authorLeonardo Arena <rnalrd@alpinelinux.org>2018-11-07 14:09:37 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-11-07 14:12:42 +0000
commit4e7f2805ed301344dfc227ec46ed3db0338fdd15 (patch)
tree1c032c2cb780100887f8f2b77d21a00f48f32de1
parent8c2d71dd458536e9d5a49d021487f3e805b9d190 (diff)
main/spice: security fix (CVE-2018-10873)
Fixes #9313
-rw-r--r--main/spice/APKBUILD17
-rw-r--r--main/spice/CVE-2018-10873.patch74
2 files changed, 86 insertions, 5 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 26b9778839..3bdf73450e 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.12.8
-pkgrel=3
+pkgrel=4
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -15,11 +15,15 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
- CVE-2017-7506.patch"
+ CVE-2017-7506.patch
+ CVE-2018-10873.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 0.12.8-r4:
+# - CVE-2018-10873
# 0.12.8-r3:
# - CVE-2017-7506
@@ -54,8 +58,11 @@ server() {
}
md5sums="376853d11b9921aa34a06c4dbef81874 spice-0.12.8.tar.bz2
-47eef95ef416029b88e0d38ae9bf1c30 CVE-2017-7506.patch"
+47eef95ef416029b88e0d38ae9bf1c30 CVE-2017-7506.patch
+03d312fad101fe22230e5b4dcf5cec8d CVE-2018-10873.patch"
sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2
-ec75c6a3c8a104aef22c040d945b52ecd31735e35a3f95078da5656bfc721704 CVE-2017-7506.patch"
+ec75c6a3c8a104aef22c040d945b52ecd31735e35a3f95078da5656bfc721704 CVE-2017-7506.patch
+997390924d5e964ce89c9a8c44f064dc40a375d6dc6b120f7a0f727ae2792bc8 CVE-2018-10873.patch"
sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed spice-0.12.8.tar.bz2
-8a7387fd297aa3d59e38af650f3f12d9b89e46283e2ceaf53ca6e01db6db3c2ac0df164fde05decc4a0d8a05296d3f31195e86e383029804e91b23c84e1292a2 CVE-2017-7506.patch"
+8a7387fd297aa3d59e38af650f3f12d9b89e46283e2ceaf53ca6e01db6db3c2ac0df164fde05decc4a0d8a05296d3f31195e86e383029804e91b23c84e1292a2 CVE-2017-7506.patch
+fd6f797daa7ae9d518111c23c9b594f2ef4ccfeb3725373060668b244588681c147b9c407791a56b85e7abb438f7174a4de5a78cd3e8c90f018efb2bae9302b4 CVE-2018-10873.patch"
diff --git a/main/spice/CVE-2018-10873.patch b/main/spice/CVE-2018-10873.patch
new file mode 100644
index 0000000000..3395bab552
--- /dev/null
+++ b/main/spice/CVE-2018-10873.patch
@@ -0,0 +1,74 @@
+From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: [PATCH] Fix flexible array buffer overflow
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+ message {
+ uint32 dummy[2];
+ uint8 data[] @end;
+ } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+ { /* data */
+ data__nelements = message_end - (start + 8);
+
+ data__nw_size = data__nelements;
+ }
+
+ nw_size = 8 + data__nw_size;
+
+ /* Check if message fits in reported side */
+ if (nw_size > (uintptr_t) (message_end - start)) {
+ return NULL;
+ }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+ 8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+ nw_size == message_end - start so the check is doing
+ ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ python_modules/demarshal.py | 1 +
+ tests/test-marshallers.c | 8 ++++++++
+ tests/test-marshallers.h | 5 +++++
+ tests/test-marshallers.proto | 5 +++++
+ 4 files changed, 19 insertions(+)
+
+diff --git a/spice-commmon/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
+index 7b53361..5a237a6 100644
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -331,6 +331,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
+ writer.assign(nelements, array.size)
+ elif array.is_remaining_length():
+ if element_type.is_fixed_nw_size():
++ writer.error_check("%s > message_end" % item.get_position())
+ if element_type.get_fixed_nw_size() == 1:
+ writer.assign(nelements, "message_end - %s" % item.get_position())
+ else:
+--
+2.18.1
+
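Review bot: The embedded patch's `diff --git` header for the demarshal.py hunk names `a/spice-commmon/python_modules/demarshal.py` (three m's) while the `---`/`+++` lines below it say `spice-common`; `patch -p1` goes by the `---`/`+++` paths, so it presumably still applies, but `git apply` rejects a header whose filenames disagree, so the line should read `diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py`. Fixing that changes the file, so the md5/sha256/sha512 entries for CVE-2018-10873.patch in the APKBUILD hunk need regenerating with `abuild checksum`. The patch header's diffstat lists four files and 19 insertions (including tests/test-marshallers.*) yet only the one-line demarshal.py hunk is carried, so a reader comparing against upstream bb15d4815ab586b4c4a20f4a565970a44824c42c will take the file for truncated; either drop the stat lines or add a line such as `# Alpine: upstream test-marshallers changes omitted, only the generator fix is carried` above the first `diff --git`. Note too that demarshal.py is a code generator: the added `writer.error_check("%s > message_end" % item.get_position())` only reaches the built library if the demarshallers are regenerated during the build rather than taken pre-generated from the tarball, which is worth confirming in the build output before closing #9313. The leading indentation of the hunk's context lines appears lost in this rendering; if the committed file really lacks it, the Python hunk would not apply.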