aboutsummaryrefslogtreecommitdiffstats
path: root/main
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2015-10-13 08:55:18 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-10-13 09:01:43 +0000
commit1af3513c36a0040c0f09f9d448890656004204d9 (patch)
tree805347c4d3e9a42b61ea9e10eaddfc974571d68c /main
parenta887645297d9345a54253c577ef27a9998557145 (diff)
downloadaports-1af3513c36a0040c0f09f9d448890656004204d9.tar.bz2
aports-1af3513c36a0040c0f09f9d448890656004204d9.tar.xz
main/spice: enable opus support
Diffstat (limited to 'main')
-rw-r--r--main/spice/APKBUILD5
-rw-r--r--main/spice/CVE-2015-3247.patch116
2 files changed, 119 insertions, 2 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 3c8d885321..fca99cee8f 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.12.6
-pkgrel=0
+pkgrel=1
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -11,7 +11,7 @@ depends=""
depends_dev="spice-protocol pixman-dev celt051-dev openssl-dev libxinerama-dev"
makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
cyrus-sasl-dev libxfixes-dev python-dev bash cegui06-dev py-parsing
- py-six glib-dev"
+ py-six glib-dev opus-dev"
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
@@ -41,6 +41,7 @@ build() {
--enable-gui \
--enable-client \
--disable-smartcard \
+ --enable-opus \
|| return 1
make -C spice-common WARN_CFLAGS='' || return 1
make WARN_CFLAGS='' || return 1
diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch
new file mode 100644
index 0000000000..47ee3c4f91
--- /dev/null
+++ b/main/spice/CVE-2015-3247.patch
@@ -0,0 +1,116 @@
+From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 9 Jun 2015 08:50:46 +0100
+Subject: Avoid race conditions reading monitor configs from guest
+
+For security reasons do not assume guest do not change structures it
+pass to Qemu.
+Guest could change count field while Qemu is copying QXLMonitorsConfig
+structure leading to heap corruption.
+This patch avoid it reading count only once.
+
+This patch solves CVE-2015-3247.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+
+diff --git a/server/red_worker.c b/server/red_worker.c
+index 2f2d5a9..e2feb23 100644
+--- a/server/red_worker.c
++++ b/server/red_worker.c
+@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc)
+
+ static void worker_update_monitors_config(RedWorker *worker,
+ QXLMonitorsConfig *dev_monitors_config,
+- unsigned int max_monitors)
++ uint16_t count, uint16_t max_allowed)
+ {
+ int heads_size;
+ MonitorsConfig *monitors_config;
+ int i;
+- unsigned int count = MIN(dev_monitors_config->count, max_monitors);
+
+ monitors_config_decref(worker->monitors_config);
+
+ spice_debug("monitors config %d(%d)",
+- dev_monitors_config->count,
+- dev_monitors_config->max_allowed);
+- for (i = 0; i < dev_monitors_config->count; i++) {
++ count,
++ max_allowed);
++ for (i = 0; i < count; i++) {
+ spice_debug("+%d+%d %dx%d",
+ dev_monitors_config->heads[i].x,
+ dev_monitors_config->heads[i].y,
+@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker,
+ monitors_config->refs = 1;
+ monitors_config->worker = worker;
+ monitors_config->count = count;
+- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors);
++ monitors_config->max_allowed = max_allowed;
+ memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size);
+ }
+
+@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload)
+ red_migrate_display(worker, rcc);
+ }
+
++static inline uint32_t qxl_monitors_config_size(uint32_t heads)
++{
++ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads;
++}
++
+ static void handle_dev_monitors_config_async(void *opaque, void *payload)
+ {
+ RedWorkerMessageMonitorsConfigAsync *msg = payload;
+ RedWorker *worker = opaque;
+- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead);
+ int error;
++ uint16_t count, max_allowed;
+ QXLMonitorsConfig *dev_monitors_config =
+ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
+- min_size, msg->group_id, &error);
++ qxl_monitors_config_size(1),
++ msg->group_id, &error);
+
+ if (error) {
+ /* TODO: raise guest bug (requires added QXL interface) */
+ return;
+ }
+ worker->driver_cap_monitors_config = 1;
+- if (dev_monitors_config->count == 0) {
++ count = dev_monitors_config->count;
++ max_allowed = dev_monitors_config->max_allowed;
++ if (count == 0) {
+ spice_warning("ignoring an empty monitors config message from driver");
+ return;
+ }
+- if (dev_monitors_config->count > dev_monitors_config->max_allowed) {
++ if (count > max_allowed) {
+ spice_warning("ignoring malformed monitors_config from driver, "
+ "count > max_allowed %d > %d",
+- dev_monitors_config->count,
+- dev_monitors_config->max_allowed);
++ count,
++ max_allowed);
++ return;
++ }
++ /* get pointer again to check virtual size */
++ dev_monitors_config =
++ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config,
++ qxl_monitors_config_size(count),
++ msg->group_id, &error);
++ if (error) {
++ /* TODO: raise guest bug (requires added QXL interface) */
+ return;
+ }
+- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors);
++ worker_update_monitors_config(worker, dev_monitors_config,
++ MIN(count, msg->max_monitors),
++ MIN(max_allowed, msg->max_monitors));
+ red_worker_push_monitors_config(worker);
+ }
+
+--
+cgit v0.10.2
+