main/spice: security fix (CVE-2019-3813)

Fixes #9943 Disable test-qxl-parsing failing on armv7 and ppc64le due to CVE fix
author: Leonardo Arena <rnalrd@alpinelinux.org> 2019-01-30 16:04:13 +0000
committer: Leonardo Arena <rnalrd@alpinelinux.org> 2019-01-31 12:47:33 +0000
commit: 298d6f5b5993500c896213f6961102423cde08dc (patch)
tree: c833a4fc4f65bca893755498076aa237c9b41dc3
parent: 3629c9dc90b9eab8a91378b33634ae9b19f9e0b0 (diff)
download: aports-298d6f5b5993500c896213f6961102423cde08dc.tar.bz2
aports-298d6f5b5993500c896213f6961102423cde08dc.tar.xz
3 files changed, 363 insertions, 2 deletions
diff --git a/main/spice/0001-Disable-failing-tests-on-some-arches.patch b/main/spice/0001-Disable-failing-tests-on-some-arches.patch
new file mode 100644
index 0000000000..21a081eaf7
--- /dev/null
+++ b/main/spice/0001-Disable-failing-tests-on-some-arches.patch
@@ -0,0 +1,300 @@
+From 5c306b874c847e6ae6750c55d097467ea89905b7 Mon Sep 17 00:00:00 2001
+From: Leonardo Arena <rnalrd@alpinelinux.org>
+Date: Thu, 31 Jan 2019 07:13:01 +0000
+Subject: [PATCH] Disable failing tests on some arches
+
+Missing logs for the last two tests
+
+FAIL: test-listen
+=================
+
+/server/listen/connect_plain: OK
+/server/listen/connect_tls: **
+Spice:ERROR:test-listen.c:117:fake_client_connect_tls: assertion failed (*error == NULL): TLS support is not available (g-tls-error-quark, 0)
+Aborted
+FAIL test-listen (exit status: 134)
+
+FAIL: test-sasl
+===============
+
+(process:27479): Spice-WARNING **: 10:54:41.853: red-stream.c:725:addr_to_string: Cannot resolve address -6: Unrecognized address family or invalid length
+**
+Spice:ERROR:test-sasl.c:516:client_emulator: assertion failed (read_u32_err(sock, &mechlen) == sizeof(uint32_t)): (0 == 4)
+
+---
+ server/tests/Makefile.am |   7 ---
+ server/tests/Makefile.in | 122 +++------------------------------------
+ 2 files changed, 9 insertions(+), 120 deletions(-)
+
+diff --git a/server/tests/Makefile.am b/server/tests/Makefile.am
+index 238f25a..51dbad0 100644
+--- a/server/tests/Makefile.am
++++ b/server/tests/Makefile.am
+@@ -53,15 +53,11 @@ check_PROGRAMS =				\
+ 	test-stream				\
+ 	test-agent-msg-filter			\
+ 	test-loop				\
+-	test-qxl-parsing			\
+ 	test-stat-file				\
+-	test-leaks				\
+-	test-vdagent				\
+ 	test-fail-on-null-core-interface	\
+ 	test-empty-success			\
+ 	test-channel				\
+ 	test-stream-device			\
+-	test-listen				\
+ 	$(NULL)
+ 
+ noinst_PROGRAMS =				\
+@@ -144,6 +140,3 @@ endif
+ 
+ EXTRA_DIST += video-encoders
+ 
+-if HAVE_SASL
+-check_PROGRAMS += test-sasl
+-endif
+diff --git a/server/tests/Makefile.in b/server/tests/Makefile.in
+index bd2c74b..eeda989 100644
+--- a/server/tests/Makefile.in
++++ b/server/tests/Makefile.in
+@@ -92,11 +92,10 @@ host_triplet = @host@
+ check_PROGRAMS = test-codecs-parsing$(EXEEXT) test-options$(EXEEXT) \
+ 	test-stat$(EXEEXT) test-stream$(EXEEXT) \
+ 	test-agent-msg-filter$(EXEEXT) test-loop$(EXEEXT) \
+-	test-qxl-parsing$(EXEEXT) test-stat-file$(EXEEXT) \
+-	test-leaks$(EXEEXT) test-vdagent$(EXEEXT) \
++	test-stat-file$(EXEEXT) \
+ 	test-fail-on-null-core-interface$(EXEEXT) \
+ 	test-empty-success$(EXEEXT) test-channel$(EXEEXT) \
+-	test-stream-device$(EXEEXT) test-listen$(EXEEXT) \
++	test-stream-device$(EXEEXT) \
+ 	$(am__EXEEXT_1) $(am__EXEEXT_2)
+ noinst_PROGRAMS = test-display-no-ssl$(EXEEXT) \
+ 	test-display-streaming$(EXEEXT) test-playback$(EXEEXT) \
+@@ -107,7 +106,6 @@ noinst_PROGRAMS = test-display-no-ssl$(EXEEXT) \
+ TESTS = $(check_PROGRAMS) $(am__EXEEXT_1) $(am__append_2)
+ @HAVE_GSTREAMER_TRUE@am__append_1 = test-gst
+ @ENABLE_EXTRA_CHECKS_TRUE@@HAVE_GSTREAMER_TRUE@am__append_2 = video-encoders
+-@HAVE_SASL_TRUE@am__append_3 = test-sasl
+ subdir = server/tests
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_valgrind_check.m4 \
+@@ -158,7 +156,6 @@ am_libtest_a_OBJECTS = basic-event-loop.$(OBJEXT) \
+ 	$(am__objects_1)
+ libtest_a_OBJECTS = $(am_libtest_a_OBJECTS)
+ am__EXEEXT_1 =
+-@HAVE_SASL_TRUE@am__EXEEXT_2 = test-sasl$(EXEEXT)
+ @HAVE_GSTREAMER_TRUE@am__EXEEXT_3 = test-gst$(EXEEXT)
+ PROGRAMS = $(noinst_PROGRAMS)
+ am__dirstamp = $(am__leading_dot)dirstamp
+@@ -263,22 +260,6 @@ test_gst_DEPENDENCIES = libtest.a \
+ 	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+-test_leaks_SOURCES = test-leaks.c
+-test_leaks_OBJECTS = test-leaks.$(OBJEXT)
+-test_leaks_LDADD = $(LDADD)
+-test_leaks_DEPENDENCIES = libtest.a \
+-	$(SPICE_COMMON_DIR)/common/libspice-common.la \
+-	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+-test_listen_SOURCES = test-listen.c
+-test_listen_OBJECTS = test-listen.$(OBJEXT)
+-test_listen_LDADD = $(LDADD)
+-test_listen_DEPENDENCIES = libtest.a \
+-	$(SPICE_COMMON_DIR)/common/libspice-common.la \
+-	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+ test_loop_SOURCES = test-loop.c
+ test_loop_OBJECTS = test-loop.$(OBJEXT)
+ test_loop_LDADD = $(LDADD)
+@@ -303,22 +284,6 @@ test_playback_DEPENDENCIES = libtest.a \
+ 	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+-test_qxl_parsing_SOURCES = test-qxl-parsing.c
+-test_qxl_parsing_OBJECTS = test-qxl-parsing.$(OBJEXT)
+-test_qxl_parsing_LDADD = $(LDADD)
+-test_qxl_parsing_DEPENDENCIES = libtest.a \
+-	$(SPICE_COMMON_DIR)/common/libspice-common.la \
+-	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+-test_sasl_SOURCES = test-sasl.c
+-test_sasl_OBJECTS = test-sasl.$(OBJEXT)
+-test_sasl_LDADD = $(LDADD)
+-test_sasl_DEPENDENCIES = libtest.a \
+-	$(SPICE_COMMON_DIR)/common/libspice-common.la \
+-	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+ am_test_stat_OBJECTS = test-stat.$(OBJEXT)
+ test_stat_OBJECTS = $(am_test_stat_OBJECTS)
+ am__DEPENDENCIES_2 = libtest.a \
+@@ -361,14 +326,6 @@ test_two_servers_DEPENDENCIES = libtest.a \
+ 	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+-test_vdagent_SOURCES = test-vdagent.c
+-test_vdagent_OBJECTS = test-vdagent.$(OBJEXT)
+-test_vdagent_LDADD = $(LDADD)
+-test_vdagent_DEPENDENCIES = libtest.a \
+-	$(SPICE_COMMON_DIR)/common/libspice-common.la \
+-	$(top_builddir)/server/libserver.la $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+-	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
+ AM_V_P = $(am__v_P_@AM_V@)
+ am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+ am__v_P_0 = false
+@@ -410,10 +367,10 @@ SOURCES = $(libtest_stat1_a_SOURCES) $(libtest_stat2_a_SOURCES) \
+ 	test-display-no-ssl.c test-display-resolution-changes.c \
+ 	test-display-streaming.c test-display-width-stride.c \
+ 	test-empty-success.c test-fail-on-null-core-interface.c \
+-	$(test_gst_SOURCES) test-leaks.c test-listen.c test-loop.c \
+-	test-options.c test-playback.c test-qxl-parsing.c test-sasl.c \
++	$(test_gst_SOURCES) test-loop.c \
++	test-options.c test-playback.c \
+ 	$(test_stat_SOURCES) test-stat-file.c test-stream.c \
+-	test-stream-device.c test-two-servers.c test-vdagent.c
++	test-stream-device.c test-two-servers.c
+ DIST_SOURCES = $(libtest_stat1_a_SOURCES) $(libtest_stat2_a_SOURCES) \
+ 	$(libtest_stat3_a_SOURCES) $(libtest_stat4_a_SOURCES) \
+ 	$(libtest_a_SOURCES) $(spice_server_replay_SOURCES) \
+@@ -421,11 +378,10 @@ DIST_SOURCES = $(libtest_stat1_a_SOURCES) $(libtest_stat2_a_SOURCES) \
+ 	test-display-no-ssl.c test-display-resolution-changes.c \
+ 	test-display-streaming.c test-display-width-stride.c \
+ 	test-empty-success.c test-fail-on-null-core-interface.c \
+-	$(am__test_gst_SOURCES_DIST) test-leaks.c test-listen.c \
+-	test-loop.c test-options.c test-playback.c test-qxl-parsing.c \
+-	test-sasl.c $(test_stat_SOURCES) test-stat-file.c \
+-	test-stream.c test-stream-device.c test-two-servers.c \
+-	test-vdagent.c
++	$(am__test_gst_SOURCES_DIST) \
++	test-loop.c test-options.c test-playback.c \
++	$(test_stat_SOURCES) test-stat-file.c \
++	test-stream.c test-stream-device.c test-two-servers.c
+ am__can_run_installinfo = \
+   case $$AM_UPDATE_INFO_DIR in \
+     n|no|NO) false;; \
+@@ -1046,14 +1002,6 @@ test-gst$(EXEEXT): $(test_gst_OBJECTS) $(test_gst_DEPENDENCIES) $(EXTRA_test_gst
+ 	@rm -f test-gst$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(test_gst_OBJECTS) $(test_gst_LDADD) $(LIBS)
+ 
+-test-leaks$(EXEEXT): $(test_leaks_OBJECTS) $(test_leaks_DEPENDENCIES) $(EXTRA_test_leaks_DEPENDENCIES) 
+-	@rm -f test-leaks$(EXEEXT)
+-	$(AM_V_CCLD)$(LINK) $(test_leaks_OBJECTS) $(test_leaks_LDADD) $(LIBS)
+-
+-test-listen$(EXEEXT): $(test_listen_OBJECTS) $(test_listen_DEPENDENCIES) $(EXTRA_test_listen_DEPENDENCIES) 
+-	@rm -f test-listen$(EXEEXT)
+-	$(AM_V_CCLD)$(LINK) $(test_listen_OBJECTS) $(test_listen_LDADD) $(LIBS)
+-
+ test-loop$(EXEEXT): $(test_loop_OBJECTS) $(test_loop_DEPENDENCIES) $(EXTRA_test_loop_DEPENDENCIES) 
+ 	@rm -f test-loop$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(test_loop_OBJECTS) $(test_loop_LDADD) $(LIBS)
+@@ -1066,14 +1014,6 @@ test-playback$(EXEEXT): $(test_playback_OBJECTS) $(test_playback_DEPENDENCIES) $
+ 	@rm -f test-playback$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(test_playback_OBJECTS) $(test_playback_LDADD) $(LIBS)
+ 
+-test-qxl-parsing$(EXEEXT): $(test_qxl_parsing_OBJECTS) $(test_qxl_parsing_DEPENDENCIES) $(EXTRA_test_qxl_parsing_DEPENDENCIES) 
+-	@rm -f test-qxl-parsing$(EXEEXT)
+-	$(AM_V_CCLD)$(LINK) $(test_qxl_parsing_OBJECTS) $(test_qxl_parsing_LDADD) $(LIBS)
+-
+-test-sasl$(EXEEXT): $(test_sasl_OBJECTS) $(test_sasl_DEPENDENCIES) $(EXTRA_test_sasl_DEPENDENCIES) 
+-	@rm -f test-sasl$(EXEEXT)
+-	$(AM_V_CCLD)$(LINK) $(test_sasl_OBJECTS) $(test_sasl_LDADD) $(LIBS)
+-
+ test-stat$(EXEEXT): $(test_stat_OBJECTS) $(test_stat_DEPENDENCIES) $(EXTRA_test_stat_DEPENDENCIES) 
+ 	@rm -f test-stat$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(test_stat_OBJECTS) $(test_stat_LDADD) $(LIBS)
+@@ -1094,10 +1034,6 @@ test-two-servers$(EXEEXT): $(test_two_servers_OBJECTS) $(test_two_servers_DEPEND
+ 	@rm -f test-two-servers$(EXEEXT)
+ 	$(AM_V_CCLD)$(LINK) $(test_two_servers_OBJECTS) $(test_two_servers_LDADD) $(LIBS)
+ 
+-test-vdagent$(EXEEXT): $(test_vdagent_OBJECTS) $(test_vdagent_DEPENDENCIES) $(EXTRA_test_vdagent_DEPENDENCIES) 
+-	@rm -f test-vdagent$(EXEEXT)
+-	$(AM_V_CCLD)$(LINK) $(test_vdagent_OBJECTS) $(test_vdagent_LDADD) $(LIBS)
+-
+ mostlyclean-compile:
+ 	-rm -f *.$(OBJEXT)
+ 	-rm -f ../*.$(OBJEXT)
+@@ -1123,19 +1059,14 @@ distclean-compile:
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-empty-success.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-fail-on-null-core-interface.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-glib-compat.Po@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-leaks.Po@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-listen.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-loop.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-options.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-playback.Po@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-qxl-parsing.Po@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-sasl.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-stat-file.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-stat.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-stream-device.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-stream.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-two-servers.Po@am__quote@
+-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test-vdagent.Po@am__quote@
+ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_gst-test-gst.Po@am__quote@
+ 
+ .c.o:
+@@ -1473,13 +1404,6 @@ test-loop.log: test-loop$(EXEEXT)
+ 	--log-file $$b.log --trs-file $$b.trs \
+ 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ 	"$$tst" $(AM_TESTS_FD_REDIRECT)
+-test-qxl-parsing.log: test-qxl-parsing$(EXEEXT)
+-	@p='test-qxl-parsing$(EXEEXT)'; \
+-	b='test-qxl-parsing'; \
+-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+-	--log-file $$b.log --trs-file $$b.trs \
+-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+-	"$$tst" $(AM_TESTS_FD_REDIRECT)
+ test-stat-file.log: test-stat-file$(EXEEXT)
+ 	@p='test-stat-file$(EXEEXT)'; \
+ 	b='test-stat-file'; \
+@@ -1487,20 +1411,6 @@ test-stat-file.log: test-stat-file$(EXEEXT)
+ 	--log-file $$b.log --trs-file $$b.trs \
+ 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ 	"$$tst" $(AM_TESTS_FD_REDIRECT)
+-test-leaks.log: test-leaks$(EXEEXT)
+-	@p='test-leaks$(EXEEXT)'; \
+-	b='test-leaks'; \
+-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+-	--log-file $$b.log --trs-file $$b.trs \
+-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+-	"$$tst" $(AM_TESTS_FD_REDIRECT)
+-test-vdagent.log: test-vdagent$(EXEEXT)
+-	@p='test-vdagent$(EXEEXT)'; \
+-	b='test-vdagent'; \
+-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+-	--log-file $$b.log --trs-file $$b.trs \
+-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+-	"$$tst" $(AM_TESTS_FD_REDIRECT)
+ test-fail-on-null-core-interface.log: test-fail-on-null-core-interface$(EXEEXT)
+ 	@p='test-fail-on-null-core-interface$(EXEEXT)'; \
+ 	b='test-fail-on-null-core-interface'; \
+@@ -1529,20 +1439,6 @@ test-stream-device.log: test-stream-device$(EXEEXT)
+ 	--log-file $$b.log --trs-file $$b.trs \
+ 	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+ 	"$$tst" $(AM_TESTS_FD_REDIRECT)
+-test-listen.log: test-listen$(EXEEXT)
+-	@p='test-listen$(EXEEXT)'; \
+-	b='test-listen'; \
+-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+-	--log-file $$b.log --trs-file $$b.trs \
+-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+-	"$$tst" $(AM_TESTS_FD_REDIRECT)
+-test-sasl.log: test-sasl$(EXEEXT)
+-	@p='test-sasl$(EXEEXT)'; \
+-	b='test-sasl'; \
+-	$(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+-	--log-file $$b.log --trs-file $$b.trs \
+-	$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \
+-	"$$tst" $(AM_TESTS_FD_REDIRECT)
+ video-encoders.log: video-encoders
+ 	@p='video-encoders'; \
+ 	b='video-encoders'; \
+-- 
+2.20.1
+
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index b945c4260c..a98e1022e5 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=spice
 pkgver=0.13.3
-pkgrel=3
+pkgrel=4
 pkgdesc="Implements the SPICE protocol"
 url="http://www.spice-space.org/"
 arch="all"
@@ -17,11 +17,14 @@ subpackages="$pkgname-dev $pkgname-server"
 source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
 	CVE-2017-7506.patch
 	CVE-2018-10873.patch
+	CVE-2019-3813.patch
 	"
 
 builddir="$srcdir"/$pkgname-$pkgver
 
 # secfixes:
+#   0.13.3-r4:
+#     - CVE-2019-3813
 #   0.13.3-r3:
 #     - CVE-2018-10873
 #   0.13.3-r2:
@@ -59,4 +62,5 @@ server() {
 
 sha512sums="63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a  spice-0.13.3.tar.bz2
 d752d6b72974f311c5f33c3e909d92cb67102869a4044e24dcd5e64056efefa96414936d2e673d4f1cf80913119cf601accd1a5c72ba1f90c350c402a0ae4e34  CVE-2017-7506.patch
-fd6f797daa7ae9d518111c23c9b594f2ef4ccfeb3725373060668b244588681c147b9c407791a56b85e7abb438f7174a4de5a78cd3e8c90f018efb2bae9302b4  CVE-2018-10873.patch"
+fd6f797daa7ae9d518111c23c9b594f2ef4ccfeb3725373060668b244588681c147b9c407791a56b85e7abb438f7174a4de5a78cd3e8c90f018efb2bae9302b4  CVE-2018-10873.patch
+a2e68a0f83eb0f9d9f4f8e2e5be84ef2301ee895ddda8d06406f3b1729d167e2bd9498d5c16214ec919f78e2f020d9f053d4c171b80d2f33fd7e1b5319958e24  CVE-2019-3813.patch"
diff --git a/main/spice/CVE-2019-3813.patch b/main/spice/CVE-2019-3813.patch
new file mode 100644
index 0000000000..4a62e179a0
--- /dev/null
+++ b/main/spice/CVE-2019-3813.patch
@@ -0,0 +1,57 @@
+From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Thu, 29 Nov 2018 14:18:39 +0100
+Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary
+ check
+
+RedMemSlotInfo keeps an array of groups, and each group contains an
+array of slots. Unfortunately, these checks are off by 1, they check
+that the index is greater or equal to the number of elements in the
+array, while these arrays are 0 based. The check should only check for
+strictly greater than the number of elements.
+
+For the group array, this is not a big issue, as these memslot groups
+are created by spice-server users (eg QEMU), and the group ids used to
+index that array are also generated by the spice-server user, so it
+should not be possible for the guest to set them to arbitrary values.
+
+The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+address, and such addresses are usually set by the guest QXL driver, so
+the guest can set these to arbitrary values, including malicious values,
+which are probably easy to build from the guest PCI configuration.
+
+This patch fixes the arrays bound check, and adds a test case for this.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ server/memslot.c                |  4 ++--
+ server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/server/memslot.c b/server/memslot.c
+index 75cb75f..6e02430 100644
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
+     MemSlot *slot;
+ 
+     *error = 0;
+-    if (group_id > info->num_memslots_groups) {
++    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         *error = 1;
+         return 0;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
++    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         *error = 1;
+ 
+-- 
+2.19.2
+
+
+
author	Leonardo Arena <rnalrd@alpinelinux.org>	2019-01-30 16:04:13 +0000
committer	Leonardo Arena <rnalrd@alpinelinux.org>	2019-01-31 12:47:33 +0000
commit	298d6f5b5993500c896213f6961102423cde08dc (patch)
tree	c833a4fc4f65bca893755498076aa237c9b41dc3
parent	3629c9dc90b9eab8a91378b33634ae9b19f9e0b0 (diff)
download	aports-298d6f5b5993500c896213f6961102423cde08dc.tar.bz2 aports-298d6f5b5993500c896213f6961102423cde08dc.tar.xz