Update to latest upstream release (0.13.90)
This commit is contained in:
Christophe Fergeau
parent
ce94aca9f4
commit
e155d36012
@ -1,56 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <fziglio@redhat.com>
|
||||
Date: Tue, 13 Dec 2016 14:39:48 +0000
|
||||
Subject: [spice-server] Prevent possible DoS attempts during protocol
|
||||
handshake
|
||||
|
||||
The limit for link message is specified using a 32 bit unsigned integer.
|
||||
This could cause possible DoS due to excessive memory allocations and
|
||||
some possible crashes.
|
||||
For instance a value >= 2^31 causes a spice_assert to be triggered in
|
||||
async_read_handler (reds-stream.c) due to an integer overflow at this
|
||||
line:
|
||||
|
||||
int n = async->end - async->now;
|
||||
|
||||
This could be easily triggered with a program like
|
||||
|
||||
#!/usr/bin/env python
|
||||
|
||||
import socket
|
||||
import time
|
||||
from struct import pack
|
||||
|
||||
server = '127.0.0.1'
|
||||
port = 5900
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((server, port))
|
||||
data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
|
||||
s.send(data)
|
||||
|
||||
time.sleep(1)
|
||||
|
||||
without requiring any authentication (the same can be done
|
||||
with TLS).
|
||||
|
||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
||||
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
---
|
||||
server/reds.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/server/reds.c b/server/reds.c
|
||||
index 8ef4efe..e7ebc43 100644
|
||||
--- a/server/reds.c
|
||||
+++ b/server/reds.c
|
||||
@@ -2270,7 +2270,8 @@ static void reds_handle_read_header_done(void *opaque)
|
||||
return;
|
||||
}
|
||||
|
||||
- if (header->size < sizeof(SpiceLinkMess)) {
|
||||
+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
|
||||
+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
|
||||
reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
|
||||
spice_warning("bad size %u", header->size);
|
||||
reds_link_free(link);
|
||||
@ -1,38 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <fziglio@redhat.com>
|
||||
Date: Tue, 13 Dec 2016 14:40:10 +0000
|
||||
Subject: [spice-server] Prevent integer overflows in capability checks
|
||||
|
||||
The limits for capabilities are specified using 32 bit unsigned integers.
|
||||
This could cause possible integer overflows causing buffer overflows.
|
||||
For instance the sum of num_common_caps and num_caps can be 0 avoiding
|
||||
additional checks.
|
||||
As the link message is now capped to 4096 and the capabilities are
|
||||
contained in the link message limit the capabilities to 1024
|
||||
(capabilities are expressed in number of uint32_t items).
|
||||
|
||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
||||
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
---
|
||||
server/reds.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/server/reds.c b/server/reds.c
|
||||
index e7ebc43..953a95a 100644
|
||||
--- a/server/reds.c
|
||||
+++ b/server/reds.c
|
||||
@@ -2186,6 +2186,14 @@ static void reds_handle_read_link_done(void *opaque)
|
||||
link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
|
||||
link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
|
||||
|
||||
+ /* Prevent DoS. Currently we defined only 13 capabilities,
|
||||
+ * I expect 1024 to be valid for quite a lot time */
|
||||
+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
|
||||
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
|
||||
+ reds_link_free(link);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
|
||||
caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Frediano Ziglio <fziglio@redhat.com>
|
||||
Date: Tue, 29 Nov 2016 16:46:56 +0000
|
||||
Subject: [spice-server] main-channel: Prevent overflow reading messages from
|
||||
client
|
||||
|
||||
Caller is supposed the function return a buffer able to store
|
||||
size bytes.
|
||||
|
||||
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
|
||||
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
|
||||
---
|
||||
server/main-channel.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/server/main-channel.c b/server/main-channel.c
|
||||
index 24dd448..1124506 100644
|
||||
--- a/server/main-channel.c
|
||||
+++ b/server/main-channel.c
|
||||
@@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
|
||||
|
||||
if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
|
||||
return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size);
|
||||
+ } else if (size > sizeof(main_chan->recv_buf)) {
|
||||
+ /* message too large, caller will log a message and close the connection */
|
||||
+ return NULL;
|
||||
} else {
|
||||
return main_chan->recv_buf;
|
||||
}
|
||||
4
sources
4
sources
@ -1,2 +1,2 @@
|
||||
81113782704848d3afefa43bb93f2184 spice-0.13.3.tar.bz2
|
||||
20b09cd89cda0d824dfd73f0301c4ac6 spice-0.13.3.tar.bz2.sign
|
||||
SHA512 (spice-0.13.90.tar.bz2) = a5a6ab328a2d3cb405ead6eef40a1b896432f35accf1f8b015fc9deadcc4e5eb5f6d8d575a94fa3b2505e206986887badecf721ab015efd88dad174d7340c01c
|
||||
SHA512 (spice-0.13.90.tar.bz2.sign) = dd0cd5df5689db3f67bc136024091211e4d4a0b825bd490b6ec6033f5c83e22546225f9d891e432ab48ab8cb89dce3a6069b0fd3ed6a8af987f9e6e6619632ca
|
||||
|
||||
10
spice.spec
10
spice.spec
@ -1,6 +1,6 @@
|
||||
Name: spice
|
||||
Version: 0.13.3
|
||||
Release: 2%{?dist}
|
||||
Version: 0.13.90
|
||||
Release: 1%{?dist}
|
||||
Summary: Implements the SPICE protocol
|
||||
Group: User Interface/Desktops
|
||||
License: LGPLv2+
|
||||
@ -8,9 +8,6 @@ URL: http://www.spice-space.org/
|
||||
Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
|
||||
Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
|
||||
Source2: cfergeau-29AC6C82.keyring
|
||||
Patch1: 0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
|
||||
Patch2: 0002-Prevent-integer-overflows-in-capability-checks.patch
|
||||
Patch3: 0003-main-channel-Prevent-overflow-reading-messages-from-.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=613529
|
||||
%if 0%{?rhel}
|
||||
@ -102,6 +99,9 @@ mkdir -p %{buildroot}%{_libexecdir}
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 26 2017 Christophe Fergeau <cfergeau@redhat.com> 0.13.90-1
|
||||
- Update to latest upstream release (0.13.90)
|
||||
|
||||
* Mon Feb 06 2017 Christophe Fergeau <cfergeau@redhat.com> 0.13.3-2
|
||||
- Add upstream patches fixing CVE-2016-9577 and CVE-2016-9578
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user