gnu: spice: Update to 0.14.0.

This is a follow-up to commit 9a187b39b7.

* gnu/packages/spice.scm (spice): Update to 0.14.0.
[source]: Remove obsolete patches. Use HTTPS URL.
[inputs]: Add orc.
[home-page]: Update to use https.
* gnu/packages/patches/spice-CVE-2016-9577.patch,
gnu/packages/patches/spice-CVE-2016-9578-1.patch,
gnu/packages/patches/spice-CVE-2016-9578-2.patch,
gnu/packages/patches/spice-CVE-2017-7506.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
This commit is contained in:
Andy Patterson 2017-12-02 17:23:27 -05:00 committed by Leo Famulari
parent 982caeab6f
commit b142756d9c
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
6 changed files with 4 additions and 274 deletions

View File

@ -1071,10 +1071,6 @@ dist_patch_DATA = \
%D%/packages/patches/slim-login.patch \
%D%/packages/patches/slurm-configure-remove-nonfree-contribs.patch \
%D%/packages/patches/sooperlooper-build-with-wx-30.patch \
%D%/packages/patches/spice-CVE-2016-9577.patch \
%D%/packages/patches/spice-CVE-2016-9578-1.patch \
%D%/packages/patches/spice-CVE-2016-9578-2.patch \
%D%/packages/patches/spice-CVE-2017-7506.patch \
%D%/packages/patches/steghide-fixes.patch \
%D%/packages/patches/superlu-dist-scotchmetis.patch \
%D%/packages/patches/swish-e-search.patch \

View File

@ -1,33 +0,0 @@
Prevent buffer overflow when reading large messages.
https://bugzilla.redhat.com/show_bug.cgi?id=1401603
https://access.redhat.com/security/cve/CVE-2016-9577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577
https://security-tracker.debian.org/tracker/CVE-2016-9577
Patch copied from upstream source repository:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3
From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 29 Nov 2016 16:46:56 +0000
Subject: main-channel: Prevent overflow reading messages from client
diff --git a/server/main_channel.c b/server/main_channel.c
index 0ecc9df..1fc3915 100644
--- a/server/main_channel.c
+++ b/server/main_channel.c
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
return reds_get_agent_data_buffer(mcc, size);
+ } else if (size > sizeof(main_chan->recv_buf)) {
+ /* message too large, caller will log a message and close the connection */
+ return NULL;
} else {
return main_chan->recv_buf;
}
--
cgit v0.10.2

View File

@ -1,33 +0,0 @@
Prevent possible DoS during protocol handshake.
https://bugzilla.redhat.com/show_bug.cgi?id=1399566
https://access.redhat.com/security/cve/CVE-2016-9578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
https://security-tracker.debian.org/tracker/CVE-2016-9578
Patch copied from upstream source repository:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:39:48 +0000
Subject: Prevent possible DoS attempts during protocol handshake
diff --git a/server/reds.c b/server/reds.c
index f40b65c..86a33d5 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
reds->peer_minor_version = header->minor_version;
- if (header->size < sizeof(SpiceLinkMess)) {
+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
spice_warning("bad size %u", header->size);
reds_link_free(link);
--
cgit v0.10.2

View File

@ -1,38 +0,0 @@
Fixes a potential buffer overflow in the protocol handling.
https://bugzilla.redhat.com/show_bug.cgi?id=1399566
https://access.redhat.com/security/cve/CVE-2016-9578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
https://security-tracker.debian.org/tracker/CVE-2016-9578
Patch copied from upstream source repository:
https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a
From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Tue, 13 Dec 2016 14:40:10 +0000
Subject: Prevent integer overflows in capability checks
diff --git a/server/reds.c b/server/reds.c
index 86a33d5..9150454 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ /* Prevent DoS. Currently we defined only 13 capabilities,
+ * I expect 1024 to be valid for quite a lot time */
+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ reds_link_free(link);
+ return;
+ }
+
num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
--
cgit v0.10.2

View File

@ -1,158 +0,0 @@
Fix CVE-2017-7506:
https://bugzilla.redhat.com/show_bug.cgi?id=1452606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506
Patches copied from Debian spice package version
'spice_0.12.8-2.1+deb9u1.debian.tar.xz':
http://security.debian.org/debian-security/pool/updates/main/s/spice/spice_0.12.8-2.1+deb9u1.debian.tar.xz
The patches had to be adapted to apply to the latest spice tarball, and
are based on these upstream commits:
https://cgit.freedesktop.org/spice/spice/commit/?id=111ab38611cef5012f1565a65fa2d8a8a05cce37
https://cgit.freedesktop.org/spice/spice/commit/?id=571cec91e71c2aae0d5f439ea2d8439d0c3d75eb
https://cgit.freedesktop.org/spice/spice/commit/?id=fbbcdad773e2791cfb988f4748faa41943551ca6
From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001
Date: Mon, 15 May 2017 15:57:28 +0100
Subject: [spice-server 1/3] reds: Disconnect when receiving overly big
ClientMonitorsConfig
Total message size received from the client was unlimited. There is
a 2kiB size check on individual agent messages, but the MonitorsConfig
message can be split in multiple chunks, and the size of the
non-chunked MonitorsConfig message was never checked. This could easily
lead to memory exhaustion on the host.
---
server/reds.c | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/server/reds.c b/server/reds.c
index f439a3668..7be85fdfc 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void)
static void reds_on_main_agent_monitors_config(
MainChannelClient *mcc, void *message, size_t size)
{
+ const unsigned int MAX_MONITORS = 256;
+ const unsigned int MAX_MONITOR_CONFIG_SIZE =
+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig);
+
VDAgentMessage *msg_header;
VDAgentMonitorsConfig *monitors_config;
RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+ // limit size of message sent by the client as this can cause a DoS through
+ // memory exhaustion, or potentially some integer overflows
+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) {
+ goto overflow;
+ }
cmc->buffer_size += size;
cmc->buffer = realloc(cmc->buffer, cmc->buffer_size);
spice_assert(cmc->buffer);
cmc->mcc = mcc;
memcpy(cmc->buffer + cmc->buffer_pos, message, size);
cmc->buffer_pos += size;
+ if (sizeof(VDAgentMessage) > cmc->buffer_size) {
+ spice_debug("not enough data yet. %d", cmc->buffer_size);
+ return;
+ }
msg_header = (VDAgentMessage *)cmc->buffer;
- if (sizeof(VDAgentMessage) > cmc->buffer_size ||
- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) {
+ goto overflow;
+ }
+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) {
spice_debug("not enough data yet. %d", cmc->buffer_size);
return;
}
@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config(
spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
red_dispatcher_client_monitors_config(monitors_config);
reds_client_monitors_config_cleanup();
+ return;
+
+overflow:
+ spice_warning("received invalid MonitorsConfig request from client, disconnecting");
+ red_channel_client_disconnect(main_channel_client_get_base(mcc));
+ reds_client_monitors_config_cleanup();
}
void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size)
--
2.13.0
From ff2b4ef70181087d5abd50bad76d026ec5088a93 Mon Sep 17 00:00:00 2001
Date: Mon, 15 May 2017 15:57:28 +0100
Subject: [spice-server 2/3] reds: Avoid integer overflows handling monitor
configuration
Avoid VDAgentMessage::size integer overflows.
---
server/reds.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/server/reds.c b/server/reds.c
index 7be85fdfc..e1c8c1086 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config(
spice_debug("not enough data yet. %d", cmc->buffer_size);
return;
}
+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) {
+ goto overflow;
+ }
monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
red_dispatcher_client_monitors_config(monitors_config);
--
2.13.0
From 8cc3d7df2792751939cc832f4110c57e2addfca5 Mon Sep 17 00:00:00 2001
Date: Mon, 15 May 2017 15:57:28 +0100
Subject: [spice-server 3/3] reds: Avoid buffer overflows handling monitor
configuration
It was also possible for a malicious client to set
VDAgentMonitorsConfig::num_of_monitors to a number larger
than the actual size of VDAgentMOnitorsConfig::monitors.
This would lead to buffer overflows, which could allow the guest to
read part of the host memory. This might cause write overflows in the
host as well, but controlling the content of such buffers seems
complicated.
---
server/reds.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/server/reds.c b/server/reds.c
index e1c8c1086..3a42c3755 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config(
VDAgentMessage *msg_header;
VDAgentMonitorsConfig *monitors_config;
RedsClientMonitorsConfig *cmc = &reds->client_monitors_config;
+ uint32_t max_monitors;
// limit size of message sent by the client as this can cause a DoS through
// memory exhaustion, or potentially some integer overflows
@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config(
goto overflow;
}
monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header));
+ // limit the monitor number to avoid buffer overflows
+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
+ sizeof(VDAgentMonConfig);
+ if (monitors_config->num_of_monitors > max_monitors) {
+ goto overflow;
+ }
spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
red_dispatcher_client_monitors_config(monitors_config);
reds_client_monitors_config_cleanup();
--
2.13.0

View File

@ -203,20 +203,15 @@ which allows users to view a desktop computing environment.")
(define-public spice
(package
(name "spice")
(version "0.12.8")
(version "0.14.0")
(source (origin
(method url-fetch)
(uri (string-append
"http://www.spice-space.org/download/releases/"
"https://www.spice-space.org/download/releases/"
"spice-" version ".tar.bz2"))
(sha256
(base32
"0za03i77j8i3g5l2np2j7vy8cqsdbkm9wbv4hjnaqq9xhz2sa0gr"))
(patches
(search-patches "spice-CVE-2017-7506.patch"
"spice-CVE-2016-9577.patch"
"spice-CVE-2016-9578-1.patch"
"spice-CVE-2016-9578-2.patch"))))
"0j5q7cp5p95jk8fp48gz76rz96lifimdsx1wnpmfal0nnnar9nrs"))))
(build-system gnu-build-system)
(propagated-inputs
`(("openssl" ,openssl)
@ -228,6 +223,7 @@ which allows users to view a desktop computing environment.")
("libjpeg-turbo" ,libjpeg-turbo)
("lz4" ,lz4)
("opus" ,opus)
("orc" ,orc)
("zlib" ,zlib)))
(native-inputs
`(("pkg-config" ,pkg-config)