diff --git a/.gitignore b/.gitignore
index dbed308..8847226 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-SOURCES/spice-gtk-0.35.tar.bz2
+SOURCES/spice-gtk-0.37.tar.bz2
+SOURCES/victortoso-E37A484F.keyring
diff --git a/.spice-gtk.metadata b/.spice-gtk.metadata
index 25d362a..41bb860 100644
--- a/.spice-gtk.metadata
+++ b/.spice-gtk.metadata
@@ -1 +1,2 @@
-ce859f77e625928a147b7ae73e5af45166861d16 SOURCES/spice-gtk-0.35.tar.bz2
+044a5266a613f2605f4f3f7359d7251b2141d203 SOURCES/spice-gtk-0.37.tar.bz2
+da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring
diff --git a/SOURCES/0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch b/SOURCES/0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch
deleted file mode 100644
index 2ecfa91..0000000
--- a/SOURCES/0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio
-Date: Fri, 22 Dec 2017 18:43:00 +0000
-Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking
- for image type
-
-The type of the image is just copied from network without
-any check and later used for array indexing.
-
-Signed-off-by: Frediano Ziglio
-Acked-by: Uri Lublin
----
- common/lz.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c
-index 87c13db..2c5d5e2 100644
---- a/spice-common/common/lz.c
-+++ b/spice-common/common/lz.c
-@@ -593,6 +593,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes,
- }
-
- encoder->type = (LzImageType)decode_32(encoder);
-+ if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) {
-+ encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type);
-+ }
- encoder->width = decode_32(encoder);
- encoder->height = decode_32(encoder);
- encoder->stride = decode_32(encoder);
diff --git a/SOURCES/0002-lz-More-checks-on-image-sizes.patch b/SOURCES/0002-lz-More-checks-on-image-sizes.patch
deleted file mode 100644
index 422c9d7..0000000
--- a/SOURCES/0002-lz-More-checks-on-image-sizes.patch
+++ /dev/null
@@ -1,121 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 25 Jun 2018 14:16:10 +0100 -Subject: [PATCH spice-common 2/2] lz: More checks on image sizes - -Extend sizes check also to decoding, actually the source data -decoding images should be less safe than encoding. -This avoids different integer overflows and buffer overflows. -To avoid potential issues images are limited to 1GB. - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau ---- - common/lz.c | 68 ++++++++++++++++++++++++++++++++++++----------------- - 1 file changed, 46 insertions(+), 22 deletions(-) - -diff --git a/spice-common/common/lz.c b/spice-common/common/lz.c -index 2c5d5e2..167e118 100644 ---- a/spice-common/common/lz.c -+++ b/spice-common/common/lz.c -@@ -53,6 +53,8 @@ - #define HASH_SIZE (1 << HASH_LOG) - #define HASH_MASK (HASH_SIZE - 1) - -+/* Maximum image size, mainly to avoid possible integer overflows */ -+#define SPICE_MAX_IMAGE_SIZE (1024 * 1024 * 1024 - 1) - - typedef struct LzImageSegment LzImageSegment; - struct LzImageSegment { -@@ -481,33 +483,53 @@ typedef uint16_t rgb16_pixel_t; - #undef LZ_UNEXPECT_CONDITIONAL - #undef LZ_EXPECT_CONDITIONAL - --int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, -- uint8_t *lines, unsigned int num_lines, int stride, -- uint8_t *io_ptr, unsigned int num_io_bytes) -+static void lz_set_sizes(Encoder *encoder, int type, int width, int height, int stride) - { -- Encoder *encoder = (Encoder *)lz; -- uint8_t *io_ptr_end = io_ptr + num_io_bytes; -- -- encoder->type = type; -- encoder->width = width; -- encoder->height = height; -- encoder->stride = stride; -+ if (width < 0) { -+ encoder->usr->error(encoder->usr, "invalid lz width %d\n", width); -+ } -+ if (height < 0) { -+ encoder->usr->error(encoder->usr, "invalid lz height %d\n", height); -+ } -+ if (stride < 0) { -+ encoder->usr->error(encoder->usr, "invalid lz stride %d\n", stride); -+ } - 
-- if (IS_IMAGE_TYPE_PLT[encoder->type]) { -- if (encoder->stride > (width / PLT_PIXELS_PER_BYTE[encoder->type])) { -- if (((width % PLT_PIXELS_PER_BYTE[encoder->type]) == 0) || ( -- (encoder->stride - (width / PLT_PIXELS_PER_BYTE[encoder->type])) > 1)) { -+ if (IS_IMAGE_TYPE_PLT[type]) { -+ if (stride > (width / PLT_PIXELS_PER_BYTE[type])) { -+ if (((width % PLT_PIXELS_PER_BYTE[type]) == 0) || ( -+ (stride - (width / PLT_PIXELS_PER_BYTE[type])) > 1)) { - encoder->usr->error(encoder->usr, "stride overflows (plt)\n"); - } - } - } else { -- if (encoder->stride != width * RGB_BYTES_PER_PIXEL[encoder->type]) { -+ if (stride != width * RGB_BYTES_PER_PIXEL[type]) { - encoder->usr->error(encoder->usr, "stride != width*bytes_per_pixel (rgb) %d != %d * %d (%d)\n", -- encoder->stride, width, RGB_BYTES_PER_PIXEL[encoder->type], -- encoder->type); -+ stride, width, RGB_BYTES_PER_PIXEL[type], -+ type); - } - } - -+ // avoid too big images -+ if ((uint64_t) stride * height > SPICE_MAX_IMAGE_SIZE) { -+ encoder->usr->error(encoder->usr, "image too large\n"); -+ } -+ -+ encoder->type = type; -+ encoder->width = width; -+ encoder->height = height; -+ encoder->stride = stride; -+} -+ -+int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, -+ uint8_t *lines, unsigned int num_lines, int stride, -+ uint8_t *io_ptr, unsigned int num_io_bytes) -+{ -+ Encoder *encoder = (Encoder *)lz; -+ uint8_t *io_ptr_end = io_ptr + num_io_bytes; -+ -+ lz_set_sizes(encoder, type, width, height, stride); -+ - // assign the output buffer - if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { - encoder->usr->error(encoder->usr, "lz encoder io reset failed\n"); -@@ -592,13 +614,15 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, - encoder->usr->error(encoder->usr, "bad version\n"); - } - -- encoder->type = (LzImageType)decode_32(encoder); -- if (encoder->type <= LZ_IMAGE_TYPE_INVALID || encoder->type > LZ_IMAGE_TYPE_A8) { -+ int type = 
decode_32(encoder); -+ if (type <= LZ_IMAGE_TYPE_INVALID || type > LZ_IMAGE_TYPE_A8) { - encoder->usr->error(encoder->usr, "invalid lz type %d\n", encoder->type); - } -- encoder->width = decode_32(encoder); -- encoder->height = decode_32(encoder); -- encoder->stride = decode_32(encoder); -+ int width = decode_32(encoder); -+ int height = decode_32(encoder); -+ int stride = decode_32(encoder); -+ lz_set_sizes(encoder, type, width, height, stride); -+ - *out_top_down = decode_32(encoder); - - *out_width = encoder->width; diff --git a/SOURCES/0003-canvas_base-Check-for-overflows-decoding-LZ4.patch b/SOURCES/0003-canvas_base-Check-for-overflows-decoding-LZ4.patch deleted file mode 100644 index c115376..0000000 --- a/SOURCES/0003-canvas_base-Check-for-overflows-decoding-LZ4.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Wed, 27 Jun 2018 10:55:05 +0100 -Subject: [PATCH spice-common] canvas_base: Check for overflows decoding LZ4 - -Check that we have enough data before reading. -This could lead to read buffer overflows being undetected. -This is not a security issue, read happens only in the client not causing -any information leakage, maximum can generate a crash or some garbage on -the screen. - -Signed-off-by: Frediano Ziglio -Acked-by: Jonathon Jongsma ---- - common/canvas_base.c | 24 ++++++++++++++++++++---- - 1 file changed, 20 insertions(+), 4 deletions(-) - -diff --git a/spice-common/common/canvas_base.c b/spice-common/common/canvas_base.c -index 2fd60aa..3283e88 100644 ---- a/spice-common/common/canvas_base.c -+++ b/spice-common/common/canvas_base.c -@@ -537,6 +537,10 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) - width = image->descriptor.width; - stride_encoded = width; - height = image->descriptor.height; -+ if (data + 2 > data_end) { -+ g_warning("missing header in LZ4 data"); -+ return NULL; -+ } - top_down = *(data++); - spice_format = *(data++); - switch (spice_format) { -@@ -579,16 +583,22 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) - bits = dest; - - do { -+ if (data + 4 > data_end) { -+ goto format_error; -+ } - // Read next compressed block - enc_size = ntohl(*SPICE_UNALIGNED_CAST(uint32_t *, data)); - data += 4; -+ /* check overflow. This check is a bit different to avoid -+ * possible overflows. From previous check data_end - data cannot overflow. -+ * Computing data + enc_size on 32 bit could cause overflows. 
*/ -+ if (enc_size < 0 || data_end - data < (unsigned int) enc_size) { -+ goto format_error; -+ } - dec_size = LZ4_decompress_safe_continue(stream, (const char *) data, - (char *) dest, enc_size, available); - if (dec_size <= 0) { -- spice_warning("Error decoding LZ4 block\n"); -- pixman_image_unref(surface); -- surface = NULL; -- break; -+ goto format_error; - } - dest += dec_size; - available -= dec_size; -@@ -599,6 +609,12 @@ static pixman_image_t *canvas_get_lz4(CanvasBase *canvas, SpiceImage *image) - - LZ4_freeStreamDecode(stream); - return surface; -+ -+format_error: -+ spice_warning("Error decoding LZ4 block\n"); -+ LZ4_freeStreamDecode(stream); -+ pixman_image_unref(surface); -+ return NULL; - } - #endif - diff --git a/SOURCES/spice-gtk-0.37.tar.bz2.sig b/SOURCES/spice-gtk-0.37.tar.bz2.sig new file mode 100644 index 0000000..bb32b06 Binary files /dev/null and b/SOURCES/spice-gtk-0.37.tar.bz2.sig differ diff --git a/SPECS/spice-gtk.spec b/SPECS/spice-gtk.spec index 4ff2c0c..fa2dc8a 100644 --- a/SPECS/spice-gtk.spec +++ b/SPECS/spice-gtk.spec 
@@ -1,24 +1,23 @@ #define _version_suffix Name: spice-gtk -Version: 0.35 -Release: 7%{?dist} +Version: 0.37 +Release: 1%{?dist} Summary: A GTK+ widget for SPICE clients Group: System Environment/Libraries License: LGPLv2+ URL: http://spice-space.org/page/Spice-Gtk #VCS: git:git://anongit.freedesktop.org/spice/spice-gtk -Source0: http://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2 - -Patch0001: 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch -Patch0002: 0002-lz-More-checks-on-image-sizes.patch -Patch0003: 0003-canvas_base-Check-for-overflows-decoding-LZ4.patch +Source0: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2 +Source1: https://www.spice-space.org/download/gtk/%{name}-%{version}%{?_version_suffix}.tar.bz2.sig +Source2: victortoso-E37A484F.keyring BuildRequires: git-core +BuildRequires: gnupg2 BuildRequires: intltool -BuildRequires: usbredir-devel >= 0.5.2 -BuildRequires: libusb1-devel >= 1.0.9 +BuildRequires: usbredir-devel >= 0.7.1 +BuildRequires: libusb1-devel >= 1.0.16 BuildRequires: libgudev1-devel BuildRequires: pixman-devel libjpeg-turbo-devel BuildRequires: celt051-devel pulseaudio-libs-devel opus-devel @@ -34,8 +33,9 @@ BuildRequires: usbutils BuildRequires: libsoup-devel >= 2.49.91 BuildRequires: lz4-devel BuildRequires: gtk3-devel -BuildRequires: spice-protocol >= 0.12.14 -BuildRequires: gstreamer1-devel gstreamer1-plugins-base-devel +BuildRequires: json-glib-devel +BuildRequires: spice-protocol >= 0.14.0 +BuildRequires: gstreamer1-devel >= 1.10.0 gstreamer1-plugins-base-devel >= 1.10.0 BuildRequires: python3-devel Obsoletes: spice-gtk-python < 0.32 @@ -109,6 +109,7 @@ spicy-screenshot is a tool to capture screen-shots of a SPICE desktop. %prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %autosetup -S git_am %build 
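Review bot: The three `Patch000N` lines removed in the first spec hunk carried the bounds and overflow checks for the LZ and LZ4 image decoders, and nothing in the visible change records that the spice-common bundled in the 0.37 tarball already contains them. Presumably it does, since all three were backports of upstream commits, but the new changelog entry only says `- Update to 0.37`. I would add a line such as `- Drop LZ/LZ4 decoder patches, included in 0.37` to that entry, so a later audit for rhbz#1598242 does not have to re-derive this from the upstream history.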
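Review bot: The `gpgv2` line added to `%prep` trusts every key contained in `%{SOURCE2}`, and the only identifier the spec gives for that keyring is the 32-bit short ID `E37A484F` in its file name, which is too short to identify a key reliably. A comment above `Source2:` stating the full fingerprint and where the keyring was obtained would let a reviewer check the trust anchor independently, for example `# Upstream release key, fingerprint <FULL-FINGERPRINT-PLACEHOLDER>, exported from <SOURCE-URL-PLACEHOLDER>` with both placeholders filled in. The placement before `%autosetup` is right, since a bad signature then stops the build before the tarball is unpacked, assuming the `%prep` shell aborts on a non-zero exit as rpmbuild scriptlets normally do.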
@@ -140,8 +141,8 @@ rm -f %{buildroot}%{_libdir}/*.la %files %doc AUTHORS %doc COPYING -%doc README -%doc NEWS +%doc README.md +%doc CHANGELOG.md %{_mandir}/man1/spice-client.1* %files -n spice-glib -f %{name}.lang @@ -180,6 +181,11 @@ rm -f %{buildroot}%{_libdir}/*.la %{_bindir}/spicy-stats %changelog +* Fri May 17 2019 Victor Toso - 0.37-1 +- Update to 0.37 + Resolves: rhbz#1711370 +- Use gpg to check that tarball matches upstream release + * Fri Oct 12 2018 Frediano Ziglio - 0.35-7 - Check for overflows decoding LZ4 Resolves: rhbz#1598242