commit 509a2d2fe94e57e5aa219224566678df057c2c5f Author: CentOS Sources Date: Tue May 7 07:33:52 2019 -0400 import spice-0.14.0-7.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f5eb8ca --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/cfergeau-29AC6C82.keyring +SOURCES/spice-0.14.0.tar.bz2 diff --git a/.spice.metadata b/.spice.metadata new file mode 100644 index 0000000..5408cf4 --- /dev/null +++ b/.spice.metadata @@ -0,0 +1,2 @@ +84d3abd436c6f4e194aa3f7a58be17ec9ced0a82 SOURCES/cfergeau-29AC6C82.keyring +93e42588d1aac0a3c127ada1e5d8f40be84776a9 SOURCES/spice-0.14.0.tar.bz2 diff --git a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch new file mode 100644 index 0000000..6c5eaec --- /dev/null +++ b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch @@ -0,0 +1,301 @@ +From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 18 May 2018 11:41:57 +0100 +Subject: [PATCH] Fix flexible array buffer overflow + +This is kind of a DoS, possibly flexible array in the protocol +causes the network size check to be ignored due to integer overflows. + +The size of flexible array is computed as (message_end - position), +then this size is added to the number of bytes before the array and +this number is used to check if we overflow initial message. + +An example is: + + message { + uint32 dummy[2]; + uint8 data[] @end; + } LenMessage; + +which generated this (simplified remove useless code) code: + + { /* data */ + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + } + + nw_size = 8 + data__nw_size; + + /* Check if message fits in reported side */ + if (nw_size > (uintptr_t) (message_end - start)) { + return NULL; + } + +Following code: +- data__nelements == message_end - (start + 8) +- data__nw_size == data__nelements == message_end - (start + 8) +- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == + 8 + message_end - start - 8 == message_end -start +- the check for overflow is (nw_size > (message_end - start)) but + nw_size == message_end - start so the check is doing + ((message_end - start) > (message_end - start)) which is always false. + +If message_end - start < 8 then data__nelements (number of element +on the array above) computation generate an integer underflow that +later create a buffer overflow. + +Add a check to make sure that the array starts before the message ends +to avoid the overflow. + +Difference is: + diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c + --- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 + +++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 + @@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -5226,6 +5235,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5305,6 +5317,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5540,6 +5555,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + @@ -5594,6 +5612,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 8) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c + --- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 + +++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 + @@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -6574,6 +6583,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6670,6 +6682,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6907,6 +6922,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + @@ -6961,6 +6979,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + @@ -7559,6 +7580,9 @@ + SpiceMsgTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -7840,6 +7864,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c + --- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 + +++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 + @@ -306,6 +306,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -324,6 +327,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -1259,6 +1265,9 @@ + SpiceMsgcRecordPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + @@ -1313,6 +1322,9 @@ + SpiceMsgcRecordMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + @@ -1841,6 +1853,9 @@ + SpiceMsgcTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -2057,6 +2072,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + +Signed-off-by: Frediano Ziglio +--- + spice-common/python_modules/demarshal.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py +index 1ea131d..7172762 100644 +--- a/spice-common/python_modules/demarshal.py ++++ b/spice-common/python_modules/demarshal.py +@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star + writer.assign(nelements, array.size) + elif array.is_remaining_length(): + if element_type.is_fixed_nw_size(): ++ writer.error_check("%s > message_end" % item.get_position()) + if element_type.get_fixed_nw_size() == 1: + writer.assign(nelements, "message_end - %s" % item.get_position()) + else: +-- +2.17.1 + diff --git a/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch new file mode 100644 index 0000000..ad8a9aa --- /dev/null +++ b/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch @@ -0,0 +1,100 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Thu, 29 Nov 2018 14:18:39 +0100 +Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check + +RedMemSlotInfo keeps an array of groups, and each group contains an +array of slots. Unfortunately, these checks are off by 1, they check +that the index is greater or equal to the number of elements in the +array, while these arrays are 0 based. The check should only check for +strictly greater than the number of elements. + +For the group array, this is not a big issue, as these memslot groups +are created by spice-server users (eg QEMU), and the group ids used to +index that array are also generated by the spice-server user, so it +should not be possible for the guest to set them to arbitrary values. + +The slot id is more problematic, as it's calculated from a QXLPHYSICAL +address, and such addresses are usually set by the guest QXL driver, so +the guest can set these to arbitrary values, including malicious values, +which are probably easy to build from the guest PCI configuration. + +This patch fixes the arrays bound check, and adds a test case for this. + +Signed-off-by: Christophe Fergeau +--- + server/memslot.c | 4 ++-- + server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/server/memslot.c b/server/memslot.c +index 7074b43..8c59c38 100644 +--- a/server/memslot.c ++++ b/server/memslot.c +@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t + MemSlot *slot; + + *error = 0; +- if (group_id > info->num_memslots_groups) { ++ if (group_id >= info->num_memslots_groups) { + spice_critical("group_id too big"); + *error = 1; + return 0; + } + + slot_id = memslot_get_id(info, addr); +- if (slot_id > info->num_memslots) { ++ if (slot_id >= info->num_memslots) { + print_memslots(info); + spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); + *error = 1; +diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c +index 9c0c3b1..83f2083 100644 +--- a/server/tests/test-qxl-parsing.c ++++ b/server/tests/test-qxl-parsing.c +@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) + free(from_physical(qxl->u.surface_create.data)); + } + ++static void test_memslot_invalid_group_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 0, 16, 1, &error); ++} ++ ++static void test_memslot_invalid_slot_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error); ++} ++ ++static void test_memslot_invalid_addresses(void) ++{ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); ++ g_test_trap_assert_stderr("*group_id too big*"); ++ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); ++ g_test_trap_assert_stderr("*slot_id 1 too big*"); ++} ++ + static void test_no_issues(void) + { + RedMemSlotInfo mem_info; +@@ -262,6 +289,11 @@ int main(int argc, char *argv[]) + { + g_test_init(&argc, &argv, NULL); + ++ /* try to use invalid memslot group/slot */ ++ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); ++ + /* try to create a surface with no issues, should succeed */ + g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); + diff --git a/SOURCES/spice-0.14.0.tar.bz2.sign b/SOURCES/spice-0.14.0.tar.bz2.sign new file mode 100644 index 0000000..37d8fe2 --- /dev/null +++ b/SOURCES/spice-0.14.0.tar.bz2.sign @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlneAaYACgkQqdjCFCms +bIJupA//TUYdq6tx777hplIgm4q6M8Szh8XnYEvmj8UUrVWJ2Js4fRgtIRnR/u0I +Drwn2pf5QIjpfhf7EFFhyAuErG9MeiL5Z9SM2WmOgNkPfATJ7tf0VsKQjH11axip +n9atFPz6Jb6IEI56oidhySYz9Rgvicw45yEui7ncMKsST3zTQlWfI+n6Mv48dkiJ +bUYauebvEzPuG5ecaILmHreVxDLh9/SyTKOc3+F46epkyyCxPQDX7JLK/+081Z3l +jUaMlyb0GROsY43c88Lb4H0jbsLlqfUNk5ztxvplwMXOFAgrOwbrIsLaOHSwzegc +5ZknyTwbQOx8CGLS91pgqbyyRKLMrTbMYU4KDfizQIqkNKDvQUohENcKe66aeUAk +LLEvud0VVFZSg+VEm/ISU/8Rua7DSR2tcA04bQg6ei0d/QM0hpXsL7AOB+H3ha0m +vqBrz3ivfvDh17pFCpaSCuRi5DSlT5OW6nML1Pd8w+MbrJmu/757bNpdfhynDSq+ +KWmhPIChvChA0f8LfmxGXYqcfNAZ9Ss59SkFLHEaPT49TQR9jZT9jtiHre0GV4WU +RS+CmivFB7fPlONYVOJ2i8mGT9dtVf5SfHwLLgaWzUG5aDK0KSK2o21G4Ajr6bXl +yVDP2EeAjK4WsyD8AvWM3tzSbqnGryA8ErijFZCYuP+HNzrIUeE= +=ufAb +-----END PGP SIGNATURE----- diff --git a/SPECS/spice.spec b/SPECS/spice.spec new file mode 100644 index 0000000..ddc6cd9 --- /dev/null +++ b/SPECS/spice.spec @@ -0,0 +1,356 @@ +Name: spice +Version: 0.14.0 +Release: 7%{?dist} +Summary: Implements the SPICE protocol +Group: User Interface/Desktops +License: LGPLv2+ +URL: http://www.spice-space.org/ +Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 +Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign +Source2: cfergeau-29AC6C82.keyring +Patch1: 0001-Fix-flexible-array-buffer-overflow.patch +Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=613529 +%if 0%{?rhel} && 0%{?rhel} <= 7 +ExclusiveArch: x86_64 +%else +ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 +%endif + +BuildRequires: pkgconfig +BuildRequires: glib2-devel >= 2.22 +BuildRequires: spice-protocol >= 0.12.3 +BuildRequires: celt051-devel +BuildRequires: opus-devel +BuildRequires: pixman-devel openssl-devel libjpeg-devel +BuildRequires: libcacard-devel cyrus-sasl-devel +BuildRequires: lz4-devel +BuildRequires: gstreamer1-devel gstreamer1-plugins-base-devel +BuildRequires: orc-devel +BuildRequires: gnupg2 +BuildRequires: git-core +BuildRequires: python3-devel +BuildRequires: python3-pyparsing python3-six + +%description +The Simple Protocol for Independent Computing Environments (SPICE) is +a remote display system built for virtual environments which allows +you to view a computing 'desktop' environment not only on the machine +where it is running, but from anywhere on the Internet and from a wide +variety of machine architectures. + + +%package server +Summary: Implements the server side of the SPICE protocol +Group: System Environment/Libraries +Obsoletes: spice-client < %{version}-%{release} + +%description server +The Simple Protocol for Independent Computing Environments (SPICE) is +a remote display system built for virtual environments which allows +you to view a computing 'desktop' environment not only on the machine +where it is running, but from anywhere on the Internet and from a wide +variety of machine architectures. + +This package contains the run-time libraries for any application that wishes +to be a SPICE server. + + +%package server-devel +Summary: Header files, libraries and development documentation for spice-server +Group: Development/Libraries +Requires: %{name}-server%{?_isa} = %{version}-%{release} +Requires: pkgconfig + +%description server-devel +This package contains the header files, static libraries and development +documentation for spice-server. If you like to develop programs +using spice-server, you will need to install spice-server-devel. + + +%prep +gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} +%autosetup -S git_am + + +%build +%define configure_client --disable-client +%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0 +make %{?_smp_mflags} WARN_CFLAGS='' V=1 + + +%install +make DESTDIR=%{buildroot} install +rm -f %{buildroot}%{_libdir}/libspice-server.a +rm -f %{buildroot}%{_libdir}/libspice-server.la +mkdir -p %{buildroot}%{_libexecdir} + + +%ldconfig_scriptlets server + + +%files server +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc README NEWS +%{_libdir}/libspice-server.so.1* + +%files server-devel +%{_includedir}/spice-server +%{_libdir}/libspice-server.so +%{_libdir}/pkgconfig/spice-server.pc + + +%changelog +* Tue Dec 18 2018 Christophe Fergeau - 0.14.0-7 +- Fix off-by-one error during guest-to-host memory address conversion + Resolves: CVE-2019-3813 + +* Fri Aug 17 2018 Frediano Ziglio - 0.14.0-6 +- Fix flexible array buffer overflow + Resolves: rhbz#1618555 + +* Mon Aug 13 2018 Victor Toso - 0.14.0-5 +- Include python3-devel to not fail on rhel-8.0 builds +- Resolves: rhbz#1615570 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.14.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Feb 03 2018 Igor Gnatenko - 0.14.0-3 +- Switch to %%ldconfig_scriptlets + +* Wed Nov 08 2017 Merlin Mathesius - 0.14.0-2 +- Cleanup spec file conditionals + +* Wed Oct 11 2017 Christophe Fergeau - 0.14.0-1 +- Update to new stable release + +* Tue Sep 26 2017 Christophe Fergeau - 0.13.91-1 +- Update to latest upstream release + +* Thu Aug 24 2017 Christophe Fergeau - 0.13.90-3 +- Add missing (new) BuildRequires, remove obsolete one + +* Thu Aug 03 2017 Fedora Release Engineering - 0.13.90-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Christophe Fergeau 0.13.90-1 +- Update to latest upstream release (0.13.90) + +* Mon Feb 06 2017 Christophe Fergeau 0.13.3-2 +- Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578 + +* Mon Nov 21 2016 Christophe Fergeau 0.13.3-1 +- Update to spice 0.13.3 + +* Fri Aug 05 2016 Christophe Fergeau - 0.13.2-1 +- Update to spice 0.13.2 + +* Tue Jun 14 2016 Peter Robinson 0.13.1-2 +- Use %%license +- Build on aarch64 + +* Wed Apr 13 2016 Christophe Fergeau 0.13.1-1 +- Update to 0.13.1 release. This is a development release, but by the + time Fedora 25 gets released, a stable 0.14.0 should be released. + +* Fri Feb 05 2016 Fedora Release Engineering - 0.12.6-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Oct 06 2015 Christophe Fergeau 0.12.6-1 +- Update to new 0.12.6 upstream release + +* Wed Jul 29 2015 Christophe Fergeau 0.12.5-9 +- Drop patch added in previous build which is no longer needed with + spice-protocol 0.12.9 (and actually is actually breaking QEMU compilation + without an additional patch) + +* Fri Jul 03 2015 Christophe Fergeau 0.12.5-8 +- Add upstream patch avoiding a regression in spice-protocol 0.12.8 which + breaks SPICE support in QEMU + +* Thu Jul 02 2015 Christophe Fergeau 0.12.5-7 +- Fix migration race condition which causes a crash when triggered + Resolves: rhbz#1238212 + +* Fri Jun 19 2015 Fedora Release Engineering - 0.12.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Aug 25 2014 Christophe Fergeau 0.12.5-5 +- Fix advertised sound playback/recording rates in public headers + Resolves: rhbz#1129961 (QEMU would need a rebuild though) + +* Mon Aug 18 2014 Fedora Release Engineering - 0.12.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 0.12.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon May 19 2014 Christophe Fergeau 0.12.5-2 +- Add missing BuildRequires in order to enable Opus support + +* Mon May 19 2014 Christophe Fergeau 0.12.5-1 +- Update to new 0.12.5 release + +* Wed Oct 30 2013 Christophe Fergeau 0.12.4-3 +- Add patch fixing CVE-2013-4282 + +* Fri Sep 13 2013 Christophe Fergeau 0.12.4-2 +- Add upstream patch fixing rhbz#995041 + +* Fri Aug 2 2013 Hans de Goede - 0.12.4-1 +- New upstream bug-fix release 0.12.4 +- Add patches from upstream git to fix sound-channel-free crash (rhbz#986407) +- Add Obsoletes for dropped spice-client sub-package + +* Thu May 23 2013 Christophe Fergeau 0.12.3-2 +- Stop building spicec, it's obsolete and superseded by remote-viewer + (part of virt-viewer) + +* Tue May 21 2013 Christophe Fergeau 0.12.3-1 +- New upstream release 0.12.3 +- Drop all patches (they were all upstreamed) + +* Mon Apr 15 2013 Hans de Goede - 0.12.2-4 +- Add fix from upstream for a crash when the guest uses RGBA (rhbz#952242) + +* Thu Mar 07 2013 Adam Jackson 0.12.2-4 +- Rebuild for new libsasl2 soname in F19 + +* Mon Jan 21 2013 Hans de Goede - 0.12.2-3 +- Add a number of misc. bug-fixes from upstream + +* Fri Dec 21 2012 Adam Tkac - 0.12.2-2 +- rebuild against new libjpeg + +* Thu Dec 20 2012 Hans de Goede - 0.12.2-1 +- New upstream release 0.12.2 + +* Fri Sep 28 2012 Hans de Goede - 0.12.0-1 +- New upstream release 0.12.0 +- Some minor spec file cleanups +- Enable building on arm + +* Thu Sep 6 2012 Soren Sandmann - 0.11.3-1 +- BuildRequire pyparsing + +* Thu Sep 6 2012 Soren Sandmann - 0.11.3-1 +- Add capability patches +- Add capability patches to the included copy of spice-protocol + + Please see the comment above Patch6 and Patch7 + regarding this situation. + +* Thu Sep 6 2012 Soren Sandmann - 0.11.3-1 +- Update to 0.11.3 and drop upstreamed patches +- BuildRequire spice-protocol 0.12.1 + +* Sat Jul 21 2012 Fedora Release Engineering - 0.10.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon May 14 2012 Alon Levy +- Fix mjpeg memory leak and bad behavior. +- Add usbredir to list of channels for security purposes. (#819484) + +* Sun May 13 2012 Alon Levy +- Add double free fix. (#808936) + +* Tue Apr 24 2012 Alon Levy +- Add 32 bit fixes from git master. (#815717) + +* Tue Feb 28 2012 Fedora Release Engineering - 0.10.1-2 +- Rebuilt for c++ ABI breakage + +* Mon Jan 23 2012 Hans de Goede - 0.10.1-1 +- New upstream release 0.10.1 + +* Sat Jan 14 2012 Fedora Release Engineering - 0.10.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 10 2011 Alon Levy - 0.10.0-1 +- New upstream release 0.10.0 +- support spice-server.i686 + +* Wed Sep 28 2011 Marc-André Lureau - 0.9.1-2 +- Provides spice-xpi-client alternative in spice-client + +* Thu Aug 25 2011 Hans de Goede - 0.9.1-1 +- New upstream release 0.9.1 + +* Mon Jul 25 2011 Marc-André Lureau - 0.9.0-1 +- New upstream release 0.9.0 + +* Wed Apr 20 2011 Hans de Goede - 0.8.1-1 +- New upstream release 0.8.1 + +* Fri Mar 11 2011 Hans de Goede - 0.8.0-2 +- Fix being unable to send ctrl+alt+key when release mouse is bound to + ctrl+alt (which can happen when used from RHEV-M) + +* Tue Mar 1 2011 Hans de Goede - 0.8.0-1 +- New upstream release 0.8.0 + +* Fri Feb 11 2011 Hans de Goede - 0.7.3-1 +- New upstream release 0.7.3 + +* Wed Feb 09 2011 Fedora Release Engineering - 0.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 19 2011 Hans de Goede - 0.7.2-1 +- New upstream release 0.7.2 + +* Fri Dec 17 2010 Hans de Goede - 0.7.1-1 +- New upstream release 0.7.1 +- Drop all patches (all upstreamed) +- Enable smartcard (CAC) support + +* Wed Nov 17 2010 Hans de Goede - 0.6.3-4 +- Fix the info layer not showing when used through the XPI +- Do not let the connection gui flash by when a hostname has been specified + on the cmdline +- Fix spice client locking up when dealing with XIM input (#654265) +- Fix modifier keys getting stuck (#655048) +- Fix spice client crashing when dealing with XIM ibus input (#655836) +- Fix spice client only showing a white screen in full screen mode + +* Sat Nov 6 2010 Hans de Goede - 0.6.3-3 +- Log to ~/.spicec/cegui.log rather then to CEGUI.log in the cwd, this + fixes spicec from aborting when run in a non writable dir (#650253) + +* Fri Nov 5 2010 Hans de Goede - 0.6.3-2 +- Various bugfixes from upstream git: + - Make spicec work together with the Firefox XPI for RHEV-M + - Make sure the spicec window gets properly raised when first shown + +* Mon Oct 18 2010 Hans de Goede - 0.6.3-1 +- Update to 0.6.3 +- Enable GUI + +* Thu Sep 30 2010 Gerd Hoffmann - 0.6.1-1 +- Update to 0.6.1. + +* Tue Aug 31 2010 Alexander Larsson - 0.6.0-1 +- Update to 0.6.0 (stable release) + +* Tue Jul 20 2010 Alexander Larsson - 0.5.3-1 +- Update to 0.5.3 + +* Tue Jul 13 2010 Gerd Hoffmann - 0.5.2-4 +- Quote %% in changelog to avoid macro expansion. + +* Mon Jul 12 2010 Gerd Hoffmann - 0.5.2-3 +- %%configure handles CFLAGS automatically, no need to fiddle + with %%{optflags} manually. + +* Mon Jul 12 2010 Gerd Hoffmann - 0.5.2-2 +- Fix license: LGPL. +- Cleanup specfile, drop bits not needed any more with + recent rpm versions (F13+). +- Use optflags as-is. +- + +* Fri Jul 9 2010 Gerd Hoffmann - 0.5.2-1 +- initial package. +