diff options
author | Daniel Sabogal <dsabogalcc@gmail.com> | 2016-08-17 00:07:49 -0400 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-08-26 17:27:39 +0000 |
commit | a56e4e3c1e2f4297d2771d28dac70e5afc81839e (patch) | |
tree | 213c0d6ca0182bf5dc26ffc63d8f9b4ddddfcbca /main | |
parent | 5bb854b78247cfca2f9c179b2cce5f9d8a8f57eb (diff) | |
download | aports-a56e4e3c1e2f4297d2771d28dac70e5afc81839e.tar.bz2 aports-a56e4e3c1e2f4297d2771d28dac70e5afc81839e.tar.xz |
main/spice: security upgrade to 0.12.8
CVE-2016-0749
CVE-2016-2150
Removed unused patch (CVE-2015-3247 fixed in 0.12.6)
https://cgit.freedesktop.org/spice/spice/tree/NEWS?h=0.12
Diffstat (limited to 'main')
-rw-r--r-- | main/spice/APKBUILD | 28 | ||||
-rw-r--r-- | main/spice/CVE-2015-3247.patch | 116 |
2 files changed, 9 insertions, 135 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD index 53ef2b13a2..de6d052ebe 100644 --- a/main/spice/APKBUILD +++ b/main/spice/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=spice -pkgver=0.12.7 -pkgrel=1 +pkgver=0.12.8 +pkgrel=0 pkgdesc="Implements the SPICE protocol" url="http://www.spice-space.org/" arch="all" @@ -14,22 +14,12 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev py-six glib-dev opus-dev" install="" subpackages="$pkgname-dev $pkgname-server" -source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2 +source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2 " -_builddir="$srcdir"/spice-$pkgver -prepare() { - local i - cd "$_builddir" - for i in $source; do - case $i in - *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; - esac - done -} - +builddir="$srcdir"/$pkgname-$pkgver build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -48,7 +38,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" make DESTDIR="$pkgdir" install || return 1 } @@ -58,6 +48,6 @@ server() { mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/ } -md5sums="28d4294e6d055de3b6ce5b8f2b7ca03b spice-0.12.7.tar.bz2" -sha256sums="1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba spice-0.12.7.tar.bz2" -sha512sums="a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae spice-0.12.7.tar.bz2" +md5sums="376853d11b9921aa34a06c4dbef81874 spice-0.12.8.tar.bz2" +sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2" +sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed spice-0.12.8.tar.bz2" diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch deleted file mode 100644 index 47ee3c4f91..0000000000 --- a/main/spice/CVE-2015-3247.patch +++ /dev/null @@ -1,116 +0,0 @@ -From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Tue, 9 Jun 2015 08:50:46 +0100 -Subject: Avoid race conditions reading monitor configs from guest - -For security reasons do not assume guest do not change structures it -pass to Qemu. -Guest could change count field while Qemu is copying QXLMonitorsConfig -structure leading to heap corruption. -This patch avoid it reading count only once. - -This patch solves CVE-2015-3247. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> -Acked-by: Christophe Fergeau <cfergeau@redhat.com> - -diff --git a/server/red_worker.c b/server/red_worker.c -index 2f2d5a9..e2feb23 100644 ---- a/server/red_worker.c -+++ b/server/red_worker.c -@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc) - - static void worker_update_monitors_config(RedWorker *worker, - QXLMonitorsConfig *dev_monitors_config, -- unsigned int max_monitors) -+ uint16_t count, uint16_t max_allowed) - { - int heads_size; - MonitorsConfig *monitors_config; - int i; -- unsigned int count = MIN(dev_monitors_config->count, max_monitors); - - monitors_config_decref(worker->monitors_config); - - spice_debug("monitors config %d(%d)", -- dev_monitors_config->count, -- dev_monitors_config->max_allowed); -- for (i = 0; i < dev_monitors_config->count; i++) { -+ count, -+ max_allowed); -+ for (i = 0; i < count; i++) { - spice_debug("+%d+%d %dx%d", - dev_monitors_config->heads[i].x, - dev_monitors_config->heads[i].y, -@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker, - monitors_config->refs = 1; - monitors_config->worker = worker; - monitors_config->count = count; -- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors); -+ monitors_config->max_allowed = max_allowed; - memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); - } - -@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload) - red_migrate_display(worker, rcc); - } - -+static inline uint32_t qxl_monitors_config_size(uint32_t heads) -+{ -+ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; -+} -+ - static void handle_dev_monitors_config_async(void *opaque, void *payload) - { - RedWorkerMessageMonitorsConfigAsync *msg = payload; - RedWorker *worker = opaque; -- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); - int error; -+ uint16_t count, max_allowed; - QXLMonitorsConfig *dev_monitors_config = - (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, -- min_size, msg->group_id, &error); -+ qxl_monitors_config_size(1), -+ msg->group_id, &error); - - if (error) { - /* TODO: raise guest bug (requires added QXL interface) */ - return; - } - worker->driver_cap_monitors_config = 1; -- if (dev_monitors_config->count == 0) { -+ count = dev_monitors_config->count; -+ max_allowed = dev_monitors_config->max_allowed; -+ if (count == 0) { - spice_warning("ignoring an empty monitors config message from driver"); - return; - } -- if (dev_monitors_config->count > dev_monitors_config->max_allowed) { -+ if (count > max_allowed) { - spice_warning("ignoring malformed monitors_config from driver, " - "count > max_allowed %d > %d", -- dev_monitors_config->count, -- dev_monitors_config->max_allowed); -+ count, -+ max_allowed); -+ return; -+ } -+ /* get pointer again to check virtual size */ -+ dev_monitors_config = -+ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, -+ qxl_monitors_config_size(count), -+ msg->group_id, &error); -+ if (error) { -+ /* TODO: raise guest bug (requires added QXL interface) */ - return; - } -- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors); -+ worker_update_monitors_config(worker, dev_monitors_config, -+ MIN(count, msg->max_monitors), -+ MIN(max_allowed, msg->max_monitors)); - red_worker_push_monitors_config(worker); - } - --- -cgit v0.10.2 - |