From ce226a62f71dead174acea9eb908ef3e81db49b2 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Tue, 14 Jan 2014 15:04:41 +0000
Subject: main/spice: security fix for CVE-2013-4282 ref #2595
---
 main/spice/APKBUILD | 14 ++++--
 main/spice/CVE-2013-4282.patch | 104 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 113 insertions(+), 5 deletions(-)
 create mode 100644 main/spice/CVE-2013-4282.patch
(limited to 'main/spice')
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 5b5c73a4a7..b2e4e7f09c 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa
 pkgname=spice
 pkgver=0.12.4
-pkgrel=0
+pkgrel=1
 pkgdesc="Implements the SPICE protocol"
 url="http://www.spice-space.org/"
 arch="all"
@@ -15,7 +15,8 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
 install=""
 subpackages="$pkgname-dev $pkgname-server $pkgname-client"
 source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
- cstdarg.patch"
+ cstdarg.patch
+ CVE-2013-4282.patch"
 _builddir="$srcdir"/spice-$pkgver
 prepare() {
@@ -63,8 +64,11 @@ client() {
 }
 
 md5sums="325b1c42ce24e75de45a75876b73a8bd spice-0.12.4.tar.bz2
-3e61fdc18bf201a2b54b332fdbe2912e cstdarg.patch"
+3e61fdc18bf201a2b54b332fdbe2912e cstdarg.patch
+24a1648e7c684b4444d7921b5534767e CVE-2013-4282.patch"
 sha256sums="cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387 spice-0.12.4.tar.bz2
-bc2219f68ed701e74a02c5196c934bb3e6fbf5813005f39e41e911668e0e622c cstdarg.patch"
+bc2219f68ed701e74a02c5196c934bb3e6fbf5813005f39e41e911668e0e622c cstdarg.patch
+9f50c3435726f296cfa1aa5417d857289f0d2001b59b7f698a3b293b91dbaf1d CVE-2013-4282.patch"
 sha512sums="9867c2ace6205b606eef4a04a7e1fa0533c8d419cbb063edf4ded12db24f76237487d3e9dd57dec0f5b952eef399aa395d8591e2d82cab4d13e0d3ce6c7fba74 spice-0.12.4.tar.bz2
-040f4104d9658465cb2ffa72101f958341497898d86ee82bdf31bd65e5f3497822be4b9b3e9eca2a9b965385481190a2fb4ca5fb26b89391ab1598fc23d300c9 cstdarg.patch"
+040f4104d9658465cb2ffa72101f958341497898d86ee82bdf31bd65e5f3497822be4b9b3e9eca2a9b965385481190a2fb4ca5fb26b89391ab1598fc23d300c9 cstdarg.patch
+eaa097ee1ee692e406d911723549c383fa2ddc5de37e93afef7024d928ea2e715ac9034e5cef367d4a3a0aeae8d7edd3a4f059a82987df9960a66a7117746283 CVE-2013-4282.patch"
diff --git a/main/spice/CVE-2013-4282.patch b/main/spice/CVE-2013-4282.patch
new file mode 100644
index 0000000000..3dfa1c8f2f
--- /dev/null
+++ b/main/spice/CVE-2013-4282.patch
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau
+Date: Fri, 23 Aug 2013 09:29:44 +0000
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+- char password[SPICE_MAX_PASSWORD_LENGTH];
++ char *password;
+ time_t ltime;
++ int password_size;
+ 
+ //todo: use monotonic time
+ time(<ime);
+- RSA_private_decrypt(link->tiTicketing.rsa_size,
+- link->tiTicketing.encrypted_ticket.encrypted_data,
+- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++ "SPICE ticket sent from client may be truncated",
++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++ }
++
++ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++ link->tiTicketing.encrypted_ticket.encrypted_data,
++ (unsigned char *)password,
++ link->tiTicketing.rsa,
++ RSA_PKCS1_OAEP_PADDING);
++ if (password_size == -1) {
++ spice_warning("failed to decrypt RSA encrypted password: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++ goto error;
++ }
++ password[password_size] = '\0';
+ 
+ if (ticketing_enabled && !link->skip_auth) {
+ int expired = taTicket.expiration_time < ltime;
+ 
+ if (strlen(taTicket.password) == 0) {
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning("Ticketing is enabled, but no password is set. "
+- "please set a ticket first");
+- reds_link_free(link);
+- return;
++ "please set a ticket first");
++ goto error;
+ }
+ 
+- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++ if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning("Ticket has expired");
+ } else {
+ spice_warning("Invalid password");
+ }
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+- reds_link_free(link);
+- return;
++ goto error;
+ }
+ }
+ 
+ reds_handle_link(link);
++ goto end;
++
++error:
++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++ reds_link_free(link);
++
++end:
++ g_free(password);
+ }
+ 
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe
--
cgit v1.2.3