rpms/spice-gtk
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add patch fixing CVE 2012-4425

Browse Source
This commit is contained in:
Christophe Fergeau 2012-09-14 11:09:09 +02:00
parent e57e20462b
commit 001df26918
2 changed files with 68 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
0003-CVE-2012-4425.patch Normal file
View File

@ -0,0 +1,60 @@
diff --git a/configure.ac b/configure.ac
index 3841c56..b2defd3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -243,6 +243,8 @@ else
EXTERNAL_PNP_IDS="$with_pnp_ids_path"
fi
+AC_CHECK_FUNCS(clearenv)
+
PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
AC_SUBST(GLIB2_CFLAGS)
AC_SUBST(GLIB2_LIBS)
diff --git a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c
index 724d62a..93b9b3a 100644
--- a/gtk/spice-client-glib-usb-acl-helper.c
+++ b/gtk/spice-client-glib-usb-acl-helper.c
@@ -158,7 +158,8 @@ static void cleanup(void)
if (state == STATE_WAITING_FOR_STDIN_EOF)
set_facl(path, getuid(), 0);
- g_main_loop_quit(loop);
+ if (loop)
+ g_main_loop_quit(loop);
}
/* Not available in polkit < 0.101 */
@@ -311,11 +312,32 @@ polkit_authority_get_sync (GCancellable *cancellable, GError **error)
}
#endif
+#ifndef HAVE_CLEARENV
+extern char **environ;
+
+static int
+clearenv (void)
+{
+ if (environ != NULL)
+ environ[0] = NULL;
+ return 0;
+}
+#endif
+
int main(void)
{
pid_t parent_pid;
GInputStream *stdin_unix_stream;
+ /* Nuke the environment to get a well-known and sanitized
+ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
+ * environment variable and similar.
+ */
+ if (clearenv () != 0) {
+ FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
+ return 1;
+ }
+
g_type_init();
loop = g_main_loop_new(NULL, FALSE);

11
spice-gtk.spec
View File

@ -13,7 +13,7 @@
Name: spice-gtk Name: spice-gtk
Version: 0.13.29 Version: 0.13.29
Release: 3%{?dist} Release: 4%{?dist}
Summary: A GTK+ widget for SPICE clients Summary: A GTK+ widget for SPICE clients
Group: System Environment/Libraries Group: System Environment/Libraries
@ -23,6 +23,7 @@ URL: http://spice-space.org/page/Spice-Gtk
Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2 Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2
Patch1: 0001-G_GNUC_DEPRECATED_FOR-must-be-defined-publicly.patch Patch1: 0001-G_GNUC_DEPRECATED_FOR-must-be-defined-publicly.patch
Patch2: 0002-build-sys-Fix-symbol-versioning.patch Patch2: 0002-build-sys-Fix-symbol-versioning.patch
Patch3: 0003-CVE-2012-4425.patch
BuildRequires: intltool BuildRequires: intltool
BuildRequires: gtk2-devel >= 2.14 BuildRequires: gtk2-devel >= 2.14
@ -50,7 +51,7 @@ BuildRequires: pyparsing
BuildRequires: spice-protocol BuildRequires: spice-protocol
# Hack because of bz #613466 # Hack because of bz #613466
BuildRequires: libtool BuildRequires: libtool
# For patch #2 # For patch #2 and #3
BuildRequires: autoconf automake BuildRequires: autoconf automake
Requires: spice-glib%{?_isa} = %{version}-%{release} Requires: spice-glib%{?_isa} = %{version}-%{release}
@ -153,7 +154,8 @@ fi
pushd spice-gtk-%{version} pushd spice-gtk-%{version}
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
# Patch 2 changes Makefile.am %patch3 -p1
# Patch 2 changes Makefile.am and patch 3 changes configure.ac
autoreconf -fi autoreconf -fi
popd popd
@ -274,6 +276,9 @@ rm -rf %{buildroot}%{_datadir}/pkgconfig/spice-protocol.pc
%{_bindir}/spicy-stats %{_bindir}/spicy-stats
%changelog %changelog
* Fri Sep 14 2012 Christophe Fergeau <cfergeau@redhat.com> - 0.13.29-4
- Add patch fixing CVE 2012-4425
* Thu Sep 13 2012 Christophe Fergeau <cfergeau@redhat.com> - 0.13.29-3 * Thu Sep 13 2012 Christophe Fergeau <cfergeau@redhat.com> - 0.13.29-3
- Run autoreconf after applying patch 2 as it only modifies Makefile.am - Run autoreconf after applying patch 2 as it only modifies Makefile.am