import spice-0.14.2-1.el8_2.1
This commit is contained in:
CentOS Sources
parent
d6522d8cd0
commit
d9b32335c0
|
|
@ -0,0 +1,34 @@
|
|||
From d9cc2d4659950df230dfe30e5445b91d4c15604e Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <freddy77@gmail.com>
|
||||
Date: Wed, 29 Apr 2020 15:09:13 +0100
|
||||
Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
|
||||
decoding quic image
|
||||
|
||||
All paths already pass some data to quic_decode_begin but for the
|
||||
test check it, it's not that expensive test.
|
||||
Checking for not 0 is enough, all other words will potentially be
|
||||
read calling more_io_words but we need one to avoid a potential
|
||||
initial buffer overflow or deferencing an invalid pointer.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
||||
Acked-by: Uri Lublin <uril@redhat.com>
|
||||
---
|
||||
common/quic.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
|
||||
index 55a5d6c..e03f3af 100644
|
||||
--- a/subprojects/spice-common/common/quic.c
|
||||
+++ b/subprojects/spice-common/common/quic.c
|
||||
@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
|
||||
int channels;
|
||||
int bpc;
|
||||
|
||||
- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
|
||||
+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
|
||||
return QUIC_ERROR;
|
||||
}
|
||||
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
From 19cd6fe85610b424349db2d97e2dd0e2761a4a05 Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <freddy77@gmail.com>
|
||||
Date: Wed, 29 Apr 2020 15:10:24 +0100
|
||||
Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
|
||||
|
||||
Avoid some overflow in code due to images too big or
|
||||
negative numbers.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
||||
Acked-by: Uri Lublin <uril@redhat.com>
|
||||
---
|
||||
common/quic.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
|
||||
index e03f3af..890f128 100644
|
||||
--- a/subprojects/spice-common/common/quic.c
|
||||
+++ b/subprojects/spice-common/common/quic.c
|
||||
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
|
||||
#define MINwminext 1
|
||||
#define MAXwminext 100000000
|
||||
|
||||
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
|
||||
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
|
||||
+
|
||||
typedef struct QuicFamily {
|
||||
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
|
||||
unmodified GR codewords in the code */
|
||||
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
|
||||
height = encoder->io_word;
|
||||
decode_eat32bits(encoder);
|
||||
|
||||
+ if (width <= 0 || height <= 0) {
|
||||
+ encoder->usr->warn(encoder->usr, "invalid size\n");
|
||||
+ return QUIC_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ /* avoid too big images */
|
||||
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
|
||||
+ encoder->usr->error(encoder->usr, "image too large\n");
|
||||
+ }
|
||||
+
|
||||
quic_image_params(encoder, type, &channels, &bpc);
|
||||
|
||||
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From d45a4954d73b41a255b8b4ec57c01ae87ec2936e Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <freddy77@gmail.com>
|
||||
Date: Wed, 29 Apr 2020 15:11:38 +0100
|
||||
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
|
||||
|
||||
Avoid buffer overflows decoding images. On compression we compute
|
||||
lengths till end of line so it won't cause regressions.
|
||||
Proved by fuzzing the code.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
||||
Acked-by: Uri Lublin <uril@redhat.com>
|
||||
---
|
||||
common/quic_tmpl.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c
|
||||
index f0a4927..11e09f5 100644
|
||||
--- a/subprojects/spice-common/common/quic_tmpl.c
|
||||
+++ b/subprojects/spice-common/common/quic_tmpl.c
|
||||
@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
|
||||
do_run:
|
||||
state->waitcnt = stopidx - i;
|
||||
run_index = i;
|
||||
- run_end = i + decode_state_run(encoder, state);
|
||||
+ run_end = decode_state_run(encoder, state);
|
||||
+ if (run_end < 0 || run_end > (end - i)) {
|
||||
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
|
||||
+ }
|
||||
+ run_end += i;
|
||||
|
||||
for (; i < run_end; i++) {
|
||||
UNCOMPRESS_PIX_START(&cur_row[i]);
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -0,0 +1,35 @@
|
|||
From 57c6e6b00247ad289a27648213d7ad2306fe3931 Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <freddy77@gmail.com>
|
||||
Date: Thu, 30 Apr 2020 10:19:09 +0100
|
||||
Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
|
||||
find_bucket
|
||||
|
||||
Proved by fuzzing the code.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
||||
Acked-by: Uri Lublin <uril@redhat.com>
|
||||
---
|
||||
common/quic_family_tmpl.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
|
||||
index 8a5f7d2..6cc051b 100644
|
||||
--- a/subprojects/spice-common/common/quic_family_tmpl.c
|
||||
+++ b/subprojects/spice-common/common/quic_family_tmpl.c
|
||||
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
|
||||
spice_assert(val < (0x1U << BPC));
|
||||
}
|
||||
|
||||
- return channel->_buckets_ptrs[val];
|
||||
+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
|
||||
+ * attempts. Is much faster then using comparisons and save us from such situations.
|
||||
+ * Note that on normal build the check above won't be compiled as this code path
|
||||
+ * is pretty hot and would cause speed regressions.
|
||||
+ */
|
||||
+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
|
||||
}
|
||||
|
||||
#undef FNAME
|
||||
--
|
||||
2.25.4
|
||||
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
Name: spice
|
||||
Version: 0.14.2
|
||||
Release: 1%{?dist}
|
||||
Release: 1%{?dist}.1
|
||||
Summary: Implements the SPICE protocol
|
||||
Group: User Interface/Desktops
|
||||
License: LGPLv2+
|
||||
|
|
@ -8,6 +8,10 @@ URL: https://www.spice-space.org/
|
|||
Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
|
||||
Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sig
|
||||
Source2: victortoso-E37A484F.keyring
|
||||
Patch1: 0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
|
||||
Patch2: 0002-quic-Check-image-size-in-quic_decode_begin.patch
|
||||
Patch3: 0003-quic-Check-RLE-lengths.patch
|
||||
Patch4: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=613529
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 7
|
||||
|
|
@ -106,6 +110,10 @@ mkdir -p %{buildroot}%{_libexecdir}
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Sep 2 2020 Frediano Ziglio <fziglio@redhat.com> - 0.14.2-1.1
|
||||
- Fix multiple buffer overflows in QUIC decoding code
|
||||
Resolves: CVE-2020-14355
|
||||
|
||||
* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.14.2-1
|
||||
- Update to 0.14.2
|
||||
Resolves: rhbz#1562123
|
||||
|
|
|
|||
Loading…
Reference in New Issue