From 1af3513c36a0040c0f09f9d448890656004204d9 Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Tue, 13 Oct 2015 08:55:18 +0000 Subject: main/spice: enable opus support --- main/spice/APKBUILD | 5 +- main/spice/CVE-2015-3247.patch | 116 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+), 2 deletions(-) create mode 100644 main/spice/CVE-2015-3247.patch (limited to 'main/spice') diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD index 3c8d88532..fca99cee8 100644 --- a/main/spice/APKBUILD +++ b/main/spice/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa pkgname=spice pkgver=0.12.6 -pkgrel=0 +pkgrel=1 pkgdesc="Implements the SPICE protocol" url="http://www.spice-space.org/" arch="all" @@ -11,7 +11,7 @@ depends="" depends_dev="spice-protocol pixman-dev celt051-dev openssl-dev libxinerama-dev" makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev cyrus-sasl-dev libxfixes-dev python-dev bash cegui06-dev py-parsing - py-six glib-dev" + py-six glib-dev opus-dev" install="" subpackages="$pkgname-dev $pkgname-server" source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2 @@ -41,6 +41,7 @@ build() { --enable-gui \ --enable-client \ --disable-smartcard \ + --enable-opus \ || return 1 make -C spice-common WARN_CFLAGS='' || return 1 make WARN_CFLAGS='' || return 1 diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch new file mode 100644 index 000000000..47ee3c4f9 --- /dev/null +++ b/main/spice/CVE-2015-3247.patch @@ -0,0 +1,116 @@ +From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 9 Jun 2015 08:50:46 +0100 +Subject: Avoid race conditions reading monitor configs from guest + +For security reasons do not assume guest do not change structures it +pass to Qemu. +Guest could change count field while Qemu is copying QXLMonitorsConfig +structure leading to heap corruption. +This patch avoid it reading count only once. + +This patch solves CVE-2015-3247. + +Signed-off-by: Frediano Ziglio +Acked-by: Christophe Fergeau + +diff --git a/server/red_worker.c b/server/red_worker.c +index 2f2d5a9..e2feb23 100644 +--- a/server/red_worker.c ++++ b/server/red_worker.c +@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc) + + static void worker_update_monitors_config(RedWorker *worker, + QXLMonitorsConfig *dev_monitors_config, +- unsigned int max_monitors) ++ uint16_t count, uint16_t max_allowed) + { + int heads_size; + MonitorsConfig *monitors_config; + int i; +- unsigned int count = MIN(dev_monitors_config->count, max_monitors); + + monitors_config_decref(worker->monitors_config); + + spice_debug("monitors config %d(%d)", +- dev_monitors_config->count, +- dev_monitors_config->max_allowed); +- for (i = 0; i < dev_monitors_config->count; i++) { ++ count, ++ max_allowed); ++ for (i = 0; i < count; i++) { + spice_debug("+%d+%d %dx%d", + dev_monitors_config->heads[i].x, + dev_monitors_config->heads[i].y, +@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker, + monitors_config->refs = 1; + monitors_config->worker = worker; + monitors_config->count = count; +- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors); ++ monitors_config->max_allowed = max_allowed; + memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); + } + +@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload) + red_migrate_display(worker, rcc); + } + ++static inline uint32_t qxl_monitors_config_size(uint32_t heads) ++{ ++ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; ++} ++ + static void handle_dev_monitors_config_async(void *opaque, void *payload) + { + RedWorkerMessageMonitorsConfigAsync *msg = payload; + RedWorker *worker = opaque; +- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); + int error; ++ uint16_t count, max_allowed; + QXLMonitorsConfig *dev_monitors_config = + (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, +- min_size, msg->group_id, &error); ++ qxl_monitors_config_size(1), ++ msg->group_id, &error); + + if (error) { + /* TODO: raise guest bug (requires added QXL interface) */ + return; + } + worker->driver_cap_monitors_config = 1; +- if (dev_monitors_config->count == 0) { ++ count = dev_monitors_config->count; ++ max_allowed = dev_monitors_config->max_allowed; ++ if (count == 0) { + spice_warning("ignoring an empty monitors config message from driver"); + return; + } +- if (dev_monitors_config->count > dev_monitors_config->max_allowed) { ++ if (count > max_allowed) { + spice_warning("ignoring malformed monitors_config from driver, " + "count > max_allowed %d > %d", +- dev_monitors_config->count, +- dev_monitors_config->max_allowed); ++ count, ++ max_allowed); ++ return; ++ } ++ /* get pointer again to check virtual size */ ++ dev_monitors_config = ++ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, ++ qxl_monitors_config_size(count), ++ msg->group_id, &error); ++ if (error) { ++ /* TODO: raise guest bug (requires added QXL interface) */ + return; + } +- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors); ++ worker_update_monitors_config(worker, dev_monitors_config, ++ MIN(count, msg->max_monitors), ++ MIN(max_allowed, msg->max_monitors)); + red_worker_push_monitors_config(worker); + } + +-- +cgit v0.10.2 + -- cgit v1.2.3