On Tue, Oct 10, 2017 at 11:51:00AM -0500, Eric Blake wrote:
> On 10/10/2017 10:43 AM, Daniel P. Berrange wrote:
> > The websocket GSource is monitoring the size of the rawoutput
> > buffer to determine if the channel can accept more writes.
> > The rawoutput buffer, however, is merely a temporary staging
> > buffer before data is copied into the encoutput buffer. This
>
> s/This/Thus/
>
> > its size will always be zero when the GSource runs.
> >
> > This flaw causes the encoutput buffer to grow without bound
> > if the other end of the underlying data channel doesn't
> > read data being sent. This can be seen with VNC if a client
> > is on a slow WAN link and the guest OS is sending many screen
> > updates. A malicious VNC client can act like it is on a slow
> > link by playing a video in the guest and then reading data
> > very slowly, causing QEMU host memory to expand arbitrarily.
> >
> > This issue is assigned CVE-2017-????, publicly reported in
>
> If we get the assignment in time, I'm sure you'll update this before the
> PULL request.

Yes, exactly the plan...

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
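The flaw described in the quoted commit message, modelled as an added example (this is a constructed toy, not QEMU's websocket channel code): a staging buffer is drained into the encoded output buffer on every write, so a readiness check that inspects the staging buffer always sees zero and never applies backpressure, while a check on the encoded buffer stops accepting writes once a threshold is reached. The struct, field names and the MAX_PENDING threshold are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PENDING 4096  /* hypothetical backpressure threshold, in bytes */

/* Constructed model of the two buffers; not QEMU's real data structures. */
typedef struct {
    size_t rawoutput;  /* bytes staged before websocket framing */
    size_t encoutput;  /* framed bytes queued for the socket */
} WSChannel;

/* Stage bytes, then frame them: rawoutput is drained into encoutput
 * immediately, so rawoutput is zero by the time any GSource check runs. */
static void ws_write(WSChannel *ch, size_t len) {
    ch->rawoutput += len;
    ch->encoutput += ch->rawoutput + 2;  /* +2 bytes of (constructed) frame header */
    ch->rawoutput = 0;
}

/* The peer read n bytes from the socket, freeing space in encoutput. */
static void ws_flush(WSChannel *ch, size_t n) {
    ch->encoutput -= (n < ch->encoutput) ? n : ch->encoutput;
}

/* Flawed readiness check: looks at the staging buffer, which is always empty here. */
static int can_write_flawed(const WSChannel *ch) { return ch->rawoutput < MAX_PENDING; }

/* Corrected check: looks at the buffer that actually queues data for the socket. */
static int can_write_fixed(const WSChannel *ch) { return ch->encoutput < MAX_PENDING; }

/* Drive a producer through the given readiness check against a peer that never
 * reads, for `rounds` attempts of `chunk` bytes; returns the final encoutput size. */
static size_t simulate(WSChannel *ch, int (*can_write)(const WSChannel *),
                       int rounds, size_t chunk) {
    memset(ch, 0, sizeof *ch);
    for (int i = 0; i < rounds; i++)
        if (can_write(ch))
            ws_write(ch, chunk);
    return ch->encoutput;
}

int main(void) {
    WSChannel ch;
    printf("flawed check, peer not reading: %zu bytes queued\n",
           simulate(&ch, can_write_flawed, 1000, 100));
    printf("fixed check,  peer not reading: %zu bytes queued\n",
           simulate(&ch, can_write_fixed, 1000, 100));
    return 0;
}
```

With the flawed check the queue grows by 102 bytes on every round regardless of the threshold; with the fixed check it stops just past MAX_PENDING and only resumes after ws_flush frees space.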
