authorDoug Goldstein <cardoe@gentoo.org>2013-07-24 14:25:32 +0000
committerDoug Goldstein <cardoe@gentoo.org>2013-07-24 14:25:32 +0000
commitde2dd8e5c14086ca084a67aaabdf3c15f8032fdb (patch)
treee3c1ec4c68861299fbd03eb85f3dcdd9391c05bd /app-emulation/spice
parentRevbump due to change in slot-operator dep, see bug 477544. (diff)
Fix CVE-2013-4130, bug #477010. Add epatch_user during the source prepare phase.
Package-Manager: portage-2.1.12.2/cvs/Linux x86_64 Manifest-Sign-Key: 0xD7DFA8D318FA9AEF!
Diffstat (limited to 'app-emulation/spice')
-rw-r--r--app-emulation/spice/ChangeLog10
-rw-r--r--app-emulation/spice/Manifest23
-rw-r--r--app-emulation/spice/files/spice-0.12.3-CVE-2013-4130.patch70
-rw-r--r--app-emulation/spice/spice-0.12.3-r1.ebuild (renamed from app-emulation/spice/spice-0.12.3.ebuild)6
4 files changed, 96 insertions, 13 deletions
diff --git a/app-emulation/spice/ChangeLog b/app-emulation/spice/ChangeLog
index 500587c2a5d3..22813a6db34a 100644
--- a/app-emulation/spice/ChangeLog
+++ b/app-emulation/spice/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for app-emulation/spice
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/spice/ChangeLog,v 1.48 2013/06/06 02:34:05 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/spice/ChangeLog,v 1.49 2013/07/24 14:25:15 cardoe Exp $
+
+*spice-0.12.3-r1 (24 Jul 2013)
+
+ 24 Jul 2013; Doug Goldstein <cardoe@gentoo.org>
+ +files/spice-0.12.3-CVE-2013-4130.patch, +spice-0.12.3-r1.ebuild,
+ -spice-0.12.3.ebuild:
+ Fix CVE-2013-4130, bug #477010. Add epatch_user during the source prepare
+ phase.
06 Jun 2013; Doug Goldstein <cardoe@gentoo.org> spice-0.12.3.ebuild:
Fix typo
diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 4abf31f7c846..76040faf5999 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -2,22 +2,23 @@
Hash: SHA256
AUX 0.11.0-gold.patch 989 SHA256 195835efd27a7f41896380b1543ed044d1e82dc501eb35932adb8730136fa2e4 SHA512 e115fcab5a87e5d54b7fd6fbef4a8dae635780410b206d8fc2a46fd52c1bb87378efc0b60fcb9f13127f713e36402b531e09579abe2390eaedf2744ff128b0d1 WHIRLPOOL 6a5574eef98bb3867442a7f9689cb620e6f74266ddc736b6a6c58bc5a795b4d7fb30a49fb49c0883608bc1db22e831c0dfb9913dfc8c96361a320c6f42e67960
+AUX spice-0.12.3-CVE-2013-4130.patch 2719 SHA256 942ec8c1d5c420f7667f220be87b1df293488dfc7ce717f3c5162f70f4014dae SHA512 2272b12b3204dc0a1403b2cd96d06e938c501a044f979594f0f18d43a36f4c3584b1aafa1a3a911c7a3326df2af2675aa437a69a10ac9d42f6ac827fb6bdc7f1 WHIRLPOOL 9719a2764a5961faa586cfc396657df50eac76e1b717da744cdc9f1b011747a3306403a99ff617b51f90ca0b525736bf5d5d6617ebfeea9fb1ff79d4c5ba6aa6
DIST spice-0.12.2.tar.bz2 1685684 SHA256 5654fac02f5568088ea01979088d539f4e95551568dd709ec197e965cf8612d5 SHA512 5381ab15568d0bbe998dfa2e4bab64ea2255664f466545c16d77708fbe8b9c4627e837c4c4d229fed501665c90b38e8c31f12ccb434f5c7e96eb89ac61bd9a9b WHIRLPOOL 6ae9fcb5b6cd89176cc657f8c19e6424c1c85624229eff7ec168db57a580680042c22e8daf43a78ccd5076568a1db91dc7a3dfcfc6b9f24380af04ab0f4e44b7
DIST spice-0.12.3.tar.bz2 1606683 SHA256 bfd65e1c466524f9469cb58764904eeec1dae27c4901c4dbd0bf1ec419048546 SHA512 92d5871cd154d863ee54657e8064f6093bd5ab47e277a1398fed46b8592f44416d6d04be2d85a4ada90d4bfb5ef94dbc618a818219023416d3f8a82acbd3009e WHIRLPOOL bd431acefde4a3dd9c2fea5fa31c1ab2e1b2a34a1021d401510cb98307f8703922015d10db09795f26d514dbd49b147cd598dca2df16c784780530ab960a181b
EBUILD spice-0.12.2.ebuild 2116 SHA256 9895ed65e11ad177fdea1ee7492e46edf4266ccdd844018b49ff8dda6b91aad0 SHA512 22d8dfff2e76ecbfe0ab2a8d56f1cb82252f40964fec9cc9d09d99f80ca9eecafdda7b95672d941fdfb77bcb58907c8f406e350ce1ef3d4854408f19c18f562f WHIRLPOOL 63bfcb92e17665cd448e0ae9518defa129fbb1f4587ce9c107120cc56a5446bcfd185f33cdf8c4ef9f9c7ca78dca353ae6d7feb397aab55d6d281e3775a6ce72
-EBUILD spice-0.12.3.ebuild 2477 SHA256 05a54eb2298c7963f40df2d67511d8f470cfa4db3c622ecd3f3797aca2990644 SHA512 1a2214dd5ae4758a49ec87c9224ff7155e20c70ee150698719e80b5692d8800fcd691261df71824d0eeed4f97096a4e1f377b7fb257d020804297426baf42978 WHIRLPOOL bd0fb855136da477ea3649737c4fe678b4de31a95a44251f6037020b5787435c9e85338d967eecab9a6642cb00bb93866fde4f6da2dd3d851feee19cacc9c518
-MISC ChangeLog 7732 SHA256 2f46b60433dafae85db9f5887a686db693f1c7a28176689d9d69cc0d35a8d902 SHA512 5b0c32c57592475c9b7709e4a57055db8b3d2366b4c8078d810ec66305a4ff563de159084ea8f5a3967bfbf8afd276077f4de0ee03cce42a9668b1c94cd9119b WHIRLPOOL 2ad6a325cc2fd7a5df22c52ce6cf31c4e7282c5c63e403e60c722b5aac1386be6831c7ee41503f7d1b1e52481d2eae992f719e1f91e3cd9a752a339c52926a71
+EBUILD spice-0.12.3-r1.ebuild 2542 SHA256 e280add9ab0ad473e48759889809f67b5e2a4d9fba9ef76a7ed808528ab254c6 SHA512 303bb36be6e066ed7258b3f8d97dd645194370405179c418d2ff8c3480d86a2e54af2fdee2eefa8849eeb5b222237b12690e581c2ac1753cc2489c67e5f07725 WHIRLPOOL e4522a7e452c884f184dbb25fe7297d0b26a949100b4bbc8613a72facf0cfd7f012ec06a4f67b527df275d00af99a653051afd4e3878833bddaa6da8831b1e5b
+MISC ChangeLog 7992 SHA256 dd8a0530464f79431d53b4556d9ec7835f65448f53f9dc4ffa31fc4b6a6ffd40 SHA512 8255d70ceff8a056cc41476bacac2de846e67ef243687c894619c5d81a8c74dcb11e8b6f648d441b6abf89205a927e5fdb168c7926dcd67191b8d5047e541597 WHIRLPOOL 53da76b6d64b041624601673e520e160d2fd3766b74515c9787a0acb8c031a6c36f46a0469c9bd98382d08767c8696a977a61c1dceaf90b4870fb4369898a7a4
MISC metadata.xml 561 SHA256 ac20a9018d473e0ac3aa7e0cb80bc542dd1a9b704b843e09a17b16b706fa339f SHA512 bb22c2e14eca34330891a56add2a39a2debc65fb0d9d037fd4b27be15adf5be2667166fff123e0e5e3cb5e201b523172737f537d2258216106c1e2dd86703bae WHIRLPOOL da950e23ccd706f068478c1e7d4de70dc3c871f9784a55af8db5061ce28ecede29e6153b6325818a301b9cab10059d380e9c93881c9df75815cd5eaa1f3c8d66
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.19 (GNU/Linux)
+Version: GnuPG v2.0.20 (GNU/Linux)
-iQF8BAEBCABmBQJRr/UgXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
+iQF8BAEBCABmBQJR7+PYXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRDMDRGNEJFMDZEQTJGRUY3NkI4MEM3NTlE
-N0RGQThEMzE4RkE5QUVGAAoJENffqNMY+prv3IoIAJUctO2xxPhd5wTs1ZJvTEqx
-pffY7jdAzZMTPxDKXrWlHQRG/mFwI072FsVd7ES9XNduIwdYA9/1W3j6qdXQZd0f
-Clxx1jtm0ehYsZ+t5Xee/KtRtMx+IzYBHWzhEWn0avw8Iv0ZzZim57gieMnEJEoj
-JutLkYQvKa75upJPzRolg61GVFaePuiRDwm4W3yz4z7O6nXjf4hBifbg6Cvi7Yeu
-AhFfoBaK+wXZFBSbEpfW1stRDgfeRhUdMzml3Xp7wNzumpW7SqbhcDPJ7d3sIWP/
-FUv+YNLppob54aPFkSppRxTcxn0d3tqqvW4NHJ9otXEmIh2N4pvSkO7gbXLwE04=
-=1Wqn
+N0RGQThEMzE4RkE5QUVGAAoJENffqNMY+prvmhUH/A7az3NOnR1kWyU8flISDZjz
+L1eUf2rdK/2PSXQxkwUEFa0e3F0ZRzJuhJ3cn9JWWgM6VIQxJQ0KlyUsq5l0PcNO
+myAyPVj9Lu8QUgPFSREmy/xkSO8288UrTSOudI9a/JAUVF6O7IJ2YnrCMAvLo1zT
+l2HlObQz1trWzz/DbKrpy6cdeEMZM6V512Bop2braRnQ+wo3mc1m+b/IOit8rZ+I
+ovBF8UNGsaJTZC4aCISIcc2XifcE8ZLaGar/uhvaag3JFpMkO8GuatB4kJETD5yI
+4ZcEnaENy2tBLpP/hI+9GojAseimh8D8P1vf4hEMqMiDf3y0HvgpM4SN0Ta1dKw=
+=S0m0
-----END PGP SIGNATURE-----
diff --git a/app-emulation/spice/files/spice-0.12.3-CVE-2013-4130.patch b/app-emulation/spice/files/spice-0.12.3-CVE-2013-4130.patch
new file mode 100644
index 000000000000..f18b40fe7707
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.12.3-CVE-2013-4130.patch
@@ -0,0 +1,70 @@
+From 53488f0275d6c8a121af49f7ac817d09ce68090d Mon Sep 17 00:00:00 2001
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Fri, 05 Jul 2013 07:11:46 +0000
+Subject: Use RING_FOREACH_SAFE in red_channel.c functions which are missing it
+
+Currently, both red_channel_pipes_add_type() and
+red_channel_pipes_add_empty_msg() use plaing RING_FOREACH() which is not
+safe versus removals from the ring within the loop body.
+
+Although it's rare, such a removal can occur in both cases. In the case
+of red_channel_pipes_add_type() we have:
+ red_channel_pipes_add_type()
+ -> red_channel_client_pipe_add_type()
+ -> red_channel_client_push()
+
+And in the case of red_channel_client_pipes_add_empty_msg() we have:
+ red_channel_client_pipes_add_empty_msg()
+ -> red_channel_client_pipe_add_empty_msg()
+ -> red_channel_client_push()
+
+But red_channel_client_push() can cause a removal from the clients ring if
+a network error occurs:
+ red_channel_client_push()
+ -> red_channel_client_send()
+ -> red_peer_handle_outgoing()
+ -> handler->cb->on_error callback
+ = red_channel_client_default_peer_on_error()
+ -> red_channel_client_disconnect()
+ -> red_channel_remove_client()
+ -> ring_remove()
+
+When this error path does occur, the assertion in RING_FOREACH()'s
+ring_next() trips, and the process containing the spice server is aborted.
+i.e. your whole VM dies, as a result of an unfortunately timed network
+error on the spice channel.
+
+Please apply.
+
+Signed-off-by: David Gibson <dgibson@redhat.com>
+---
+diff --git a/server/red_channel.c b/server/red_channel.c
+index c0b1781..8742008 100644
+--- a/server/red_channel.c
++++ b/server/red_channel.c
+@@ -1572,9 +1572,9 @@ void red_channel_client_pipe_add_type(RedChannelClient *rcc, int pipe_item_type)
+
+ void red_channel_pipes_add_type(RedChannel *channel, int pipe_item_type)
+ {
+- RingItem *link;
++ RingItem *link, *next;
+
+- RING_FOREACH(link, &channel->clients) {
++ RING_FOREACH_SAFE(link, next, &channel->clients) {
+ red_channel_client_pipe_add_type(
+ SPICE_CONTAINEROF(link, RedChannelClient, channel_link),
+ pipe_item_type);
+@@ -1593,9 +1593,9 @@ void red_channel_client_pipe_add_empty_msg(RedChannelClient *rcc, int msg_type)
+
+ void red_channel_pipes_add_empty_msg(RedChannel *channel, int msg_type)
+ {
+- RingItem *link;
++ RingItem *link, *next;
+
+- RING_FOREACH(link, &channel->clients) {
++ RING_FOREACH_SAFE(link, next, &channel->clients) {
+ red_channel_client_pipe_add_empty_msg(
+ SPICE_CONTAINEROF(link, RedChannelClient, channel_link),
+ msg_type);
+--
+cgit v0.9.0.2-2-gbebe
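Review bot: Neither rewritten loop in server/red_channel.c says why the _SAFE iterator is required, so the reason lives only in the patch description and a later cleanup could switch back to RING_FOREACH. I would put `/* the add can push and, on a network error, disconnect and unlink this client */` above each `RING_FOREACH_SAFE(link, next, &channel->clients)`. The cached `next` covers removal of the current `link` only, which matches the call chain quoted in the description, where the client being pushed to is the one removed. Whether any error path can unlink a different client is not visible here and is worth confirming. Both function bodies continue past the end of their hunks.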
diff --git a/app-emulation/spice/spice-0.12.3.ebuild b/app-emulation/spice/spice-0.12.3-r1.ebuild
index 24bf5f6b4344..f9f7cfb4c2f6 100644
--- a/app-emulation/spice/spice-0.12.3.ebuild
+++ b/app-emulation/spice/spice-0.12.3-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/spice/spice-0.12.3.ebuild,v 1.3 2013/06/06 02:34:05 cardoe Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/spice/spice-0.12.3-r1.ebuild,v 1.1 2013/07/24 14:25:15 cardoe Exp $
EAPI=5
@@ -71,6 +71,10 @@ pkg_setup() {
src_prepare() {
epatch \
"${FILESDIR}/0.11.0-gold.patch"
+
+ epatch "${FILESDIR}/${P}-CVE-2013-4130.patch"
+
+ epatch_user
}
src_configure() {
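Review bot: The added `epatch "${FILESDIR}/${P}-CVE-2013-4130.patch"` in src_prepare() has no comment recording where the patch comes from, so a later version bump cannot tell when it is safe to drop. A line such as `# CVE-2013-4130, bug #477010: upstream commit 53488f0275d6 (RING_FOREACH_SAFE in red_channel.c)` above it would do. Separately, the Manifest in this commit still lists `spice-0.12.2.ebuild`, which gets no patch. If 0.12.2 has the same loops (not visible here), it stays installable with the abort-on-network-error bug and should be patched or removed as well.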