From c3f4538a8003925ce39dfedaec8ed241e80865a8 Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange
Date: Mar 14 2007 20:30:05 +0000
Subject: Disable access to QEMU monitor over VNC
---
diff --git a/xen-remove-vnc-monitor.patch b/xen-remove-vnc-monitor.patch
new file mode 100644
index 0000000..ffeca48
--- /dev/null
+++ b/xen-remove-vnc-monitor.patch
@@ -0,0 +1,159 @@
+diff -rup xen-3.0.4_1-src.orig/tools/ioemu/vnc.c xen-3.0.4_1-src.new/tools/ioemu/vnc.c
+--- xen-3.0.4_1-src.orig/tools/ioemu/vnc.c 2007-03-14 15:12:23.000000000 -0400
++++ xen-3.0.4_1-src.new/tools/ioemu/vnc.c 2007-03-14 15:15:36.000000000 -0400
+@@ -113,8 +113,6 @@ struct VncState
+ int visible_w;
+ int visible_h;
+ 
+- int ctl_keys; /* Ctrl+Alt starts calibration */
+- int shift_keys; /* Shift / CapsLock keys */
+ int numlock;
+ };
+ 
+@@ -863,119 +861,40 @@ static void press_key(VncState *vs, int
+ 
+ static void do_key_event(VncState *vs, int down, uint32_t sym)
+ {
++ int keycode;
++ int numlock;
++ 
+ sym &= 0xFFFF;
+ 
+- if (is_graphic_console()) {
+- int keycode;
+- int numlock;
+- 
+- keycode = keysym2scancode(vs->kbd_layout, sym);
+- numlock = keysym2numlock(vs->kbd_layout, sym);
+- 
+- /* If the numlock state needs to change then simulate an additional
+- keypress before sending this one. This will happen if the user
+- toggles numlock away from the VNC window.
+- */
+- if (numlock == 1) {
+- if (!vs->numlock) {
+- vs->numlock = 1;
+- press_key(vs, XK_Num_Lock);
+- }
+- }
+- else if (numlock == -1) {
+- if (vs->numlock) {
+- vs->numlock = 0;
+- press_key(vs, XK_Num_Lock);
+- }
+- }
++ keycode = keysym2scancode(vs->kbd_layout, sym);
++ numlock = keysym2numlock(vs->kbd_layout, sym);
+ 
+- if (keycode & 0x80)
+- kbd_put_keycode(0xe0);
+- if (down)
+- kbd_put_keycode(keycode & 0x7f);
+- else
+- kbd_put_keycode(keycode | 0x80);
+- } else if (down) {
+- int qemu_keysym = 0;
+- 
+- if (sym <= 128) { /* normal ascii */
+- int shifted = vs->shift_keys == 1 || vs->shift_keys == 2;
+- qemu_keysym = sym;
+- if (sym >= 'a' && sym <= 'z' && shifted)
+- qemu_keysym -= 'a' - 'A';
+- } else {
+- switch (sym) {
+- case XK_Up: qemu_keysym = QEMU_KEY_UP; break;
+- case XK_Down: qemu_keysym = QEMU_KEY_DOWN; break;
+- case XK_Left: qemu_keysym = QEMU_KEY_LEFT; break;
+- case XK_Right: qemu_keysym = QEMU_KEY_RIGHT; break;
+- case XK_Home: qemu_keysym = QEMU_KEY_HOME; break;
+- case XK_End: qemu_keysym = QEMU_KEY_END; break;
+- case XK_Page_Up: qemu_keysym = QEMU_KEY_PAGEUP; break;
+- case XK_Page_Down: qemu_keysym = QEMU_KEY_PAGEDOWN; break;
+- case XK_BackSpace: qemu_keysym = QEMU_KEY_BACKSPACE; break;
+- case XK_Delete: qemu_keysym = QEMU_KEY_DELETE; break;
+- case XK_Return:
+- case XK_Linefeed: qemu_keysym = sym; break;
+- default: break;
+- }
++ /* If the numlock state needs to change then simulate an additional
++ keypress before sending this one. This will happen if the user
++ toggles numlock away from the VNC window.
++ */
++ if (numlock == 1) {
++ if (!vs->numlock) {
++ vs->numlock = 1;
++ press_key(vs, XK_Num_Lock);
+ }
+- if (qemu_keysym != 0)
+- kbd_put_keysym(qemu_keysym);
+ }
+- 
+- if (down) {
+- switch (sym) {
+- case XK_Control_L:
+- vs->ctl_keys |= 1;
+- break;
+- 
+- case XK_Alt_L:
+- vs->ctl_keys |= 2;
+- break;
+- 
+- case XK_Shift_L:
+- vs->shift_keys |= 1;
+- break;
+- 
+- default:
+- break;
++ else if (numlock == -1) {
++ if (vs->numlock) {
++ vs->numlock = 0;
++ press_key(vs, XK_Num_Lock);
+ }
+- } else {
+- switch (sym) {
+- case XK_Control_L:
+- vs->ctl_keys &= ~1;
+- break;
+- 
+- case XK_Alt_L:
+- vs->ctl_keys &= ~2;
+- break;
+- 
+- case XK_Shift_L:
+- vs->shift_keys &= ~1;
+- break;
+- 
+- case XK_Caps_Lock:
+- vs->shift_keys ^= 2;
+- break;
++ }
+ 
+- case XK_Num_Lock:
+- vs->numlock = !vs->numlock;
+- break;
++ if (keycode & 0x80)
++ kbd_put_keycode(0xe0);
++ if (down)
++ kbd_put_keycode(keycode & 0x7f);
++ else
++ kbd_put_keycode(keycode | 0x80);
+ 
+- case XK_1 ... XK_9:
+- if ((vs->ctl_keys & 3) != 3)
+- break;
+- 
+- console_select(sym - XK_1);
+- if (is_graphic_console()) {
+- /* tell the vga console to redisplay itself */
+- vga_hw_invalidate();
+- vnc_dpy_update(vs->ds, 0, 0, vs->ds->width, vs->ds->height);
+- }
+- break;
+- }
+- }
++ if (!down && sym == XK_Num_Lock)
++ vs->numlock = !vs->numlock;
+ }
+ 
+ static void key_event(VncState *vs, int down, uint32_t sym)
+Only in xen-3.0.4_1-src.new/tools/ioemu: vnc.c~
diff --git a/xen.spec b/xen.spec
index e3c172b..8821f2b 100644
--- a/xen.spec
+++ b/xen.spec
@@ -3,7 +3,7 @@ Summary: Xen is a virtual machine monitor
 Name: xen
 Version: 3.0.4
-Release: 8%{dist}
+Release: 9%{dist}
 Group: Development/Libraries
 License: GPL
 URL: http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html
@@ -22,6 +22,7 @@ Patch20: xen-blktap-no-aio-epoll.patch
 Patch21: xen-blktap-error-returns.patch
 Patch22: xen-boot-raw-tap.patch
 Patch23: xen-qemu-close-fds.patch
+Patch24: xen-remove-vnc-monitor.patch
 
 # Patches to modify the default config of xend
 Patch100: xen-config-dom0-minmem.patch
@@ -110,6 +111,7 @@ virtual machines.
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 
 # config patches
 %patch100 -p1
@@ -241,6 +243,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/*.a
 
 %changelog
+* Wed Mar 14 2007 Daniel P. Berrange - 3.0.4-9.fc7
+- Disable access to QEMU monitor over VNC (CVE-2007-0998, bz 230295)
+
 * Tue Mar 6 2007 Daniel P. Berrange - 3.0.4-8.fc7
 - Close QEMU file handles when running network script
 
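Review bot: The new patch file ends with a `diff -rup` stray line, `Only in xen-3.0.4_1-src.new/tools/ioemu: vnc.c~`, reporting an editor backup left in the tree the patch was cut from; `patch` skips it as garbage, but it is noise that should be dropped before the file is committed. The patch also carries no header of its own, so a reader of `xen-remove-vnc-monitor.patch` cannot tell what is being cut or why; a leading line such as `Drop the VNC keyboard paths into the QEMU monitor (CVE-2007-0998, bz 230295): the text-console keysym branch and Ctrl+Alt+<n> console switching, so VNC input only ever reaches the guest keyboard.` would make it self-describing. Note that the rewrite removes the `is_graphic_console()` guard entirely, so `do_key_event` now always emits `kbd_put_keycode` whatever console is active; that is the safe direction, but it also silently drops Ctrl+Alt+<n> console switching for VNC users, which the changelog entry does not mention. Whether `press_key()` (defined above the hunk, outside SOURCE) feeds back into `do_key_event` and so double-toggles `vs->numlock` against the new `if (!down && sym == XK_Num_Lock)` line cannot be confirmed from here.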