Update to 0.14.3

2020-02-27 13:50:01 +01:00 · 2020-02-27 13:50:01 +01:00 · 28d8705203
commit 28d8705203
parent 61e4e136e0
3 changed files with 8 additions and 103 deletions
--- a/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+++ b/0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
@ -1,98 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Christophe Fergeau <cfergeau@redhat.com>
-Date: Thu, 29 Nov 2018 14:18:39 +0100
-Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
-
-RedMemSlotInfo keeps an array of groups, and each group contains an
-array of slots. Unfortunately, these checks are off by 1, they check
-that the index is greater or equal to the number of elements in the
-array, while these arrays are 0 based. The check should only check for
-strictly greater than the number of elements.
-
-For the group array, this is not a big issue, as these memslot groups
-are created by spice-server users (eg QEMU), and the group ids used to
-index that array are also generated by the spice-server user, so it
-should not be possible for the guest to set them to arbitrary values.
-
-The slot id is more problematic, as it's calculated from a QXLPHYSICAL
-address, and such addresses are usually set by the guest QXL driver, so
-the guest can set these to arbitrary values, including malicious values,
-which are probably easy to build from the guest PCI configuration.
-
-This patch fixes the arrays bound check, and adds a test case for this.
-This fixes CVE-2019-3813.
-
-Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
- server/memslot.c                |  4 ++--
- server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 32 insertions(+), 2 deletions(-)
-
-diff --git a/server/memslot.c b/server/memslot.c
-index ede77e7..ea6f981 100644
--- a/server/memslot.c
-+++ b/server/memslot.c
-@@ -97,13 +97,13 @@ void *memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t add_size
- 
-     MemSlot *slot;
- 
-    if (group_id > info->num_memslots_groups) {
-+    if (group_id >= info->num_memslots_groups) {
-         spice_critical("group_id too big");
-         return NULL;
-     }
- 
-     slot_id = memslot_get_id(info, addr);
-    if (slot_id > info->num_memslots) {
-+    if (slot_id >= info->num_memslots) {
-         print_memslots(info);
-         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
-         return NULL;
-diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
-index 47139a4..5b8d0f2 100644
--- a/server/tests/test-qxl-parsing.c
-+++ b/server/tests/test-qxl-parsing.c
-@@ -85,6 +85,31 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
-     g_free(from_physical(qxl->u.surface_create.data));
- }
- 
-+static void test_memslot_invalid_group_id(void)
-+{
-+    RedMemSlotInfo mem_info;
-+    init_meminfo(&mem_info);
-+
-+    memslot_get_virt(&mem_info, 0, 16, 1);
-+}
-+
-+static void test_memslot_invalid_slot_id(void)
-+{
-+    RedMemSlotInfo mem_info;
-+    init_meminfo(&mem_info);
-+
-+    memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0);
-+}
-+
-+static void test_memslot_invalid_addresses(void)
-+{
-+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
-+    g_test_trap_assert_stderr("*group_id too big*");
-+
-+    g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
-+    g_test_trap_assert_stderr("*slot_id 1 too big*");
-+}
-+
- static void test_no_issues(void)
- {
-     RedMemSlotInfo mem_info;
-@@ -262,6 +287,11 @@ int main(int argc, char *argv[])
- {
-     g_test_init(&argc, &argv, NULL);
- 
-+    /* try to use invalid memslot group/slot */
-+    g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
-+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
-+    g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
-+
-     /* try to create a surface with no issues, should succeed */
-     g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
- 
--- a/4
+++ b/4
@ -1,3 +1,3 @@
-SHA512 (spice-0.14.2.tar.bz2) = 1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76
-SHA512 (spice-0.14.2.tar.bz2.sign) = ef7f6806d4c050014e22d9c43b0364766ae98c4b505ecdebd7975e820863e663363b1e19d25bcc20453239a3817e96f9e8ac37c01ec231a06b0ea8129e40af36
+SHA512 (spice-0.14.3.tar.bz2) = 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4
+SHA512 (spice-0.14.3.tar.bz2.sign) = 1f1fadebe7b4ecedcc98b6c622d83a39e7cbd6e67699dfde0ed6c3f443ef228578c16e409e2b6d0ef4e2d2b3d54b1d5c1798ac7817db50902a03cc323ba24181
 SHA512 (victortoso-E37A484F.keyring) = 091755da8a358c8c8ebd3b5443b4b5eb3c260afed943454c085d48c973de6a42763547c321c64e4da5c1b2983ad0c5146aaeddeb1d54ef414f7e6a530a3bf14a
--- a/spice.spec
+++ b/spice.spec
@ -1,6 +1,6 @@
 Name:           spice
-Version:        0.14.2
-Release:        3%{?dist}
+Version:        0.14.3
+Release:        1%{?dist}
 Summary:        Implements the SPICE protocol
 License:        LGPLv2+
 URL:            http://www.spice-space.org/
@ -86,7 +86,7 @@ mkdir -p %{buildroot}%{_libexecdir}
 %files server
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc README NEWS
+%doc README CHANGELOG.md
 %{_libdir}/libspice-server.so.1*

 %files server-devel
@ -96,6 +96,9 @@ mkdir -p %{buildroot}%{_libexecdir}


 %changelog
+* Thu Feb 27 2020 Victor Toso <victortoso@redhat.com> - 0.14.3-1
+- Update to 0.14.3
+
 * Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.14.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild