authorNatanael Copa <ncopa@alpinelinux.org>2014-05-27 08:50:42 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-10-13 13:37:31 +0000
commit7ed15a61f657f577c4cf0eb5b6e428017553a149 (patch)
tree1db9e1c6e721eff41914a3b5aea9c936bdee0574
parentd6861bab718ded8dd45f7b27b69ff4beafcccb20 (diff)
main/spice: security upgrade to 0.12.6
-rw-r--r--main/spice/APKBUILD31
-rw-r--r--main/spice/CVE-2013-4282.patch104
-rw-r--r--main/spice/cstdarg.patch10
3 files changed, 8 insertions, 137 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 06e548e726..3bff95adaa 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
-pkgver=0.12.4
-pkgrel=1
+pkgver=0.12.6
+pkgrel=0
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -11,18 +11,16 @@ depends=""
depends_dev="spice-protocol pixman-dev celt051-dev openssl-dev libxinerama-dev"
makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
cyrus-sasl-dev libxfixes-dev python-dev bash cegui06-dev py-parsing
- glib-dev"
+ py-six glib-dev"
install=""
-subpackages="$pkgname-dev $pkgname-server $pkgname-client"
+subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
- cstdarg.patch
- CVE-2013-4282.patch"
+ "
_builddir="$srcdir"/spice-$pkgver
prepare() {
local i
cd "$_builddir"
- update_config_sub || return 1
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
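Review bot: Removing `CVE-2013-4282.patch` from `source=` means the ticket-decryption overflow fix now has to come from the 0.12.6 tarball, and nothing in the APKBUILD records that this was checked or which issues the "security upgrade" addresses. A comment above `source=` such as `# CVE-2013-4282 fixed upstream as of <version>; 0.12.6 fixes <CVE ids>` would let a later auditor confirm coverage without re-reading upstream history. Dropping `$pkgname-client` from `subpackages=` also appears to leave an already installed spice-client at 0.12.4 with no upgrade path, so the removal may be worth calling out for users. The closing quote now left alone on its own line could be folded into the URL line. `prepare()` continues past the end of this hunk.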
@@ -45,7 +43,6 @@ build() {
--disable-smartcard \
|| return 1
make -C spice-common WARN_CFLAGS='' || return 1
- make -C client WARN_CFLAGS='' || return 1
make WARN_CFLAGS='' || return 1
}
@@ -61,18 +58,6 @@ server() {
mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}
-client() {
- pkgdesc="SPICE client"
- mkdir -p "$subpkgdir"/usr/bin
- mv "$pkgdir"/usr/bin/spicec "$subpkgdir"/usr/bin/
-}
-
-md5sums="325b1c42ce24e75de45a75876b73a8bd spice-0.12.4.tar.bz2
-3e61fdc18bf201a2b54b332fdbe2912e cstdarg.patch
-24a1648e7c684b4444d7921b5534767e CVE-2013-4282.patch"
-sha256sums="cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387 spice-0.12.4.tar.bz2
-bc2219f68ed701e74a02c5196c934bb3e6fbf5813005f39e41e911668e0e622c cstdarg.patch
-9f50c3435726f296cfa1aa5417d857289f0d2001b59b7f698a3b293b91dbaf1d CVE-2013-4282.patch"
-sha512sums="9867c2ace6205b606eef4a04a7e1fa0533c8d419cbb063edf4ded12db24f76237487d3e9dd57dec0f5b952eef399aa395d8591e2d82cab4d13e0d3ce6c7fba74 spice-0.12.4.tar.bz2
-040f4104d9658465cb2ffa72101f958341497898d86ee82bdf31bd65e5f3497822be4b9b3e9eca2a9b965385481190a2fb4ca5fb26b89391ab1598fc23d300c9 cstdarg.patch
-eaa097ee1ee692e406d911723549c383fa2ddc5de37e93afef7024d928ea2e715ac9034e5cef367d4a3a0aeae8d7edd3a4f059a82987df9960a66a7117746283 CVE-2013-4282.patch"
+md5sums="605a8c8ea80bc95076c4b3539c6dd026 spice-0.12.6.tar.bz2"
+sha256sums="f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6 spice-0.12.6.tar.bz2"
+sha512sums="877d9c447a09055c61db7839ae1a2bbd97ab1178d8fd30fff83883064f8a2f269479649e696732095833ed3fda2d0cc0cbe2a420decb89d36d2cf2f18ad9a3db spice-0.12.6.tar.bz2"
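Review bot: The new checksums pin a tarball that `source=` still fetches over plain `http://`, so the integrity of this security update rests entirely on these hashes having been computed from a genuine download. It would help to record how the tarball was verified, for example against an upstream signature or published checksum if one exists, in the commit message or in a comment such as `# tarball verified against upstream <signature/checksum>`. The `md5sums` list adds no assurance beyond `sha256sums` and `sha512sums`; whether it can be dropped depends on what the abuild version in use requires. `server()` starts before this hunk.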
diff --git a/main/spice/CVE-2013-4282.patch b/main/spice/CVE-2013-4282.patch
deleted file mode 100644
index 3dfa1c8f2f..0000000000
--- a/main/spice/CVE-2013-4282.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
-From: Christophe Fergeau <cfergeau@redhat.com>
-Date: Fri, 23 Aug 2013 09:29:44 +0000
-Subject: Fix buffer overflow when decrypting client SPICE ticket
-
-reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
-password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
-RSA_private_decrypt which we call for the decryption expects the
-destination buffer to be at least RSA_size(link->tiTicketing.rsa)
-bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
-is 60 while RSA_size() is 128, so we end up overflowing 'password'
-when using long passwords (this was reproduced using the string:
-'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
-as a password).
-
-When the overflow occurs, QEMU dies with:
-*** stack smashing detected ***: qemu-system-x86_64 terminated
-
-This commit ensures we use a corectly sized 'password' buffer,
-and that it's correctly nul-terminated so that we can use strcmp
-instead of strncmp. To keep using strncmp, we'd need to figure out
-which one of 'password' and 'taTicket.password' is the smaller buffer,
-and use that size.
-
-This fixes rhbz#999839
----
-diff --git a/server/reds.c b/server/reds.c
-index 892d247..2a0002b 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
- static void reds_handle_ticket(void *opaque)
- {
- RedLinkInfo *link = (RedLinkInfo *)opaque;
-- char password[SPICE_MAX_PASSWORD_LENGTH];
-+ char *password;
- time_t ltime;
-+ int password_size;
-
- //todo: use monotonic time
- time(&ltime);
-- RSA_private_decrypt(link->tiTicketing.rsa_size,
-- link->tiTicketing.encrypted_ticket.encrypted_data,
-- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
-+ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
-+ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
-+ "SPICE ticket sent from client may be truncated",
-+ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
-+ }
-+
-+ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
-+ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
-+ link->tiTicketing.encrypted_ticket.encrypted_data,
-+ (unsigned char *)password,
-+ link->tiTicketing.rsa,
-+ RSA_PKCS1_OAEP_PADDING);
-+ if (password_size == -1) {
-+ spice_warning("failed to decrypt RSA encrypted password: %s",
-+ ERR_error_string(ERR_get_error(), NULL));
-+ goto error;
-+ }
-+ password[password_size] = '\0';
-
- if (ticketing_enabled && !link->skip_auth) {
- int expired = taTicket.expiration_time < ltime;
-
- if (strlen(taTicket.password) == 0) {
-- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
- spice_warning("Ticketing is enabled, but no password is set. "
-- "please set a ticket first");
-- reds_link_free(link);
-- return;
-+ "please set a ticket first");
-+ goto error;
- }
-
-- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
-+ if (expired || strcmp(password, taTicket.password) != 0) {
- if (expired) {
- spice_warning("Ticket has expired");
- } else {
- spice_warning("Invalid password");
- }
-- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
-- reds_link_free(link);
-- return;
-+ goto error;
- }
- }
-
- reds_handle_link(link);
-+ goto end;
-+
-+error:
-+ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
-+ reds_link_free(link);
-+
-+end:
-+ g_free(password);
- }
-
- static inline void async_read_clear_handlers(AsyncRead *obj)
---
-cgit v0.9.0.2-2-gbebe
diff --git a/main/spice/cstdarg.patch b/main/spice/cstdarg.patch
deleted file mode 100644
index 7a16dc579c..0000000000
--- a/main/spice/cstdarg.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- ./client/common.h.orig
-+++ ./client/common.h
-@@ -39,6 +39,7 @@
- #include <exception>
- #include <list>
- #include <string.h>
-+#include <cstdarg>
-
- #ifdef WIN32
- #ifdef __GNUC__