From d6522d8cd069d95f1283258a3eddb1a5e267f54b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 5 Nov 2019 14:42:09 -0500 Subject: [PATCH] import spice-0.14.2-1.el8 --- .gitignore | 4 +- .spice.metadata | 4 +- ...1-Fix-flexible-array-buffer-overflow.patch | 301 ------------------ ...by-one-error-in-group-slot-boundary-.patch | 100 ------ SOURCES/spice-0.14.0.tar.bz2.sign | 16 - SOURCES/spice-0.14.2.tar.bz2.sig | Bin 0 -> 566 bytes SPECS/spice.spec | 34 +- 7 files changed, 27 insertions(+), 432 deletions(-) delete mode 100644 SOURCES/0001-Fix-flexible-array-buffer-overflow.patch delete mode 100644 SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch delete mode 100644 SOURCES/spice-0.14.0.tar.bz2.sign create mode 100644 SOURCES/spice-0.14.2.tar.bz2.sig diff --git a/.gitignore b/.gitignore index f5eb8ca..407492b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/cfergeau-29AC6C82.keyring -SOURCES/spice-0.14.0.tar.bz2 +SOURCES/spice-0.14.2.tar.bz2 +SOURCES/victortoso-E37A484F.keyring diff --git a/.spice.metadata b/.spice.metadata index 5408cf4..f6aea0d 100644 --- a/.spice.metadata +++ b/.spice.metadata @@ -1,2 +1,2 @@ -84d3abd436c6f4e194aa3f7a58be17ec9ced0a82 SOURCES/cfergeau-29AC6C82.keyring -93e42588d1aac0a3c127ada1e5d8f40be84776a9 SOURCES/spice-0.14.0.tar.bz2 +83a93e47546d496cf2dcc3f4641db3a285044b9e SOURCES/spice-0.14.2.tar.bz2 +da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring diff --git a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch deleted file mode 100644 index 6c5eaec..0000000 --- a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch +++ /dev/null 
@@ -1,301 +0,0 @@ -From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Fri, 18 May 2018 11:41:57 +0100 -Subject: [PATCH] Fix flexible array buffer overflow - -This is kind of a DoS, possibly flexible array in the protocol -causes the network size check to be ignored due to integer overflows. - -The size of flexible array is computed as (message_end - position), -then this size is added to the number of bytes before the array and -this number is used to check if we overflow initial message. - -An example is: - - message { - uint32 dummy[2]; - uint8 data[] @end; - } LenMessage; - -which generated this (simplified remove useless code) code: - - { /* data */ - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - } - - nw_size = 8 + data__nw_size; - - /* Check if message fits in reported side */ - if (nw_size > (uintptr_t) (message_end - start)) { - return NULL; - } - -Following code: -- data__nelements == message_end - (start + 8) -- data__nw_size == data__nelements == message_end - (start + 8) -- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == - 8 + message_end - start - 8 == message_end -start -- the check for overflow is (nw_size > (message_end - start)) but - nw_size == message_end - start so the check is doing - ((message_end - start) > (message_end - start)) which is always false. - -If message_end - start < 8 then data__nelements (number of element -on the array above) computation generate an integer underflow that -later create a buffer overflow. - -Add a check to make sure that the array starts before the message ends -to avoid the overflow. - -Difference is: - diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c - --- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 - +++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 - 
@@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -5226,6 +5235,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5305,6 +5317,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5540,6 +5555,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -5594,6 +5612,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 8) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c - --- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 - +++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 - @@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -6574,6 +6583,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6670,6 +6682,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6907,6 +6922,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -6961,6 +6979,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - @@ -7559,6 +7580,9 @@ - SpiceMsgTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -7840,6 +7864,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c - --- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 - +++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 - @@ -306,6 +306,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -324,6 +327,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -1259,6 +1265,9 @@ - SpiceMsgcRecordPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - @@ -1313,6 +1322,9 @@ - SpiceMsgcRecordMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - 
@@ -1841,6 +1853,9 @@ - SpiceMsgcTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -2057,6 +2072,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - -Signed-off-by: Frediano Ziglio ---- - spice-common/python_modules/demarshal.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py -index 1ea131d..7172762 100644 ---- a/spice-common/python_modules/demarshal.py -+++ b/spice-common/python_modules/demarshal.py -@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star - writer.assign(nelements, array.size) - elif array.is_remaining_length(): - if element_type.is_fixed_nw_size(): -+ writer.error_check("%s > message_end" % item.get_position()) - if element_type.get_fixed_nw_size() == 1: - writer.assign(nelements, "message_end - %s" % item.get_position()) - else: --- -2.17.1 - diff --git a/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch deleted file mode 100644 index ad8a9aa..0000000 --- a/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Christophe Fergeau -Date: Thu, 29 Nov 2018 14:18:39 +0100 -Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check - -RedMemSlotInfo keeps an array of groups, and each group contains an -array of slots. Unfortunately, these checks are off by 1, they check -that the index is greater or equal to the number of elements in the -array, while these arrays are 0 based. The check should only check for -strictly greater than the number of elements. - -For the group array, this is not a big issue, as these memslot groups -are created by spice-server users (eg QEMU), and the group ids used to -index that array are also generated by the spice-server user, so it -should not be possible for the guest to set them to arbitrary values. - -The slot id is more problematic, as it's calculated from a QXLPHYSICAL -address, and such addresses are usually set by the guest QXL driver, so -the guest can set these to arbitrary values, including malicious values, -which are probably easy to build from the guest PCI configuration. - -This patch fixes the arrays bound check, and adds a test case for this. 
- -Signed-off-by: Christophe Fergeau ---- - server/memslot.c | 4 ++-- - server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++ - 2 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/server/memslot.c b/server/memslot.c -index 7074b43..8c59c38 100644 ---- a/server/memslot.c -+++ b/server/memslot.c -@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t - MemSlot *slot; - - *error = 0; -- if (group_id > info->num_memslots_groups) { -+ if (group_id >= info->num_memslots_groups) { - spice_critical("group_id too big"); - *error = 1; - return 0; - } - - slot_id = memslot_get_id(info, addr); -- if (slot_id > info->num_memslots) { -+ if (slot_id >= info->num_memslots) { - print_memslots(info); - spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); - *error = 1; -diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c -index 9c0c3b1..83f2083 100644 ---- a/server/tests/test-qxl-parsing.c -+++ b/server/tests/test-qxl-parsing.c -@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) - free(from_physical(qxl->u.surface_create.data)); - } - -+static void test_memslot_invalid_group_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ int error; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 0, 16, 1, &error); -+} -+ -+static void test_memslot_invalid_slot_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ int error; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error); -+} -+ -+static void test_memslot_invalid_addresses(void) -+{ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); -+ g_test_trap_assert_stderr("*group_id too big*"); -+ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); -+ g_test_trap_assert_stderr("*slot_id 1 too big*"); -+} -+ - static void test_no_issues(void) - { - RedMemSlotInfo mem_info; -@@ -262,6 +289,11 
@@ int main(int argc, char *argv[]) - { - g_test_init(&argc, &argv, NULL); - -+ /* try to use invalid memslot group/slot */ -+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); -+ - /* try to create a surface with no issues, should succeed */ - g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); - diff --git a/SOURCES/spice-0.14.0.tar.bz2.sign b/SOURCES/spice-0.14.0.tar.bz2.sign deleted file mode 100644 index 37d8fe2..0000000 --- a/SOURCES/spice-0.14.0.tar.bz2.sign +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlneAaYACgkQqdjCFCms -bIJupA//TUYdq6tx777hplIgm4q6M8Szh8XnYEvmj8UUrVWJ2Js4fRgtIRnR/u0I -Drwn2pf5QIjpfhf7EFFhyAuErG9MeiL5Z9SM2WmOgNkPfATJ7tf0VsKQjH11axip -n9atFPz6Jb6IEI56oidhySYz9Rgvicw45yEui7ncMKsST3zTQlWfI+n6Mv48dkiJ -bUYauebvEzPuG5ecaILmHreVxDLh9/SyTKOc3+F46epkyyCxPQDX7JLK/+081Z3l -jUaMlyb0GROsY43c88Lb4H0jbsLlqfUNk5ztxvplwMXOFAgrOwbrIsLaOHSwzegc -5ZknyTwbQOx8CGLS91pgqbyyRKLMrTbMYU4KDfizQIqkNKDvQUohENcKe66aeUAk -LLEvud0VVFZSg+VEm/ISU/8Rua7DSR2tcA04bQg6ei0d/QM0hpXsL7AOB+H3ha0m -vqBrz3ivfvDh17pFCpaSCuRi5DSlT5OW6nML1Pd8w+MbrJmu/757bNpdfhynDSq+ -KWmhPIChvChA0f8LfmxGXYqcfNAZ9Ss59SkFLHEaPT49TQR9jZT9jtiHre0GV4WU -RS+CmivFB7fPlONYVOJ2i8mGT9dtVf5SfHwLLgaWzUG5aDK0KSK2o21G4Ajr6bXl -yVDP2EeAjK4WsyD8AvWM3tzSbqnGryA8ErijFZCYuP+HNzrIUeE= -=ufAb ------END PGP SIGNATURE----- 
diff --git a/SOURCES/spice-0.14.2.tar.bz2.sig b/SOURCES/spice-0.14.2.tar.bz2.sig new file mode 100644 index 0000000000000000000000000000000000000000..d14583950a017bc1bf2a5d402ee97254bcb63a67 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j*6Z96qDR&P5FWpe44*%CeDdPq+N0$j)ukN^q^5SQ5! zJ>z;vPo%LA{ScgV!fzoj7O^h{#d~ig0BG71Xp#hm|7g$eqJISo$YD2z5jE++*rsPuXr5HPB40{8f`tm)P*C>?1amqs zX<->gwXS*wUS;8|;kCigTn4SLZkqT-!w5QNr*RUk?XL$wLs2}{C(0E%BS)q~Nj#%k z@|#d>GQjv9m*y-mDh5O@bUz^GDCGsuu=AtL?ku;F=CU%EBV{J@6S?mdnyhoR6>07` z=`oB#PF=(UyS85Y56eJ*p3Oy~$U-NFvpsLo!##Q5TO2?Mei-%XJ>ywXllC~n1vYkb zE`c|3?ql}fr$Q7gE3GazL;>-K^?Sav^K&-l73c~s=slOf>Hz=JeqVExKi{plv1dlj zCypecUvN@$0IIl^59GJeea{5)sVli6ZsHAy1HAAJ^nHX!+^(`)_v|cEaTZ!a9H-`) E90u+Q%m4rY literal 0 HcmV?d00001 diff --git a/SPECS/spice.spec b/SPECS/spice.spec index ddc6cd9..725f405 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,15 +1,13 @@ Name: spice -Version: 0.14.0 -Release: 7%{?dist} +Version: 0.14.2 +Release: 1%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ -URL: http://www.spice-space.org/ -Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 -Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign -Source2: cfergeau-29AC6C82.keyring -Patch1: 0001-Fix-flexible-array-buffer-overflow.patch -Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +URL: https://www.spice-space.org/ +Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 +Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sig +Source2: victortoso-E37A484F.keyring # https://bugzilla.redhat.com/show_bug.cgi?id=613529 %if 0%{?rhel} && 0%{?rhel} <= 7 
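Review bot: The first spec hunk drops `Patch1: 0001-Fix-flexible-array-buffer-overflow.patch` and `Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch` — the demarshaller bounds fix and the memslot off-by-one fix that the 0.14.0-7 changelog entry ties to CVE-2019-3813 — but nothing in the spec states that 0.14.2 carries both upstream, so an auditor of this import cannot tell whether the rebase regressed them. Both presumably landed upstream before 0.14.2, but that should be confirmed against the unpacked tarball (the `>=` group/slot checks in `server/memslot.c` and the `> message_end` error check emitted by `demarshal.py`) and recorded, e.g. `- Drop 0001/0002 backports, fixed upstream in 0.14.2`. The same hunk rotates the source-signing key from `cfergeau-29AC6C82.keyring` to `victortoso-E37A484F.keyring`; the `gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}` step that precedes %build still verifies against it, but a trust-root change deserves its own changelog line too. The changelog hunk itself ends outside this view.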
@@ -19,8 +17,8 @@ ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 %endif BuildRequires: pkgconfig -BuildRequires: glib2-devel >= 2.22 -BuildRequires: spice-protocol >= 0.12.3 +BuildRequires: glib2-devel >= 2.38 +BuildRequires: spice-protocol >= 0.14.0 BuildRequires: celt051-devel BuildRequires: opus-devel BuildRequires: pixman-devel openssl-devel libjpeg-devel @@ -76,7 +74,12 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %build %define configure_client --disable-client -%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0 +%configure \ + --enable-smartcard \ + --disable-client \ + --enable-lz4 \ + --enable-celt051 \ + --enable-gstreamer=1.0 make %{?_smp_mflags} WARN_CFLAGS='' V=1 @@ -103,6 +106,15 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog +* Fri May 17 2019 Victor Toso - 0.14.2-1 +- Update to 0.14.2 + Resolves: rhbz#1562123 + +* Fri May 10 2019 Victor Toso - 0.14.0-8 +- Fix builds on 8.1.0 branch +- Fix gating test (add bug) + Resolves: rhbz#1686518 + * Tue Dec 18 2018 Christophe Fergeau - 0.14.0-7 - Fix off-by-one error during guest-to-host memory address conversion Resolves: CVE-2019-3813