diff options
author | Matthias Maier <tamiko@gentoo.org> | 2017-07-11 22:15:39 -0500 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2017-07-11 22:24:40 -0500 |
commit | 6358afe4bc71986be333712044569acb853e110a (patch) | |
tree | cd51a80f4a2f8c54f5f0eb01dfdd4aa3e782e96f /app-emulation | |
parent | net-misc/gns3-server: revbump with gns3-gui (diff) | |
download | gentoo-6358afe4bc71986be333712044569acb853e110a.tar.gz gentoo-6358afe4bc71986be333712044569acb853e110a.tar.bz2 gentoo-6358afe4bc71986be333712044569acb853e110a.zip |
app-emulation/spice: Apply patches for CVE-2017-7506
Package-Manager: Portage-2.3.6, Repoman-2.3.2
Diffstat (limited to 'app-emulation')
4 files changed, 256 insertions, 0 deletions
diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch new file mode 100644 index 000000000000..8792395977e9 --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch @@ -0,0 +1,47 @@ +Matthias Maier <tamiko@gentoo.org> + + - Ported to 0.13.3 + + +From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor + configuration + +It was also possible for a malicious client to set +VDAgentMonitorsConfig::num_of_monitors to a number larger +than the actual size of VDAgentMOnitorsConfig::monitors. +This would lead to buffer overflows, which could allow the guest to +read part of the host memory. This might cause write overflows in the +host as well, but controlling the content of such buffers seems +complicated. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + +diff --git a/server/reds.c b/server/reds.c +index ec89105..fd1457f 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; ++ uint32_t max_monitors; + + // limit size of message sent by the client as this can cause a DoS through + // memory exhaustion, or potentially some integer overflows +@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + goto overflow; + } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); ++ // limit the monitor number to avoid buffer overflows ++ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / ++ sizeof(VDAgentMonConfig); ++ if (monitors_config->num_of_monitors > max_monitors) { ++ goto overflow; ++ } + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); + reds_client_monitors_config_cleanup(reds); diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch new file mode 100644 index 000000000000..f05e55c7354a --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch @@ -0,0 +1,30 @@ +From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor + configuration + +Avoid VDAgentMessage::size integer overflows. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + server/reds.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/server/reds.c b/server/reds.c +index ec2b6f47..656f518f 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + spice_debug("not enough data yet. %zd", cmc->offset); + return; + } ++ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { ++ goto overflow; ++ } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); + spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); +-- +2.13.0 + diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch new file mode 100644 index 000000000000..2cd186482ad9 --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch @@ -0,0 +1,75 @@ +Matthias Maier <tamiko@gentoo.org> + + - Ported to 0.13.3 + + +From 111ab38611cef5012f1565a65fa2d8a8a05cce37 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 1/3] reds: Disconnect when receiving overly big + ClientMonitorsConfig + +Total message size received from the client was unlimited. There is +a 2kiB size check on individual agent messages, but the MonitorsConfig +message can be split in multiple chunks, and the size of the +non-chunked MonitorsConfig message was never checked. This could easily +lead to memory exhaustion on the host. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + +diff --git a/server/reds.c b/server/reds.c +index 92feea1..286993b 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1077,19 +1077,35 @@ static void reds_client_monitors_config_cleanup(RedsState *reds) + static void reds_on_main_agent_monitors_config(RedsState *reds, + MainChannelClient *mcc, void *message, size_t size) + { ++ const unsigned int MAX_MONITORS = 256; ++ const unsigned int MAX_MONITOR_CONFIG_SIZE = ++ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); ++ + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + ++ // limit size of message sent by the client as this can cause a DoS through ++ // memory exhaustion, or potentially some integer overflows ++ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { ++ goto overflow; ++ } ++ + cmc->buffer_size += size; + cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); + spice_assert(cmc->buffer); + cmc->mcc = mcc; + memcpy(cmc->buffer + cmc->buffer_pos, message, size); + cmc->buffer_pos += size; ++ if (sizeof(VDAgentMessage) > cmc->buffer_size) { ++ spice_debug("not enough data yet. %d", cmc->buffer_size); ++ return; ++ } + msg_header = (VDAgentMessage *)cmc->buffer; +- if (sizeof(VDAgentMessage) > cmc->buffer_size || +- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { ++ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { ++ goto overflow; ++ } ++ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } +@@ -1097,6 +1113,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); + reds_client_monitors_config_cleanup(reds); ++ return; ++ ++overflow: ++ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); ++ red_channel_client_disconnect(RED_CHANNEL_CLIENT(mcc)); ++ reds_client_monitors_config_cleanup(reds); + } + + void reds_on_main_agent_data(RedsState *reds, MainChannelClient *mcc, void *message, size_t size) diff --git a/app-emulation/spice/spice-0.13.3-r2.ebuild b/app-emulation/spice/spice-0.13.3-r2.ebuild new file mode 100644 index 000000000000..ea5dc49692fa --- /dev/null +++ b/app-emulation/spice/spice-0.13.3-r2.ebuild @@ -0,0 +1,104 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} ) + +inherit autotools ltprune python-any-r1 readme.gentoo-r1 xdg-utils + +DESCRIPTION="SPICE server" +HOMEPAGE="http://spice-space.org/" +SRC_URI="http://spice-space.org/download/releases/${P}.tar.bz2" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~amd64 ~arm64 ~x86" +IUSE="libressl lz4 sasl smartcard static-libs gstreamer" + +# the libspice-server only uses the headers of libcacard +RDEPEND=" + >=dev-libs/glib-2.22:2[static-libs(+)?] + >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?] + media-libs/opus[static-libs(+)?] + sys-libs/zlib[static-libs(+)?] + virtual/jpeg:0=[static-libs(+)?] + >=x11-libs/pixman-0.17.7[static-libs(+)?] + !libressl? ( dev-libs/openssl:0=[static-libs(+)?] ) + libressl? ( dev-libs/libressl:0=[static-libs(+)?] ) + lz4? ( app-arch/lz4:0=[static-libs(+)?] ) + smartcard? ( >=app-emulation/libcacard-0.1.2 ) + sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] ) + gstreamer? ( + media-libs/gstreamer:1.0 + media-libs/gst-plugins-base:1.0 + )" +DEPEND="${RDEPEND} + ${PYTHON_DEPS} + >=app-emulation/spice-protocol-0.12.12 + virtual/pkgconfig + $(python_gen_any_dep ' + >=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}] + dev-python/six[${PYTHON_USEDEP}] + ') + smartcard? ( app-emulation/qemu[smartcard] )" + +PATCHES=( + "${FILESDIR}"/${PN}-0.13.3-skip_faulty_lz4_check.patch + "${FILESDIR}"/${PN}-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch + "${FILESDIR}"/${PN}-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch + "${FILESDIR}"/${PN}-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch +) + +python_check_deps() { + has_version ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]" + has_version "dev-python/six[${PYTHON_USEDEP}]" +} + +pkg_setup() { + [[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup +} + +src_prepare() { + default + + eautoreconf +} + +src_configure() { + # Prevent sandbox violations, bug #586560 + # https://bugzilla.gnome.org/show_bug.cgi?id=744134 + # https://bugzilla.gnome.org/show_bug.cgi?id=744135 + addpredict /dev + + xdg_environment_reset + + local myconf=" + $(use_enable static-libs static) + $(use_enable lz4) + $(use_with sasl) + $(use_enable smartcard) + --enable-gstreamer=$(usex gstreamer "1.0" "no") + --enable-celt051 + --disable-gui + " + econf ${myconf} +} + +src_compile() { + # Prevent sandbox violations, bug #586560 + # https://bugzilla.gnome.org/show_bug.cgi?id=744134 + # https://bugzilla.gnome.org/show_bug.cgi?id=744135 + addpredict /dev + + default +} + +src_install() { + default + use static-libs || prune_libtool_files + readme.gentoo_create_doc +} + +pkg_postinst() { + readme.gentoo_print_elog +} |