size limit on amount of data we

++ * buffer. 10 MB is large enough that it ought to cope with

++ * normal QEMU replies, and small enough that we're not

++ * consuming unreasonable mem.

++ */

++#define QEMU_AGENT_MAX_RESPONSE (10 * 1024 * 1024)

++

+ /* When you are the first to uncomment this,

+  * don't forget to uncomment the corresponding

+  * part in qemuAgentIOProcessEvent as well.

+@@ -535,6 +544,12 @@ qemuAgentIORead(qemuAgentPtr mon)

+     int ret = 0;

+ 

+     if (avail < 1024) {

++        if (mon->bufferLength >= QEMU_AGENT_MAX_RESPONSE) {

++            virReportSystemError(ERANGE,

++                                 _("No complete agent response found in %d bytes"),

++                                 QEMU_AGENT_MAX_RESPONSE);

++            return -1;

++        }

+         if (VIR_REALLOC_N(mon->buffer,

+                           mon->bufferLength + 1024) < 0)

+             return -1;

+-- 

+1.7.1

+

@@ -1,12 +1,13 @@

 Summary:        Virtualization API library that supports KVM, QEMU, Xen, ESX etc

 Name:           libvirt

 Version:        3.2.0

-Release:        4%{?dist}

+Release:        5%{?dist}

 License:        LGPL

 URL:            http://libvirt.org/

 Source0:        http://libvirt.org/sources/%{name}-%{version}.tar.xz

 %define sha1    libvirt=47d4b443fdf1e268589529018c436bbc4b413a7c

 Patch0:         libvirt-CVE-2017-1000256.patch

+Patch1:         libvirt-CVE-2018-1064.patch

 Group:          Virtualization/Libraries

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -56,6 +57,7 @@ This contains development tools and libraries for libvirt.

 %prep

 %setup -q

 %patch0 -p1

+%patch1 -p1

 %build

 ./configure \

     --disable-silent-rules \

@@ -111,6 +113,8 @@ find %{buildroot} -name '*.la' -delete

 %{_mandir}/*

 %changelog

+*   Fri Apr 20 2018 Xiaolin Li <xiaolinl@vmware.com> 3.2.0-5

+-   Fix CVE-2018-1064

 *   Thu Dec 07 2017 Xiaolin Li <xiaolinl@vmware.com> 3.2.0-4

 -   Move so files in folder connection-driver and lock-driver to main package.

 *   Mon Dec 04 2017 Xiaolin Li <xiaolinl@vmware.com> 3.2.0-3