authorNatanael Copa <ncopa@alpinelinux.org>2014-01-14 15:04:41 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2014-01-14 15:04:41 +0000
commitce226a62f71dead174acea9eb908ef3e81db49b2 (patch)
tree057f6e6d9112ddfc91546ec857edc7dc6f872f10 /main/spice
parent1249958798051440a3bd830c4d97bd0c7102040c (diff)
main/spice: security fix for CVE-2013-4282
ref #2595
Diffstat (limited to 'main/spice')
-rw-r--r--main/spice/APKBUILD14
-rw-r--r--main/spice/CVE-2013-4282.patch104
2 files changed, 113 insertions, 5 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 5b5c73a4a7..b2e4e7f09c 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.12.4
-pkgrel=0
+pkgrel=1
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -15,7 +15,8 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
install=""
subpackages="$pkgname-dev $pkgname-server $pkgname-client"
source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
- cstdarg.patch"
+ cstdarg.patch
+ CVE-2013-4282.patch"
_builddir="$srcdir"/spice-$pkgver
prepare() {
@@ -63,8 +64,11 @@ client() {
}
md5sums="325b1c42ce24e75de45a75876b73a8bd spice-0.12.4.tar.bz2
-3e61fdc18bf201a2b54b332fdbe2912e cstdarg.patch"
+3e61fdc18bf201a2b54b332fdbe2912e cstdarg.patch
+24a1648e7c684b4444d7921b5534767e CVE-2013-4282.patch"
sha256sums="cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387 spice-0.12.4.tar.bz2
-bc2219f68ed701e74a02c5196c934bb3e6fbf5813005f39e41e911668e0e622c cstdarg.patch"
+bc2219f68ed701e74a02c5196c934bb3e6fbf5813005f39e41e911668e0e622c cstdarg.patch
+9f50c3435726f296cfa1aa5417d857289f0d2001b59b7f698a3b293b91dbaf1d CVE-2013-4282.patch"
sha512sums="9867c2ace6205b606eef4a04a7e1fa0533c8d419cbb063edf4ded12db24f76237487d3e9dd57dec0f5b952eef399aa395d8591e2d82cab4d13e0d3ce6c7fba74 spice-0.12.4.tar.bz2
-040f4104d9658465cb2ffa72101f958341497898d86ee82bdf31bd65e5f3497822be4b9b3e9eca2a9b965385481190a2fb4ca5fb26b89391ab1598fc23d300c9 cstdarg.patch"
+040f4104d9658465cb2ffa72101f958341497898d86ee82bdf31bd65e5f3497822be4b9b3e9eca2a9b965385481190a2fb4ca5fb26b89391ab1598fc23d300c9 cstdarg.patch
+eaa097ee1ee692e406d911723549c383fa2ddc5de37e93afef7024d928ea2e715ac9034e5cef367d4a3a0aeae8d7edd3a4f059a82987df9960a66a7117746283 CVE-2013-4282.patch"
diff --git a/main/spice/CVE-2013-4282.patch b/main/spice/CVE-2013-4282.patch
new file mode 100644
index 0000000000..3dfa1c8f2f
--- /dev/null
+++ b/main/spice/CVE-2013-4282.patch
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Fri, 23 Aug 2013 09:29:44 +0000
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+- char password[SPICE_MAX_PASSWORD_LENGTH];
++ char *password;
+ time_t ltime;
++ int password_size;
+
+ //todo: use monotonic time
+ time(&ltime);
+- RSA_private_decrypt(link->tiTicketing.rsa_size,
+- link->tiTicketing.encrypted_ticket.encrypted_data,
+- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++ "SPICE ticket sent from client may be truncated",
++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++ }
++
++ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++ link->tiTicketing.encrypted_ticket.encrypted_data,
++ (unsigned char *)password,
++ link->tiTicketing.rsa,
++ RSA_PKCS1_OAEP_PADDING);
++ if (password_size == -1) {
++ spice_warning("failed to decrypt RSA encrypted password: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++ goto error;
++ }
++ password[password_size] = '\0';
+
+ if (ticketing_enabled && !link->skip_auth) {
+ int expired = taTicket.expiration_time < ltime;
+
+ if (strlen(taTicket.password) == 0) {
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning("Ticketing is enabled, but no password is set. "
+- "please set a ticket first");
+- reds_link_free(link);
+- return;
++ "please set a ticket first");
++ goto error;
+ }
+
+- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++ if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning("Ticket has expired");
+ } else {
+ spice_warning("Invalid password");
+ }
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+- reds_link_free(link);
+- return;
++ goto error;
+ }
+ }
+
+ reds_handle_link(link);
++ goto end;
++
++error:
++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++ reds_link_free(link);
++
++end:
++ g_free(password);
+ }
+
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe
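Review bot: The decrypted ticket is released at the `end:` label with a plain `g_free(password);`, so the plaintext password stays in freed heap memory after reds_handle_ticket returns; the old stack buffer had the same weakness, but now that the allocation size is known it is cheap to scrub it first, e.g. `OPENSSL_cleanse(password, RSA_size(link->tiTicketing.rsa) + 1);` immediately before the `g_free` (the function already depends on the OpenSSL RSA and ERR APIs, and a plain `memset` before free may be optimized away). The new `strcmp(password, taTicket.password)` stops at the first differing byte; a fixed-time comparison over both strings is the conventional choice for a credential check, though whether that matters for SPICE ticketing is a judgement call. The `password_size == -1` test matches OpenSSL's documented failure return for RSA_private_decrypt, but `if (password_size < 0)` would be the more defensive spelling and keeps the following `password[password_size] = '\0'` from ever indexing with a negative value. This is a vendored upstream patch, so any of these changes belongs upstream rather than in the Alpine copy.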