diff options
Diffstat (limited to 'gnu/packages/patches')
| -rw-r--r-- | gnu/packages/patches/bazaar-CVE-2017-14176.patch | 166 | ||||
| -rw-r--r-- | gnu/packages/patches/clementine-use-openssl.patch | 67 | ||||
| -rw-r--r-- | gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch | 41 | ||||
| -rw-r--r-- | gnu/packages/patches/libvirt-CVE-2017-1000256.patch | 84 | ||||
| -rw-r--r-- | gnu/packages/patches/spice-CVE-2016-9577.patch | 33 | ||||
| -rw-r--r-- | gnu/packages/patches/spice-CVE-2016-9578-1.patch | 33 | ||||
| -rw-r--r-- | gnu/packages/patches/spice-CVE-2016-9578-2.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/patches/spice-CVE-2017-7506.patch | 158 |
8 files changed, 274 insertions, 346 deletions
diff --git a/gnu/packages/patches/bazaar-CVE-2017-14176.patch b/gnu/packages/patches/bazaar-CVE-2017-14176.patch new file mode 100644 index 0000000000..0e9083b97d --- /dev/null +++ b/gnu/packages/patches/bazaar-CVE-2017-14176.patch @@ -0,0 +1,166 @@ +Fix CVE-2017-14176: + +https://bugs.launchpad.net/bzr/+bug/1710979 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14176 + +Patch copied from Debian's Bazaar package version bzr_2.7.0+bzr6619-7+deb9u1: + +https://alioth.debian.org/scm/loggerhead/pkg-bazaar/bzr/2.7/revision/4204 + +Description: Prevent SSH command line options from being specified in bzr+ssh:// URLs +Bug: https://bugs.launchpad.net/brz/+bug/1710979 +Bug-Debian: https://bugs.debian.org/874429 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14176 +Forwarded: no +Author: Jelmer Vernooij <jelmer@jelmer.uk> +Last-Update: 2017-11-26 + +=== modified file 'bzrlib/tests/test_ssh_transport.py' +--- old/bzrlib/tests/test_ssh_transport.py 2010-10-07 12:45:51 +0000 ++++ new/bzrlib/tests/test_ssh_transport.py 2017-08-20 01:59:20 +0000 +@@ -22,6 +22,7 @@ + SSHCorpSubprocessVendor, + LSHSubprocessVendor, + SSHVendorManager, ++ StrangeHostname, + ) + + +@@ -161,6 +162,19 @@ + + class SubprocessVendorsTests(TestCase): + ++ def test_openssh_command_tricked(self): ++ vendor = OpenSSHSubprocessVendor() ++ self.assertEqual( ++ vendor._get_vendor_specific_argv( ++ "user", "-oProxyCommand=blah", 100, command=["bzr"]), ++ ["ssh", "-oForwardX11=no", "-oForwardAgent=no", ++ "-oClearAllForwardings=yes", ++ "-oNoHostAuthenticationForLocalhost=yes", ++ "-p", "100", ++ "-l", "user", ++ "--", ++ "-oProxyCommand=blah", "bzr"]) ++ + def test_openssh_command_arguments(self): + vendor = OpenSSHSubprocessVendor() + self.assertEqual( +@@ -171,6 +185,7 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", ++ "--", + "host", "bzr"] + ) + +@@ -184,9 +199,16 @@ + "-oNoHostAuthenticationForLocalhost=yes", + "-p", "100", + "-l", "user", +- "-s", "host", "sftp"] ++ "-s", "--", "host", "sftp"] + ) + ++ def test_openssh_command_tricked(self): ++ vendor = SSHCorpSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_sshcorp_command_arguments(self): + vendor = SSHCorpSubprocessVendor() + self.assertEqual( +@@ -209,6 +231,13 @@ + "-s", "sftp", "host"] + ) + ++ def test_lsh_command_tricked(self): ++ vendor = LSHSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_lsh_command_arguments(self): + vendor = LSHSubprocessVendor() + self.assertEqual( +@@ -231,6 +260,13 @@ + "--subsystem", "sftp", "host"] + ) + ++ def test_plink_command_tricked(self): ++ vendor = PLinkSubprocessVendor() ++ self.assertRaises( ++ StrangeHostname, ++ vendor._get_vendor_specific_argv, ++ "user", "-oProxyCommand=host", 100, command=["bzr"]) ++ + def test_plink_command_arguments(self): + vendor = PLinkSubprocessVendor() + self.assertEqual( + +=== modified file 'bzrlib/transport/ssh.py' +--- old/bzrlib/transport/ssh.py 2015-07-31 01:04:41 +0000 ++++ new/bzrlib/transport/ssh.py 2017-08-20 01:59:20 +0000 +@@ -46,6 +46,10 @@ + from paramiko.sftp_client import SFTPClient + + ++class StrangeHostname(errors.BzrError): ++ _fmt = "Refusing to connect to strange SSH hostname %(hostname)s" ++ ++ + SYSTEM_HOSTKEYS = {} + BZR_HOSTKEYS = {} + +@@ -360,6 +364,11 @@ + # tests, but beware of using PIPE which may hang due to not being read. + _stderr_target = None + ++ @staticmethod ++ def _check_hostname(arg): ++ if arg.startswith('-'): ++ raise StrangeHostname(hostname=arg) ++ + def _connect(self, argv): + # Attempt to make a socketpair to use as stdin/stdout for the SSH + # subprocess. We prefer sockets to pipes because they support +@@ -424,9 +433,9 @@ + if username is not None: + args.extend(['-l', username]) + if subsystem is not None: +- args.extend(['-s', host, subsystem]) ++ args.extend(['-s', '--', host, subsystem]) + else: +- args.extend([host] + command) ++ args.extend(['--', host] + command) + return args + + register_ssh_vendor('openssh', OpenSSHSubprocessVendor()) +@@ -439,6 +448,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x'] + if port is not None: + args.extend(['-p', str(port)]) +@@ -460,6 +470,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path] + if port is not None: + args.extend(['-p', str(port)]) +@@ -481,6 +492,7 @@ + + def _get_vendor_specific_argv(self, username, host, port, subsystem=None, + command=None): ++ self._check_hostname(host) + args = [self.executable_path, '-x', '-a', '-ssh', '-2', '-batch'] + if port is not None: + args.extend(['-P', str(port)]) + diff --git a/gnu/packages/patches/clementine-use-openssl.patch b/gnu/packages/patches/clementine-use-openssl.patch new file mode 100644 index 0000000000..1fbf3d2b8a --- /dev/null +++ b/gnu/packages/patches/clementine-use-openssl.patch @@ -0,0 +1,67 @@ +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 4022c383b..3202b8b69 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -83,6 +83,7 @@ pkg_check_modules(LIBPULSE libpulse) + pkg_check_modules(LIBXML libxml-2.0) + pkg_check_modules(SPOTIFY libspotify>=12.1.45) + pkg_check_modules(TAGLIB REQUIRED taglib>=1.6) ++pkg_check_modules(OPENSSL REQUIRED openssl) + + if (WIN32) + find_package(ZLIB REQUIRED) +@@ -381,20 +382,6 @@ if(GMOCK_INCLUDE_DIRS) + endif(GTEST_INCLUDE_DIRS) + endif(GMOCK_INCLUDE_DIRS) + +-# Use the system's sha2 if it's available. +-find_path(SHA2_INCLUDE_DIRS sha2.h) +-find_library(SHA2_LIBRARIES sha2) +-if(SHA2_LIBRARIES AND SHA2_INCLUDE_DIRS) +- message(STATUS "Using system sha2 library") +- set(USE_SYSTEM_SHA2 ON) +-else() +- message(STATUS "Using builtin sha2 library") +- set(USE_SYSTEM_SHA2 OFF) +- add_subdirectory(3rdparty/sha2) +- set(SHA2_INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sha2) +- set(SHA2_LIBRARIES sha2) +-endif() +- + # Use the system libmygpo-qt5 if a recent enough version was found + if(LIBMYGPO_QT5_FOUND) + set(MYGPOQT5_LIBRARIES ${LIBMYGPO_QT5_LIBRARIES}) +diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt +index 6e24c9726..104d044d9 100644 +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -29,7 +29,6 @@ include_directories(${LIBPROJECTM_INCLUDE_DIRS}) + include_directories(${QTSINGLEAPPLICATION_INCLUDE_DIRS}) + include_directories(${QTIOCOMPRESSOR_INCLUDE_DIRS}) + include_directories(${QXT_INCLUDE_DIRS}) +-include_directories(${SHA2_INCLUDE_DIRS}) + include_directories(${CHROMAPRINT_INCLUDE_DIRS}) + include_directories(${MYGPOQT5_INCLUDE_DIRS}) + +@@ -1223,7 +1222,7 @@ target_link_libraries(clementine_lib + libclementine-common + libclementine-tagreader + libclementine-remote +- ${SHA2_LIBRARIES} ++ ${OPENSSL_LIBRARIES} + ${TAGLIB_LIBRARIES} + ${MYGPOQT5_LIBRARIES} + ${CHROMAPRINT_LIBRARIES} +diff --git a/src/core/utilities.cpp b/src/core/utilities.cpp +index ce76f22da..80bf623fb 100644 +--- a/src/core/utilities.cpp ++++ b/src/core/utilities.cpp +@@ -52,7 +52,7 @@ + #include "config.h" + #include "timeconstants.h" + +-#include "sha2.h" ++#include <openssl/sha.h> + + #if defined(Q_OS_UNIX) + #include <sys/statvfs.h> diff --git a/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch new file mode 100644 index 0000000000..c457d592cc --- /dev/null +++ b/gnu/packages/patches/libmygpo-qt-fix-jsoncreatortest.patch @@ -0,0 +1,41 @@ +From ebe2323727f8d646590245b0bf06dbc92b5808d6 Mon Sep 17 00:00:00 2001 +From: Golubev Alexander <fatzer2@gmail.com> +Date: Tue, 20 Sep 2016 15:33:30 +0400 +Subject: [PATCH] JsonCreatorTest failed due to extra space + +JsonCreatorTest failed with next message: +``` +********* Start testing of mygpo::JsonCreatorTest ********* +Config: Using QTest library 4.8.6, Qt 4.8.6 +PASS : mygpo::JsonCreatorTest::initTestCase() +PASS : mygpo::JsonCreatorTest::testAddRemoveSubsToJSON() +PASS : mygpo::JsonCreatorTest::testSaveSettingsToJSON() +FAIL! : mygpo::JsonCreatorTest::testEpisodeActionListToJSON() Compared values are not the same + Actual (outString2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http://podcast.url","timestamp":"1998-01-01T00:01:02"},{"action":"delete","device":"device3","episode":"http://episode2.url","podcast":"http://podcast2.url","timestamp":"1920-01-01T12:01:02"},{"action":"new","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1998-01-01T00:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","timestamp":"1920-01-01T12:01:02"},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":123,"started":10,"timestamp":"1998-01-01T00:01:02","total":321},{"action":"play","device":"foodev","episode":"http://www.podtrac.com","podcast":"http://leo.am","position":10,"timestamp":"1998-01-01T00:01:02"}] + Expected (expected2): [{"action":"download","device":"device1","episode":"http://episode.url","podcast":"http: + Loc: [/var/tmp/portage/media-libs/libmygpo-qt-1.0.9-r1/work/libmygpo-qt-1.0.9/tests/JsonCreatorTest.cpp(138)] +PASS : mygpo::JsonCreatorTest::testRenameDeviceStringToJSON() +PASS : mygpo::JsonCreatorTest::testDeviceSynchronizationListsToJSON() +PASS : mygpo::JsonCreatorTest::cleanupTestCase() +Totals: 6 passed, 1 failed, 0 skipped +********* Finished testing of mygpo::JsonCreatorTest ********* +``` + +This was caused by extra space in the expected string. +--- + tests/JsonCreatorTest.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/JsonCreatorTest.cpp b/tests/JsonCreatorTest.cpp +index b15b006..feb03d5 100644 +--- a/tests/JsonCreatorTest.cpp ++++ b/tests/JsonCreatorTest.cpp +@@ -133,7 +133,7 @@ void JsonCreatorTest::testEpisodeActionListToJSON() + + output = JsonCreator::episodeActionListToJSON(episodeActions); + QString outString2 = QString::fromLatin1( output ).replace( QLatin1String(" "), QLatin1String("") ); +- QString expected2( QLatin1String( "[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\" },{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) ); ++ QString expected2( QLatin1String( "[{\"action\":\"download\",\"device\":\"device1\",\"episode\":\"http://episode.url\",\"podcast\":\"http://podcast.url\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"delete\",\"device\":\"device3\",\"episode\":\"http://episode2.url\",\"podcast\":\"http://podcast2.url\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"new\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1998-01-01T00:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"timestamp\":\"1920-01-01T12:01:02\"},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":123,\"started\":10,\"timestamp\":\"1998-01-01T00:01:02\",\"total\":321},{\"action\":\"play\",\"device\":\"foodev\",\"episode\":\"http://www.podtrac.com\",\"podcast\":\"http://leo.am\",\"position\":10,\"timestamp\":\"1998-01-01T00:01:02\"}]" ) ); + + QCOMPARE(outString2, expected2 ); + } diff --git a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch b/gnu/packages/patches/libvirt-CVE-2017-1000256.patch deleted file mode 100644 index d577e1eb50..0000000000 --- a/gnu/packages/patches/libvirt-CVE-2017-1000256.patch +++ /dev/null @@ -1,84 +0,0 @@ -Fix CVE-2017-1000256: - -https://security.libvirt.org/2017/0002.html -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000256 - -Patch copied from upstream source repository: - -https://libvirt.org/git/?p=libvirt.git;a=commit;h=dc6c41798d1eb5c52c75365ffa22f7672709dfa7 - -From dc6c41798d1eb5c52c75365ffa22f7672709dfa7 Mon Sep 17 00:00:00 2001 -From: Daniel P. Berrange <berrange@redhat.com> -Date: Thu, 5 Oct 2017 17:54:28 +0100 -Subject: [PATCH] qemu: ensure TLS clients always verify the server certificate - -The default_tls_x509_verify (and related) parameters in qemu.conf -control whether the QEMU TLS servers request & verify certificates -from clients. This works as a simple access control system for -servers by requiring the CA to issue certs to permitted clients. -This use of client certificates is disabled by default, since it -requires extra work to issue client certificates. - -Unfortunately the code was using this configuration parameter when -setting up both TLS clients and servers in QEMU. The result was that -TLS clients for character devices and disk devices had verification -turned off, meaning they would ignore errors while validating the -server certificate. - -This allows for trivial MITM attacks between client and server, -as any certificate returned by the attacker will be accepted by -the client. - -This is assigned CVE-2017-1000256 / LSN-2017-0002 - -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> -(cherry picked from commit 441d3eb6d1be940a67ce45a286602a967601b157) ---- - src/qemu/qemu_command.c | 2 +- - .../qemuxml2argv-serial-tcp-tlsx509-chardev.args | 2 +- - ...xml2argv-serial-tcp-tlsx509-secret-chardev.args | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c -index 9a27987..ae78cd1 100644 ---- a/src/qemu/qemu_command.c -+++ b/src/qemu/qemu_command.c -@@ -718,7 +718,7 @@ qemuBuildTLSx509BackendProps(const char *tlspath, - if (virJSONValueObjectCreate(propsret, - "s:dir", path, - "s:endpoint", (isListen ? "server": "client"), -- "b:verify-peer", verifypeer, -+ "b:verify-peer", (isListen ? verifypeer : true), - NULL) < 0) - goto cleanup; - -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -index 5aff773..ab5f7e2 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-chardev.args -@@ -26,7 +26,7 @@ server,nowait \ - localport=1111 \ - -device isa-serial,chardev=charserial0,id=serial0 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no \ -+endpoint=client,verify-peer=yes \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ -diff --git a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -index 91f1fe0..2567abb 100644 ---- a/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -+++ b/tests/qemuxml2argvdata/qemuxml2argv-serial-tcp-tlsx509-secret-chardev.args -@@ -31,7 +31,7 @@ localport=1111 \ - data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\ - keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \ - -object tls-creds-x509,id=objcharserial1_tls0,dir=/etc/pki/libvirt-chardev,\ --endpoint=client,verify-peer=no,passwordid=charserial1-secret0 \ -+endpoint=client,verify-peer=yes,passwordid=charserial1-secret0 \ - -chardev socket,id=charserial1,host=127.0.0.1,port=5555,\ - tls-creds=objcharserial1_tls0 \ - -device isa-serial,chardev=charserial1,id=serial1 \ --- -1.7.1 - diff --git a/gnu/packages/patches/spice-CVE-2016-9577.patch b/gnu/packages/patches/spice-CVE-2016-9577.patch deleted file mode 100644 index a2cb558cd3..0000000000 --- a/gnu/packages/patches/spice-CVE-2016-9577.patch +++ /dev/null @@ -1,33 +0,0 @@ -Prevent buffer overflow when reading large messages. - -https://bugzilla.redhat.com/show_bug.cgi?id=1401603 -https://access.redhat.com/security/cve/CVE-2016-9577 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577 -https://security-tracker.debian.org/tracker/CVE-2016-9577 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 - -From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 29 Nov 2016 16:46:56 +0000 -Subject: main-channel: Prevent overflow reading messages from client - -diff --git a/server/main_channel.c b/server/main_channel.c -index 0ecc9df..1fc3915 100644 ---- a/server/main_channel.c -+++ b/server/main_channel.c -@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, - - if (type == SPICE_MSGC_MAIN_AGENT_DATA) { - return reds_get_agent_data_buffer(mcc, size); -+ } else if (size > sizeof(main_chan->recv_buf)) { -+ /* message too large, caller will log a message and close the connection */ -+ return NULL; - } else { - return main_chan->recv_buf; - } --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2016-9578-1.patch b/gnu/packages/patches/spice-CVE-2016-9578-1.patch deleted file mode 100644 index f86cdb4eb1..0000000000 --- a/gnu/packages/patches/spice-CVE-2016-9578-1.patch +++ /dev/null @@ -1,33 +0,0 @@ -Prevent possible DoS during protocol handshake. - -https://bugzilla.redhat.com/show_bug.cgi?id=1399566 -https://access.redhat.com/security/cve/CVE-2016-9578 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578 -https://security-tracker.debian.org/tracker/CVE-2016-9578 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a - -From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 13 Dec 2016 14:39:48 +0000 -Subject: Prevent possible DoS attempts during protocol handshake - -diff --git a/server/reds.c b/server/reds.c -index f40b65c..86a33d5 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) - - reds->peer_minor_version = header->minor_version; - -- if (header->size < sizeof(SpiceLinkMess)) { -+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ -+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { - reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); - spice_warning("bad size %u", header->size); - reds_link_free(link); --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2016-9578-2.patch b/gnu/packages/patches/spice-CVE-2016-9578-2.patch deleted file mode 100644 index 76f7ec7ffb..0000000000 --- a/gnu/packages/patches/spice-CVE-2016-9578-2.patch +++ /dev/null @@ -1,38 +0,0 @@ -Fixes a potential buffer overflow in the protocol handling. - -https://bugzilla.redhat.com/show_bug.cgi?id=1399566 -https://access.redhat.com/security/cve/CVE-2016-9578 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578 -https://security-tracker.debian.org/tracker/CVE-2016-9578 - -Patch copied from upstream source repository: - -https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a - -From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 13 Dec 2016 14:40:10 +0000 -Subject: Prevent integer overflows in capability checks - -diff --git a/server/reds.c b/server/reds.c -index 86a33d5..9150454 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) - link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); - link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); - -+ /* Prevent DoS. Currently we defined only 13 capabilities, -+ * I expect 1024 to be valid for quite a lot time */ -+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { -+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); -+ reds_link_free(link); -+ return; -+ } -+ - num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; - caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); - --- -cgit v0.10.2 - diff --git a/gnu/packages/patches/spice-CVE-2017-7506.patch b/gnu/packages/patches/spice-CVE-2017-7506.patch deleted file mode 100644 index 37d8f02831..0000000000 --- a/gnu/packages/patches/spice-CVE-2017-7506.patch +++ /dev/null @@ -1,158 +0,0 @@ -Fix CVE-2017-7506: - -https://bugzilla.redhat.com/show_bug.cgi?id=1452606 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506 - -Patches copied from Debian spice package version -'spice_0.12.8-2.1+deb9u1.debian.tar.xz': -http://security.debian.org/debian-security/pool/updates/main/s/spice/spice_0.12.8-2.1+deb9u1.debian.tar.xz - -The patches had to be adapted to apply to the latest spice tarball, and -are based on these upstream commits: - -https://cgit.freedesktop.org/spice/spice/commit/?id=111ab38611cef5012f1565a65fa2d8a8a05cce37 -https://cgit.freedesktop.org/spice/spice/commit/?id=571cec91e71c2aae0d5f439ea2d8439d0c3d75eb -https://cgit.freedesktop.org/spice/spice/commit/?id=fbbcdad773e2791cfb988f4748faa41943551ca6 - -From 257f69d619fed407493156c8a7b952abc8a51314 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 1/3] reds: Disconnect when receiving overly big - ClientMonitorsConfig - -Total message size received from the client was unlimited. There is -a 2kiB size check on individual agent messages, but the MonitorsConfig -message can be split in multiple chunks, and the size of the -non-chunked MonitorsConfig message was never checked. This could easily -lead to memory exhaustion on the host. - ---- - server/reds.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/server/reds.c b/server/reds.c -index f439a3668..7be85fdfc 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void) - static void reds_on_main_agent_monitors_config( - MainChannelClient *mcc, void *message, size_t size) - { -+ const unsigned int MAX_MONITORS = 256; -+ const unsigned int MAX_MONITOR_CONFIG_SIZE = -+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); -+ - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; - -+ // limit size of message sent by the client as this can cause a DoS through -+ // memory exhaustion, or potentially some integer overflows -+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { -+ goto overflow; -+ } - cmc->buffer_size += size; - cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); - spice_assert(cmc->buffer); - cmc->mcc = mcc; - memcpy(cmc->buffer + cmc->buffer_pos, message, size); - cmc->buffer_pos += size; -+ if (sizeof(VDAgentMessage) > cmc->buffer_size) { -+ spice_debug("not enough data yet. %d", cmc->buffer_size); -+ return; -+ } - msg_header = (VDAgentMessage *)cmc->buffer; -- if (sizeof(VDAgentMessage) > cmc->buffer_size || -- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { -+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { -+ goto overflow; -+ } -+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config( - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); -+ return; -+ -+overflow: -+ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); -+ red_channel_client_disconnect(main_channel_client_get_base(mcc)); -+ reds_client_monitors_config_cleanup(); - } - - void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size) --- -2.13.0 -From ff2b4ef70181087d5abd50bad76d026ec5088a93 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 2/3] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - ---- - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index 7be85fdfc..e1c8c1086 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config( - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { -+ goto overflow; -+ } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); --- -2.13.0 -From 8cc3d7df2792751939cc832f4110c57e2addfca5 Mon Sep 17 00:00:00 2001 -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [spice-server 3/3] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - ---- - server/reds.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index e1c8c1086..3a42c3755 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config( - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; -+ uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config( - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+ // limit the monitor number to avoid buffer overflows -+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+ if (monitors_config->num_of_monitors > max_monitors) { -+ goto overflow; -+ } - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); --- -2.13.0 |