authorLeonardo Arena <rnalrd@alpinelinux.org>2018-11-07 14:09:37 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-11-07 14:09:37 +0000
commit4c2af56913485da4fef6ab4f58ba5833a09fe234 (patch)
tree541f36c31efacdd4dddaff318405321e2cbc5ddb /main
parent8e0dfd98580cbf143a79a0637f683c76a2d3ddda (diff)
main/spice: security fix (CVE-2018-10873)
Fixes #9309
Diffstat (limited to 'main')
-rw-r--r--main/spice/APKBUILD11
-rw-r--r--main/spice/CVE-2018-10873.patch74
2 files changed, 82 insertions, 3 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index b10a21016e..b945c4260c 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.13.3
-pkgrel=2
+pkgrel=3
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -15,11 +15,15 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
- CVE-2017-7506.patch"
+ CVE-2017-7506.patch
+ CVE-2018-10873.patch
+ "
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
+# 0.13.3-r3:
+# - CVE-2018-10873
# 0.13.3-r2:
# - CVE-2017-7506
@@ -54,4 +58,5 @@ server() {
}
sha512sums="63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a spice-0.13.3.tar.bz2
-d752d6b72974f311c5f33c3e909d92cb67102869a4044e24dcd5e64056efefa96414936d2e673d4f1cf80913119cf601accd1a5c72ba1f90c350c402a0ae4e34 CVE-2017-7506.patch"
+d752d6b72974f311c5f33c3e909d92cb67102869a4044e24dcd5e64056efefa96414936d2e673d4f1cf80913119cf601accd1a5c72ba1f90c350c402a0ae4e34 CVE-2017-7506.patch
+fd6f797daa7ae9d518111c23c9b594f2ef4ccfeb3725373060668b244588681c147b9c407791a56b85e7abb438f7174a4de5a78cd3e8c90f018efb2bae9302b4 CVE-2018-10873.patch"
diff --git a/main/spice/CVE-2018-10873.patch b/main/spice/CVE-2018-10873.patch
new file mode 100644
index 0000000000..3395bab552
--- /dev/null
+++ b/main/spice/CVE-2018-10873.patch
@@ -0,0 +1,74 @@
+From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: [PATCH] Fix flexible array buffer overflow
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+ message {
+ uint32 dummy[2];
+ uint8 data[] @end;
+ } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+ { /* data */
+ data__nelements = message_end - (start + 8);
+
+ data__nw_size = data__nelements;
+ }
+
+ nw_size = 8 + data__nw_size;
+
+ /* Check if message fits in reported side */
+ if (nw_size > (uintptr_t) (message_end - start)) {
+ return NULL;
+ }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+ 8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+ nw_size == message_end - start so the check is doing
+ ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ python_modules/demarshal.py | 1 +
+ tests/test-marshallers.c | 8 ++++++++
+ tests/test-marshallers.h | 5 +++++
+ tests/test-marshallers.proto | 5 +++++
+ 4 files changed, 19 insertions(+)
+
+diff --git a/spice-commmon/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
+index 7b53361..5a237a6 100644
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -331,6 +331,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
+ writer.assign(nelements, array.size)
+ elif array.is_remaining_length():
+ if element_type.is_fixed_nw_size():
++ writer.error_check("%s > message_end" % item.get_position())
+ if element_type.get_fixed_nw_size() == 1:
+ writer.assign(nelements, "message_end - %s" % item.get_position())
+ else:
+--
+2.18.1
+
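Review bot: The `diff --git` line inside the new CVE-2018-10873.patch names `a/spice-commmon/python_modules/demarshal.py` (three m's) while its `---`/`+++` lines use `spice-common`, and the embedded diffstat still lists four files and 19 insertions although only the one-line demarshal.py hunk is carried. patch(1) takes the target from the `---`/`+++` lines, so this presumably still applies, but the header should read `diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py`, and a short comment in the patch saying the upstream test changes were dropped would explain the stale diffstat. Because demarshal.py is a code generator, the added `writer.error_check("%s > message_end" % item.get_position())` only reaches the shipped library if the C demarshallers are regenerated during the build; if the release tarball ships pre-generated demarshallers, it is worth confirming in the build log that they are rebuilt after patching. The check sits only in the `is_fixed_nw_size()` branch of the remaining-length case, and the rest of `write_validate_array_item` is outside the hunk, so whether the other branches need the same guard cannot be judged from here.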