CVE-2015-1779 qemu: vnc: insufficient resource limiting in VNC websockets decoder

[Petr Matousek <pmatouse () redhat com>]

It was found that the QEMU's websocket frame decoder processed incoming
frames without limiting resources used to process the header and
payload. An attacker able to access a guest's VNC console could use this
flaw to trigger a denial of service on the host by exhausting all
available memory and CPU.

Acknowledgements:

This issue was discovered by Daniel P. Berrange of Red Hat.

Upstream patch submission:
https://lists.gnu.org/archive/html/qemu-devel/2015-03/msg04894.html

-- 
Petr Matousek / Red Hat Product Security
PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3  D874 3E78 6F42 C449 77CA