diff -Nru virtualbox-4.1.12-dfsg/debian/changelog virtualbox-4.1.12-dfsg/debian/changelog
--- virtualbox-4.1.12-dfsg/debian/changelog 2013-09-30 10:55:24.000000000 +0200
+++ virtualbox-4.1.12-dfsg/debian/changelog 2014-04-14 23:35:04.000000000 +0200
@@ -1,3 +1,18 @@
+virtualbox (4.1.12-dfsg-2ubuntu0.6) precise-security; urgency=medium
+
+ * SECURITY UPDATE: Virtual graphics device user vulnerability (LP: #1307725)
+ - debian/patches/CVE-2013-0420.patch: backport upstream patch
+ - CVE-2013-0420
+ * SECURITY UPDATE: Apply fixes from the January 2014 security advisory
+ - debian/patches/38-security-fixes-2014-01.patch: backport upstream fixes
+ - CVE-2013-5892, CVE-2014-0407, CVE-2014-0406, CVE-2014-0404
+ * SECURITY UPDATE: Fix memory corruption vulnerabilities in 3D acceleration
+ - debian/patches/CVE-2014-0981.patch, debian/patches/CVE-2014-0983.patch:
+ backport fixes from version 4.0.24
+ - CVE-2014-0981, CVE-2014-0983
+
+ -- Felix Geyer Mon, 14 Apr 2014 17:37:39 +0200
+
 virtualbox (4.1.12-dfsg-2ubuntu0.5) precise-proposed; urgency=low
 
 * Update the patch for Linux 3.11 with a more complete
diff -Nru virtualbox-4.1.12-dfsg/debian/patches/38-security-fixes-2014-01.patch virtualbox-4.1.12-dfsg/debian/patches/38-security-fixes-2014-01.patch
--- virtualbox-4.1.12-dfsg/debian/patches/38-security-fixes-2014-01.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.12-dfsg/debian/patches/38-security-fixes-2014-01.patch 2014-01-28 21:20:29.000000000 +0100
@@ -0,0 +1,471 @@ +--- a/include/VBox/VMMDev.h ++++ b/include/VBox/VMMDev.h +@@ -114,6 +114,10 @@ + + /** Maximum request packet size. */ + #define VMMDEV_MAX_VMMDEVREQ_SIZE _1M ++/** Maximum number of HGCM parameters. */ ++#define VMMDEV_MAX_HGCM_PARMS 1024 ++/** Maximum total size of hgcm buffers in one call. */ ++#define VMMDEV_MAX_HGCM_DATA_SIZE UINT32_C(0x7FFFFFFF) + + /** + * VMMDev request types. +--- a/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp ++++ b/src/VBox/Devices/Graphics/DevVGA_VBVA.cpp +@@ -613,6 +613,13 @@ + + if (fShape) + { ++ if (pShape->u32Width > 8192 || pShape->u32Height > 8192) ++ { ++ Log(("vbvaMousePointerShape: unsupported size %ux%u\n", ++ pShape->u32Width, pShape->u32Height)); ++ return VERR_INVALID_PARAMETER; ++ } ++ + cbPointerData = ((((pShape->u32Width + 7) / 8) * pShape->u32Height + 3) & ~3) + + pShape->u32Width * 4 * pShape->u32Height; + } +--- a/src/VBox/Devices/VMMDev/VMMDev.cpp ++++ b/src/VBox/Devices/VMMDev/VMMDev.cpp +@@ -795,6 +795,20 @@ + + #endif /* VBOX_WITH_PAGE_SHARING */ + ++static int vmmdevVerifyPointerShape(VMMDevReqMousePointer *pReq) ++{ ++ /* Should be enough for most mouse pointers. */ ++ if (pReq->width > 8192 || pReq->height > 8192) ++ return VERR_INVALID_PARAMETER; ++ ++ uint32_t cbShape = (pReq->width + 7) / 8 * pReq->height; /* size of the AND mask */ ++ cbShape = ((cbShape + 3) & ~3) + pReq->width * 4 * pReq->height; /* + gap + size of the XOR mask */ ++ if (RT_UOFFSETOF(VMMDevReqMousePointer, pointerData) + cbShape > pReq->header.size) ++ return VERR_INVALID_PARAMETER; ++ ++ return VINF_SUCCESS; ++} ++ + /** + * Port I/O Handler for the generic request interface + * @see FNIOMIOPORTOUT for details. 
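Review bot: The pointer-size limit 8192 is written as a bare literal in the DevVGA_VBVA.cpp check and again in the new `vmmdevVerifyPointerShape`, so the two device paths can drift apart if one is changed later; a single named constant in a shared header would keep them in step. The helper also has no doc comment saying why the bound matters: with both dimensions at most 8192 the AND-mask and XOR-mask sizes sum to well under 2^32, so `cbShape` cannot wrap before it is compared with `pReq->header.size`. A comment such as `/* Dimensions are capped first so the uint32_t size arithmetic below cannot overflow. */` above the first check would record that, and `pReq` is only read, so it could be declared `const VMMDevReqMousePointer *pReq`.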
+@@ -1163,6 +1177,10 @@ + /* forward call to driver */ + if (fShape) + { ++ pRequestHeader->rc = vmmdevVerifyPointerShape(pointerShape); ++ if (RT_FAILURE(pRequestHeader->rc)) ++ break; ++ + pThis->pDrv->pfnUpdatePointerShape(pThis->pDrv, + fVisible, + fAlpha, +--- a/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp ++++ b/src/VBox/Devices/VMMDev/VMMDevHGCM.cpp +@@ -97,6 +97,9 @@ + */ + VBOXHGCMSVCPARM *paHostParms; + ++ /* Number of elements in paHostParms */ ++ uint32_t cHostParms; ++ + /* Linear pointer parameters information. */ + int cLinPtrs; + +@@ -250,8 +253,6 @@ + { + int rc = VINF_SUCCESS; + +- AssertRelease (u32Size > 0); +- + VBOXHGCMLINPTR *pLinPtr = &paLinPtrs[iLinPtr]; + + /* Take the offset into the current page also into account! */ +@@ -294,8 +295,6 @@ + GCPtr += PAGE_SIZE; + } + +- AssertRelease (iPage == cPages); +- + return rc; + } + +@@ -310,7 +309,7 @@ + + VBOXHGCMLINPTR *pLinPtr = &paLinPtrs[iLinPtr]; + +- AssertRelease (u32Size > 0 && iParm == (uint32_t)pLinPtr->iParm); ++ AssertLogRelReturn(u32Size > 0 && iParm == (uint32_t)pLinPtr->iParm, VERR_INVALID_PARAMETER); + + RTGCPHYS GCPhysDst = pLinPtr->paPages[0] + pLinPtr->offFirstPage; + uint8_t *pu8Src = (uint8_t *)pvHost; +@@ -332,12 +331,17 @@ + + if (cbWrite >= u32Size) + { +- PDMDevHlpPhysWrite(pDevIns, GCPhysDst, pu8Src, u32Size); ++ rc = PDMDevHlpPhysWrite(pDevIns, GCPhysDst, pu8Src, u32Size); ++ if (RT_FAILURE(rc)) ++ break; ++ + u32Size = 0; + break; + } + + PDMDevHlpPhysWrite(pDevIns, GCPhysDst, pu8Src, cbWrite); ++ if (RT_FAILURE(rc)) ++ break; + + /* next */ + u32Size -= cbWrite; +@@ -346,8 +350,10 @@ + GCPhysDst = pLinPtr->paPages[iPage]; + } + +- AssertRelease (iPage == pLinPtr->cPages); +- Assert(u32Size == 0); ++ if (RT_SUCCESS(rc)) ++ { ++ AssertLogRelReturn(iPage == pLinPtr->cPages, VERR_INVALID_PARAMETER); ++ } + + return rc; + } +@@ -623,6 +629,20 @@ + Log(("vmmdevHGCMCall: cParms = %d\n", cParms)); + + /* ++ * Sane upper limit. 
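Review bot: The second added `if (RT_FAILURE(rc)) break;` in the hunk at -332 tests a value the preceding call never sets, because the context line `PDMDevHlpPhysWrite(pDevIns, GCPhysDst, pu8Src, cbWrite);` still discards its return value, unlike the first write in the same hunk, which was changed to `rc = PDMDevHlpPhysWrite(...)`. A failed write of a partial page therefore goes unnoticed and the loop keeps advancing to the next page. The line should read `rc = PDMDevHlpPhysWrite(pDevIns, GCPhysDst, pu8Src, cbWrite);`. The enclosing loop (presumably in vmmdevHGCMWriteLinPtr, judging by the call sites later in the patch) starts outside the hunk.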
++ */ ++ if (cParms > VMMDEV_MAX_HGCM_PARMS) ++ { ++ static int s_cRelWarn; ++ if (s_cRelWarn < 50) ++ { ++ s_cRelWarn++; ++ LogRel(("VMMDev: request packet with too many parameters (%d). Refusing operation.\n", cParms)); ++ } ++ return VERR_INVALID_PARAMETER; ++ } ++ ++ /* + * Compute size of required memory buffer. + */ + +@@ -654,6 +674,12 @@ + if (pGuestParm->u.Pointer.size > 0) + { + /* Only pointers with some actual data are counted. */ ++ if (pGuestParm->u.Pointer.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize) ++ { ++ rc = VERR_INVALID_PARAMETER; ++ break; ++ } ++ + cbCmdSize += pGuestParm->u.Pointer.size; + + cLinPtrs++; +@@ -667,6 +693,12 @@ + + case VMMDevHGCMParmType_PageList: + { ++ if (pGuestParm->u.PageList.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize) ++ { ++ rc = VERR_INVALID_PARAMETER; ++ break; ++ } ++ + cbCmdSize += pGuestParm->u.PageList.size; + Log(("vmmdevHGCMCall: pagelist size = %d\n", pGuestParm->u.PageList.size)); + } break; +@@ -706,6 +738,12 @@ + if (pGuestParm->u.Pointer.size > 0) + { + /* Only pointers with some actual data are counted. */ ++ if (pGuestParm->u.Pointer.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize) ++ { ++ rc = VERR_INVALID_PARAMETER; ++ break; ++ } ++ + cbCmdSize += pGuestParm->u.Pointer.size; + + cLinPtrs++; +@@ -719,6 +757,12 @@ + + case VMMDevHGCMParmType_PageList: + { ++ if (pGuestParm->u.PageList.size > VMMDEV_MAX_HGCM_DATA_SIZE - cbCmdSize) ++ { ++ rc = VERR_INVALID_PARAMETER; ++ break; ++ } ++ + cbCmdSize += pGuestParm->u.PageList.size; + Log(("vmmdevHGCMCall: pagelist size = %d\n", pGuestParm->u.PageList.size)); + } break; +@@ -787,6 +831,7 @@ + uint8_t *pcBuf = (uint8_t *)pHostParm + cParms * sizeof (VBOXHGCMSVCPARM); + + pCmd->paHostParms = pHostParm; ++ pCmd->cHostParms = cParms; + + uint32_t iLinPtr = 0; + RTGCPHYS *pPages = (RTGCPHYS *)((uint8_t *)pCmd->paLinPtrs + sizeof (VBOXHGCMLINPTR) *cLinPtrs); +@@ -1135,6 +1180,20 @@ + Log(("vmmdevHGCMCall: cParms = %d\n", cParms)); + + /* ++ * Sane upper limit. 
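Review bot: The added `break` after `rc = VERR_INVALID_PARAMETER;` in the hunk at -654 leaves only the enclosing `case`, so whether an oversized request is actually refused depends on code outside the hunk: the parameter loop must stop on a failed `rc`, or `rc` must be checked before `cbCmdSize` is used. If neither holds, the remaining parameters keep being added to `cbCmdSize` with the rejected one simply left out. Provided nothing has been allocated at this point, `return VERR_INVALID_PARAMETER;`, as the cParms limit check in this patch already does, would make the rejection independent of the surrounding code. The same pattern is repeated in the hunks at -693, -738 and -757.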
++ */ ++ if (cParms > VMMDEV_MAX_HGCM_PARMS) ++ { ++ static int s_cRelWarn; ++ if (s_cRelWarn < 50) ++ { ++ s_cRelWarn++; ++ LogRel(("VMMDev: request packet with too many parameters (%d). Refusing operation.\n", cParms)); ++ } ++ return VERR_INVALID_PARAMETER; ++ } ++ ++ /* + * Compute size of required memory buffer. + */ + +@@ -1289,6 +1348,7 @@ + uint8_t *pu8Buf = (uint8_t *)pHostParm + cParms * sizeof (VBOXHGCMSVCPARM); + + pCmd->paHostParms = pHostParm; ++ pCmd->cHostParms = cParms; + + uint32_t iParm; + int iLinPtr = 0; +@@ -1758,6 +1818,88 @@ + return VERR_INVALID_PARAMETER; + } + ++#ifdef VBOX_WITH_64_BITS_GUESTS ++static int vmmdevHGCMParmVerify64(HGCMFunctionParameter64 *pGuestParm, VBOXHGCMSVCPARM *pHostParm) ++{ ++ int rc = VERR_INVALID_PARAMETER; ++ ++ switch (pGuestParm->type) ++ { ++ case VMMDevHGCMParmType_32bit: ++ if (pHostParm->type == VBOX_HGCM_SVC_PARM_32BIT) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_64bit: ++ if (pHostParm->type == VBOX_HGCM_SVC_PARM_64BIT) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_LinAddr_In: /* In (read) */ ++ case VMMDevHGCMParmType_LinAddr_Out: /* Out (write) */ ++ case VMMDevHGCMParmType_LinAddr: /* In & Out */ ++ if ( pHostParm->type == VBOX_HGCM_SVC_PARM_PTR ++ && pGuestParm->u.Pointer.size >= pHostParm->u.pointer.size) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_PageList: ++ if ( pHostParm->type == VBOX_HGCM_SVC_PARM_PTR ++ && pGuestParm->u.PageList.size >= pHostParm->u.pointer.size) ++ rc = VINF_SUCCESS; ++ break; ++ ++ default: ++ AssertLogRelMsgFailed(("hgcmCompleted: invalid parameter type %08X\n", pGuestParm->type)); ++ break; ++ } ++ ++ return rc; ++} ++#endif /* VBOX_WITH_64_BITS_GUESTS */ ++ ++#ifdef VBOX_WITH_64_BITS_GUESTS ++static int vmmdevHGCMParmVerify32(HGCMFunctionParameter32 *pGuestParm, VBOXHGCMSVCPARM *pHostParm) ++#else ++static int vmmdevHGCMParmVerify32(HGCMFunctionParameter *pGuestParm, VBOXHGCMSVCPARM *pHostParm) ++#endif ++{ ++ int rc = 
VERR_INVALID_PARAMETER; ++ ++ switch (pGuestParm->type) ++ { ++ case VMMDevHGCMParmType_32bit: ++ if (pHostParm->type == VBOX_HGCM_SVC_PARM_32BIT) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_64bit: ++ if (pHostParm->type == VBOX_HGCM_SVC_PARM_64BIT) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_LinAddr_In: /* In (read) */ ++ case VMMDevHGCMParmType_LinAddr_Out: /* Out (write) */ ++ case VMMDevHGCMParmType_LinAddr: /* In & Out */ ++ if ( pHostParm->type == VBOX_HGCM_SVC_PARM_PTR ++ && pGuestParm->u.Pointer.size >= pHostParm->u.pointer.size) ++ rc = VINF_SUCCESS; ++ break; ++ ++ case VMMDevHGCMParmType_PageList: ++ if ( pHostParm->type == VBOX_HGCM_SVC_PARM_PTR ++ && pGuestParm->u.PageList.size >= pHostParm->u.pointer.size) ++ rc = VINF_SUCCESS; ++ break; ++ ++ default: ++ AssertLogRelMsgFailed(("hgcmCompleted: invalid parameter type %08X\n", pGuestParm->type)); ++ break; ++ } ++ ++ return rc; ++} ++ + #define PDMIHGCMPORT_2_VMMDEVSTATE(pInterface) ( (VMMDevState *) ((uintptr_t)pInterface - RT_OFFSETOF(VMMDevState, IHGCMPort)) ) + + DECLCALLBACK(void) hgcmCompletedWorker (PPDMIHGCMPORT pInterface, int32_t result, PVBOXHGCMCMD pCmd) +@@ -1858,6 +2000,8 @@ + VMMDevHGCMCall *pHGCMCall = (VMMDevHGCMCall *)pHeader; + + uint32_t cParms = pHGCMCall->cParms; ++ if (cParms != pCmd->cHostParms) ++ rc = VERR_INVALID_PARAMETER; + + VBOXHGCMSVCPARM *pHostParm = pCmd->paHostParms; + +@@ -1866,8 +2010,12 @@ + + HGCMFunctionParameter64 *pGuestParm = VMMDEV_HGCM_CALL_PARMS64(pHGCMCall); + +- for (i = 0; i < cParms; i++, pGuestParm++, pHostParm++) ++ for (i = 0; i < cParms && RT_SUCCESS(rc); i++, pGuestParm++, pHostParm++) + { ++ rc = vmmdevHGCMParmVerify64(pGuestParm, pHostParm); ++ if (RT_FAILURE(rc)) ++ break; ++ + switch (pGuestParm->type) + { + case VMMDevHGCMParmType_32bit: +@@ -1894,7 +2042,6 @@ + /* Use the saved page list to write data back to the guest RAM. 
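Review bot: `vmmdevHGCMParmVerify64` and `vmmdevHGCMParmVerify32` are added without a doc comment, and their bodies are identical apart from the guest parameter type. A header such as `/** Checks that a guest parameter still has the type recorded in the host copy and a buffer at least as large as the host data. */` would state the invariant the completion path appears to rely on. Both arguments are only read, so they could be `const`-qualified, and the failure message still says `hgcmCompleted:` although it is now emitted from the verify helpers.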
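Review bot: In the loop changed at -1866, `vmmdevHGCMParmVerify64(pGuestParm, pHostParm)` reads `pGuestParm->type` and the size field, and the `switch (pGuestParm->type)` directly after it reads them again. If `pGuestParm` points into request memory the guest can still write (the existing comment in the `default` case speaks of corrupted guest request memory), the values that were verified and the values that are used can differ. Copying the parameter into a local before the verify call and switching on that copy would make the check and the use see the same data. The same applies to the 32-bit loops at -1969 and -2071; the loop body continues outside the hunk.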
*/ + rc = vmmdevHGCMWriteLinPtr (pVMMDevState->pDevIns, i, pHostParm->u.pointer.addr, + size, iLinPtr, pCmd->paLinPtrs); +- AssertReleaseRC(rc); + } + + /* All linptrs with size > 0 were saved. Advance the index to the next linptr. */ +@@ -1945,7 +2092,8 @@ + default: + { + /* This indicates that the guest request memory was corrupted. */ +- AssertReleaseMsgFailed(("hgcmCompleted: invalid parameter type %08X\n", pGuestParm->type)); ++ rc = VERR_INVALID_PARAMETER; ++ break; + } + } + } +@@ -1961,6 +2109,8 @@ + VMMDevHGCMCall *pHGCMCall = (VMMDevHGCMCall *)pHeader; + + uint32_t cParms = pHGCMCall->cParms; ++ if (cParms != pCmd->cHostParms) ++ rc = VERR_INVALID_PARAMETER; + + VBOXHGCMSVCPARM *pHostParm = pCmd->paHostParms; + +@@ -1969,8 +2119,12 @@ + + HGCMFunctionParameter32 *pGuestParm = VMMDEV_HGCM_CALL_PARMS32(pHGCMCall); + +- for (i = 0; i < cParms; i++, pGuestParm++, pHostParm++) ++ for (i = 0; i < cParms && RT_SUCCESS(rc); i++, pGuestParm++, pHostParm++) + { ++ rc = vmmdevHGCMParmVerify32(pGuestParm, pHostParm); ++ if (RT_FAILURE(rc)) ++ break; ++ + switch (pGuestParm->type) + { + case VMMDevHGCMParmType_32bit: +@@ -1996,7 +2150,6 @@ + { + /* Use the saved page list to write data back to the guest RAM. */ + rc = vmmdevHGCMWriteLinPtr (pVMMDevState->pDevIns, i, pHostParm->u.pointer.addr, size, iLinPtr, pCmd->paLinPtrs); +- AssertReleaseRC(rc); + } + + /* All linptrs with size > 0 were saved. Advance the index to the next linptr. */ +@@ -2047,7 +2200,8 @@ + default: + { + /* This indicates that the guest request memory was corrupted. 
*/ +- AssertReleaseMsgFailed(("hgcmCompleted: invalid parameter type %08X\n", pGuestParm->type)); ++ rc = VERR_INVALID_PARAMETER; ++ break; + } + } + } +@@ -2063,6 +2217,8 @@ + VMMDevHGCMCall *pHGCMCall = (VMMDevHGCMCall *)pHeader; + + uint32_t cParms = pHGCMCall->cParms; ++ if (cParms != pCmd->cHostParms) ++ rc = VERR_INVALID_PARAMETER; + + VBOXHGCMSVCPARM *pHostParm = pCmd->paHostParms; + +@@ -2071,8 +2227,12 @@ + + HGCMFunctionParameter *pGuestParm = VMMDEV_HGCM_CALL_PARMS(pHGCMCall); + +- for (i = 0; i < cParms; i++, pGuestParm++, pHostParm++) ++ for (i = 0; i < cParms && RT_SUCCESS(rc); i++, pGuestParm++, pHostParm++) + { ++ rc = vmmdevHGCMParmVerify32(pGuestParm, pHostParm); ++ if (RT_FAILURE(rc)) ++ break; ++ + switch (pGuestParm->type) + { + case VMMDevHGCMParmType_32bit: +@@ -2098,7 +2258,6 @@ + { + /* Use the saved page list to write data back to the guest RAM. */ + rc = vmmdevHGCMWriteLinPtr (pVMMDevState->pDevIns, i, pHostParm->u.pointer.addr, size, iLinPtr, pCmd->paLinPtrs); +- AssertReleaseRC(rc); + } + + /* All linptrs with size > 0 were saved. Advance the index to the next linptr. */ +@@ -2149,7 +2308,8 @@ + default: + { + /* This indicates that the guest request memory was corrupted. */ +- AssertReleaseMsgFailed(("hgcmCompleted: invalid parameter type %08X\n", pGuestParm->type)); ++ rc = VERR_INVALID_PARAMETER; ++ break; + } + } + } +@@ -2175,10 +2335,11 @@ + break; + } + } +- else ++ ++ if (RT_FAILURE(rc)) + { +- /* Command type is wrong. Return error to the guest. */ +- pHeader->header.rc = rc; ++ /* Command is wrong. Return HGCM error result to the guest. */ ++ pHeader->result = rc; + } + + /* Mark request as processed. */ diff -Nru virtualbox-4.1.12-dfsg/debian/patches/CVE-2013-0420.patch virtualbox-4.1.12-dfsg/debian/patches/CVE-2013-0420.patch --- virtualbox-4.1.12-dfsg/debian/patches/CVE-2013-0420.patch 1970-01-01 01:00:00.000000000 +0100 +++ virtualbox-4.1.12-dfsg/debian/patches/CVE-2013-0420.patch 2013-03-31 20:28:32.000000000 +0200 
@@ -0,0 +1,15 @@
+Description: DevVGA: Do not draw more lines than necessary.
+Origin: upstream, https://www.virtualbox.org/changeset/44055/vbox
+Bug-Debian: http://bugs.debian.org/698292
+
+--- virtualbox-4.1.18-dfsg.orig/src/VBox/Devices/Graphics/DevVGA.cpp
++++ virtualbox-4.1.18-dfsg/src/VBox/Devices/Graphics/DevVGA.cpp
+@@ -1795,7 +1795,7 @@ static int vga_draw_text(VGAState *s, in
+ cx_max_upd = -1;
+ cx_min_upd = width;
+ 
+- for(cy = 0; cy < height; cy = cy + (1 << dscan)) {
++ for(cy = 0; cy < (height - dscan); cy = cy + (1 << dscan)) {
+ d1 = dest;
+ src = s1;
+ cx_min = width;
diff -Nru virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0981.patch virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0981.patch
--- virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0981.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0981.patch 2014-04-14 11:18:57.000000000 +0200
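Review bot: The new bound `cy < (height - dscan)` subtracts `dscan` while the loop advances by `1 << dscan`, and nothing in the hunk says why those two are meant to line up. If `dscan` is only ever 0 or 1 the change trims the last line in the double-scan case, but for any larger value the bound and the stride would no longer correspond; the range of `dscan` and the signedness of `height` are not visible here. A short comment on the loop, for example `/* dscan is 0 or 1; with double scan, stop before the line pair that would run past height */`, would record the assumption, if that is indeed the intent. The body of vga_draw_text continues outside the hunk.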
@@ -0,0 +1,53 @@
+diff -Nur VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c
+--- VirtualBox-4.1.30/src/VBox/GuestHost/OpenGL/util/net.c 2014-01-10 17:21:21.000000000 +0100
++++ VirtualBox-4.1.32/src/VBox/GuestHost/OpenGL/util/net.c 2014-03-14 08:18:19.000000000 +0100
+@@ -957,7 +957,7 @@
+ conn->InstantReclaim( conn, (CRMessage *) msg );
+ }
+ 
+-
++#ifdef IN_GUEST
+ /**
+ * Called by the main receive function when we get a CR_MESSAGE_WRITEBACK
+ * message. Writeback is used to implement glGet*() functions.
+@@ -990,7 +990,7 @@
+ (*writeback)--;
+ crMemcpy( dest_ptr, ((char *)rb) + sizeof(*rb), payload_len );
+ }
+-
++#endif
+ 
+ /**
+ * This is used by the SPUs that do packing (such as Pack, Tilesort and
+@@ -1068,13 +1068,21 @@
+ }
+ break;
+ case CR_MESSAGE_READ_PIXELS:
+- crError( "Can't handle read pixels" );
++ crWarning( "Can't handle read pixels" );
+ return;
+ case CR_MESSAGE_WRITEBACK:
++#ifdef IN_GUEST
+ crNetRecvWriteback( &(pRealMsg->writeback) );
++#else
++ crWarning("CR_MESSAGE_WRITEBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_READBACK:
++#ifdef IN_GUEST
+ crNetRecvReadback( &(pRealMsg->readback), len );
++#else
++ crWarning("CR_MESSAGE_READBACK not expected\n");
++#endif
+ return;
+ case CR_MESSAGE_CRUT:
+ /* nothing */
+@@ -1092,7 +1100,7 @@
+ {
+ char string[128];
+ crBytesToString( string, sizeof(string), msg, len );
+- crError("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
++ crWarning("crNetDefaultRecv: received a bad message: type=%d buf=[%s]\n"
+ "Did you add a new message type and forget to tell "
+ "crNetDefaultRecv() about it?\n",
+ msg->header.type, string );
diff -Nru virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0983.patch virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0983.patch
--- virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0983.patch 1970-01-01 01:00:00.000000000 +0100
+++ virtualbox-4.1.12-dfsg/debian/patches/CVE-2014-0983.patch
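Review bot: In the net.c hunk at -1092 the bad-message branch now calls `crWarning` where it called `crError`, so if `crError` used to stop execution, control now runs on into whatever follows `msg->header.type, string );`. Those statements are outside the hunk; confirm that an unrecognised message is discarded there rather than handled further. The non-guest `#else` branches for CR_MESSAGE_WRITEBACK and CR_MESSAGE_READBACK would also benefit from a one-line comment saying that the host must not act on these message types when they arrive from a guest. The two new warning strings end in `\n` while `"Can't handle read pixels"` does not; one form should be used throughout.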
2014-04-14 11:18:29.000000000 +0200 
@@ -0,0 +1,62 @@ +--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py ++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py +@@ -46,6 +46,7 @@ + for func_name in keys: + current = 0 + array = "" ++ condition = "" + m = re.search( r"^(Color|Normal)([1234])(ub|b|us|s|ui|i|f|d)$", func_name ) + if m : + current = 1 +@@ -68,6 +69,7 @@ + name = "texCoord" + type = m.group(3) + m.group(2) + array = "[texture-GL_TEXTURE0_ARB]" ++ condition = "if (texture >= GL_TEXTURE0_ARB && texture < GL_TEXTURE0_ARB + CR_MAX_TEXTURE_UNITS)" + m = re.match( r"^(Index)(ub|b|us|s|ui|i|f|d)$", func_name ) + if m : + current = 1 +@@ -91,18 +93,23 @@ + name = string.lower( m.group(1)[:1] ) + m.group(1)[1:] + type = m.group(3) + m.group(2) + array = "[index]" ++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)" + if func_name == "VertexAttrib4NubARB": + current = 1 + name = "vertexAttrib" + type = "ub4" + array = "[index]" ++ condition = "if (index < CR_MAX_VERTEX_ATTRIBS)" + + if current: + params = apiutil.Parameters(func_name) + print 'void SERVER_DISPATCH_APIENTRY crServerDispatch%s( %s )' % ( func_name, apiutil.MakeDeclarationString(params) ) + print '{' +- print '\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) ) +- print "\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array) ++ print '\t%s' % (condition) ++ print '\t{' ++ print '\t\tcr_server.head_spu->dispatch_table.%s( %s );' % (func_name, apiutil.MakeCallString(params) ) ++ print "\t\tcr_server.current.c.%s.%s%s = cr_unpackData;" % (name,type,array) ++ print '\t}' + print '}\n' + + print """ +--- a/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py ++++ b/src/VBox/HostServices/SharedOpenGL/crserverlib/server_simpleget.py +@@ -113,7 +113,14 @@ + *get_values = (%s)CR_MAX_TEXTURE_UNITS; + } + } +- """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], 
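Review bot: When the generated `condition` is false, the dispatcher emitted by server_dispatch.py returns without calling the SPU and without logging, so an out-of-range `index` or `texture` is dropped silently. An `else` branch in the generated C that emits a warning (net.c in this same update uses `crWarning`; whether it is available to crserverlib is not visible here) would make rejected calls visible when diagnosing a misbehaving guest. For functions that set no `condition`, `print '\t%s' % (condition)` writes a line holding only a tab in front of the bare block; guarding it as `if condition: print '\t%s' % (condition)` keeps the generated source clean.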
types[index], types[index], types[index]) ++ else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname) ++ { ++ if (CR_MAX_VERTEX_ATTRIBS < (GLuint)*get_values) ++ { ++ *get_values = (%s)CR_MAX_VERTEX_ATTRIBS; ++ } ++ } ++ """ % (types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index], types[index]) + print '\tcrServerReturnValue( get_values, tablesize );' + print '\tcrFree(get_values);' + print '}\n' diff -Nru virtualbox-4.1.12-dfsg/debian/patches/series virtualbox-4.1.12-dfsg/debian/patches/series --- virtualbox-4.1.12-dfsg/debian/patches/series 2013-09-10 13:26:42.000000000 +0200 +++ virtualbox-4.1.12-dfsg/debian/patches/series 2014-04-14 17:37:31.000000000 +0200 @@ -24,3 +24,7 @@ 43-add-support-for-linux-3-9.patch 44-add-support-for-linux-3-6.patch 45-add-support-for-linux-3-11.patch +CVE-2013-0420.patch +38-security-fixes-2014-01.patch +CVE-2014-0981.patch +CVE-2014-0983.patch
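Review bot: The format tuple in server_simpleget.py now repeats `types[index]` twelve times and has to match the number of `%s` placeholders in the template exactly, so the new `else if (GL_MAX_VERTEX_ATTRIBS_ARB==pname)` branch needed a matching edit at the far end of the string. A miscount only shows up when the generator runs. Using a named placeholder, `%(type)s` in the template with `% {'type': types[index]}` after it, removes the count altogether. The template string starts outside the hunk.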