import spice-gtk-0.37-1.el8_2.2

This commit is contained in:
CentOS Sources 2020-10-06 08:58:38 -04:00 committed by Andrew Lukoshko
parent 8a334aa6e5
commit 83e43b085d
5 changed files with 162 additions and 1 deletions

View File

@ -0,0 +1,34 @@
From d9cc2d4659950df230dfe30e5445b91d4c15604e Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:09:13 +0100
Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
decoding quic image
All paths already pass some data to quic_decode_begin but for the
test check it, it's not that expensive test.
Checking for not 0 is enough, all other words will potentially be
read calling more_io_words but we need one to avoid a potential
initial buffer overflow or deferencing an invalid pointer.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
common/quic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
index 55a5d6c..e03f3af 100644
--- a/subprojects/spice-common/common/quic.c
+++ b/subprojects/spice-common/common/quic.c
@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
int channels;
int bpc;
- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
return QUIC_ERROR;
}
--
2.25.4

View File

@ -0,0 +1,48 @@
From 19cd6fe85610b424349db2d97e2dd0e2761a4a05 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:10:24 +0100
Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
Avoid some overflow in code due to images too big or
negative numbers.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
common/quic.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
index e03f3af..890f128 100644
--- a/subprojects/spice-common/common/quic.c
+++ b/subprojects/spice-common/common/quic.c
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
#define MINwminext 1
#define MAXwminext 100000000
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
+
typedef struct QuicFamily {
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
unmodified GR codewords in the code */
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
height = encoder->io_word;
decode_eat32bits(encoder);
+ if (width <= 0 || height <= 0) {
+ encoder->usr->warn(encoder->usr, "invalid size\n");
+ return QUIC_ERROR;
+ }
+
+ /* avoid too big images */
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
+ encoder->usr->error(encoder->usr, "image too large\n");
+ }
+
quic_image_params(encoder, type, &channels, &bpc);
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
--
2.25.4

View File

@ -0,0 +1,35 @@
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Wed, 29 Apr 2020 15:11:38 +0100
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
common/quic_tmpl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
index f0a4927..11e09f5 100644
--- a/subprojects/spice-common/common/quic_tmpl.c
+++ b/subprojects/spice-common/common/quic_tmpl.c
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
do_run:
state->waitcnt = stopidx - i;
run_index = i;
- run_end = i + decode_state_run(encoder, state);
+ run_end = decode_state_run(encoder, state);
+ if (run_end < 0 || run_end > (end - i)) {
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
+ }
+ run_end += i;
for (; i < run_end; i++) {
UNCOMPRESS_PIX_START(&cur_row[i]);
--
2.25.4

View File

@ -0,0 +1,34 @@
From 57c6e6b00247ad289a27648213d7ad2306fe3931 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Thu, 30 Apr 2020 10:19:09 +0100
Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
find_bucket
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
common/quic_family_tmpl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
index 8a5f7d2..6cc051b 100644
--- a/subprojects/spice-common/common/quic_family_tmpl.c
+++ b/subprojects/spice-common/common/quic_family_tmpl.c
@@ -107,7 +107,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
spice_assert(val < (0x1U << BPC));
}
- return channel->_buckets_ptrs[val];
+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+ * attempts. Is much faster then using comparisons and save us from such situations.
+ * Note that on normal build the check above won't be compiled as this code path
+ * is pretty hot and would cause speed regressions.
+ */
+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
}
#undef FNAME
--
2.25.4

View File

@ -2,7 +2,7 @@
Name: spice-gtk Name: spice-gtk
Version: 0.37 Version: 0.37
Release: 1%{?dist} Release: 1%{?dist}.2
Summary: A GTK+ widget for SPICE clients Summary: A GTK+ widget for SPICE clients
Group: System Environment/Libraries Group: System Environment/Libraries
@ -13,6 +13,11 @@ Source0: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_v
Source1: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig Source1: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig
Source2: victortoso-E37A484F.keyring Source2: victortoso-E37A484F.keyring
Patch0001: 0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
Patch0002: 0002-quic-Check-image-size-in-quic_decode_begin.patch
Patch0003: 0003-quic-Check-RLE-lengths.patch
Patch0004: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
BuildRequires: git-core BuildRequires: git-core
BuildRequires: gnupg2 BuildRequires: gnupg2
BuildRequires: intltool BuildRequires: intltool
@ -37,6 +42,7 @@ BuildRequires: json-glib-devel
BuildRequires: spice-protocol >= 0.14.0 BuildRequires: spice-protocol >= 0.14.0
BuildRequires: gstreamer1-devel >= 1.10.0 gstreamer1-plugins-base-devel >= 1.10.0 BuildRequires: gstreamer1-devel >= 1.10.0 gstreamer1-plugins-base-devel >= 1.10.0
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: libdrm-devel
Obsoletes: spice-gtk-python < 0.32 Obsoletes: spice-gtk-python < 0.32
Requires: spice-glib%{?_isa} = %{version}-%{release} Requires: spice-glib%{?_isa} = %{version}-%{release}
@ -181,6 +187,10 @@ rm -f %{buildroot}%{_libdir}/*.la
%{_bindir}/spicy-stats %{_bindir}/spicy-stats
%changelog %changelog
* Wed Sep 2 2020 Frediano Ziglio <fziglio@redhat.com> - 0.37-1.2
- Fix multiple buffer overflows in QUIC decoding code
Resolves: CVE-2020-14355
* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.37-1 * Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.37-1
- Update to 0.37 - Update to 0.37
Resolves: rhbz#1711370 Resolves: rhbz#1711370