From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: "Yann E. MORIN"
Date: Wed, 17 Oct 2018 11:45:18 +0200
Message-Id: <20181017094520.4187-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH 1/2] spice-protocol: bump version to 0.12.14

Needed by spice 0.14.x

Signed-off-by: Peter Korsgaard
--- package/spice-protocol/spice-protocol.hash | 2 +- package/spice-protocol/spice-protocol.mk | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package/spice-protocol/spice-protocol.hash b/package/spice-protocol/spice-protocol.hash index c75c095cbf..e72bb2d712 100644 --- a/package/spice-protocol/spice-protocol.hash +++ b/package/spice-protocol/spice-protocol.hash @@ -1,2 +1,2 @@ # Locally calculated after checking pgp signature -sha256 788f0d7195bec5b14371732b562eb55ca82712aab12273b0e87529fb30532efb spice-protocol-0.12.10.tar.bz2 +sha256 20350bc4309039fdf0d29ee4fd0033cde27bccf33501e13b3c1befafde9d0c9c spice-protocol-0.12.14.tar.bz2 diff --git a/package/spice-protocol/spice-protocol.mk b/package/spice-protocol/spice-protocol.mk index dcc6feeb13..7392e9533d 100644 --- a/package/spice-protocol/spice-protocol.mk +++ b/package/spice-protocol/spice-protocol.mk
@@ -4,7 +4,7 @@ # ################################################################################ -SPICE_PROTOCOL_VERSION = 0.12.10 +SPICE_PROTOCOL_VERSION = 0.12.14 SPICE_PROTOCOL_SOURCE = spice-protocol-$(SPICE_PROTOCOL_VERSION).tar.bz2 SPICE_PROTOCOL_SITE = http://www.spice-space.org/download/releases SPICE_PROTOCOL_LICENSE = BSD-3-Clause
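Review bot: in the spice-protocol.hash hunk the new sha256 for spice-protocol-0.12.14.tar.bz2 sits under the unchanged comment "# Locally calculated after checking pgp signature", and nothing in the commit message confirms that the signature check was repeated for the new tarball. The spice-protocol.mk context still has SPICE_PROTOCOL_SITE on plain http, so this hash is the only integrity control on the download. Please confirm the check was redone and record in the hash comment which signature file or key it was verified against, so the check can be repeated.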
From: Peter Korsgaard
To: buildroot@buildroot.org
Cc: "Yann E. MORIN"
Date: Wed, 17 Oct 2018 11:45:19 +0200
Message-Id: <20181017094520.4187-2-peter@korsgaard.com>
In-Reply-To: <20181017094520.4187-1-peter@korsgaard.com>
Subject: [Buildroot] [PATCH 2/2] spice: security bump to version 0.14.1

Fixes CVE-2018-10873: A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.

Drop patches as they are now upstream.

Add host-pkgconf as the configure script uses pkg-config.

Drop removed --disable-automated-tests configure flag.

Add optional opus support, as that is now supported and needs to be explicitly disabled to not use.

Explicitly disable optional gstreamer support for now as the dependency tree is fairly complicated.

Signed-off-by: Peter Korsgaard --- ...sible-DoS-attempts-during-protocol-handsh.patch | 60 ----------------- ...nt-integer-overflows-in-capability-checks.patch | 43 ------------- ...l-Prevent-overflow-reading-messages-from-.patch | 33 ---------- ...nect-when-receiving-overly-big-ClientMoni.patch | 75 ---------------------- ...integer-overflows-handling-monitor-config.patch | 31 --------- ...buffer-overflows-handling-monitor-configu.patch | 48 -------------- package/spice/spice.hash | 2 +- package/spice/spice.mk | 14 +++- 8 files changed, 12 insertions(+), 294 deletions(-) delete mode 100644 package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch delete mode 100644 package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch delete mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch delete mode 100644 package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch delete mode 100644 package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch delete mode 100644 package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch diff --git a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch deleted file mode 100644 index 57a64d96b7..0000000000 --- a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 13 Dec 2016 14:39:48 +0000 -Subject: [PATCH] Prevent possible DoS attempts during protocol handshake - -The limit for link message is specified using a 32 bit unsigned integer. -This could cause possible DoS due to excessive memory allocations and -some possible crashes. -For instance a value >= 2^31 causes a spice_assert to be triggered in -async_read_handler (reds-stream.c) due to an integer overflow at this -line: - - int n = async->end - async->now; - -This could be easily triggered with a program like - - #!/usr/bin/env python - - import socket - import time - from struct import pack - - server = '127.0.0.1' - port = 5900 - - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((server, port)) - data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa) - s.send(data) - - time.sleep(1) - -without requiring any authentication (the same can be done -with TLS). - -[Peter: fixes CVE-2016-9578] -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau -Signed-off-by: Peter Korsgaard ---- - server/reds.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/server/reds.c b/server/reds.c -index f40b65c1..86a33d53 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) - - reds->peer_minor_version = header->minor_version; - -- if (header->size < sizeof(SpiceLinkMess)) { -+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ -+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { - reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); - spice_warning("bad size %u", header->size); - reds_link_free(link); --- -2.11.0 - 
diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch deleted file mode 100644 index 5bf9b89d17..0000000000 --- a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch +++ /dev/null @@ -1,43 +0,0 @@ -From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 13 Dec 2016 14:40:10 +0000 -Subject: [PATCH] Prevent integer overflows in capability checks - -The limits for capabilities are specified using 32 bit unsigned integers. -This could cause possible integer overflows causing buffer overflows. -For instance the sum of num_common_caps and num_caps can be 0 avoiding -additional checks. -As the link message is now capped to 4096 and the capabilities are -contained in the link message limit the capabilities to 1024 -(capabilities are expressed in number of uint32_t items). - -[Peter: fixes CVE-2016-9578] -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau -Signed-off-by: Peter Korsgaard ---- - server/reds.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index 86a33d53..91504544 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) - link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); - link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); - -+ /* Prevent DoS. Currently we defined only 13 capabilities, -+ * I expect 1024 to be valid for quite a lot time */ -+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { -+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); -+ reds_link_free(link); -+ return; -+ } -+ - num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; - caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); - --- -2.11.0 - 
diff --git a/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch deleted file mode 100644 index f602d5f3b1..0000000000 --- a/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 29 Nov 2016 16:46:56 +0000 -Subject: [PATCH] main-channel: Prevent overflow reading messages from client - -Caller is supposed the function return a buffer able to store -size bytes. - -[Peter: fixes CVE-2016-9577] -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau -Signed-off-by: Peter Korsgaard ---- - server/main_channel.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/main_channel.c b/server/main_channel.c -index 0ecc9df8..1fc39155 100644 ---- a/server/main_channel.c -+++ b/server/main_channel.c -@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, - - if (type == SPICE_MSGC_MAIN_AGENT_DATA) { - return reds_get_agent_data_buffer(mcc, size); -+ } else if (size > sizeof(main_chan->recv_buf)) { -+ /* message too large, caller will log a message and close the connection */ -+ return NULL; - } else { - return main_chan->recv_buf; - } --- -2.11.0 - diff --git a/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch deleted file mode 100644 index 070259f2bb..0000000000 --- a/package/spice/0004-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH] reds: Disconnect when receiving overly big - ClientMonitorsConfig - -Total message size received from the client was unlimited. There is -a 2kiB size check on individual agent messages, but the MonitorsConfig -message can be split in multiple chunks, and the size of the -non-chunked MonitorsConfig message was never checked. This could easily -lead to memory exhaustion on the host. - -Signed-off-by: Frediano Ziglio -Signed-off-by: Peter Korsgaard ---- - server/reds.c | 25 +++++++++++++++++++++++-- - 1 file changed, 23 insertions(+), 2 deletions(-) - -diff --git a/server/reds.c b/server/reds.c -index f439a366..7be85fdf 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -993,19 +993,34 @@ static void reds_client_monitors_config_cleanup(void) - static void reds_on_main_agent_monitors_config( - MainChannelClient *mcc, void *message, size_t size) - { -+ const unsigned int MAX_MONITORS = 256; -+ const unsigned int MAX_MONITOR_CONFIG_SIZE = -+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); -+ - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; - -+ // limit size of message sent by the client as this can cause a DoS through -+ // memory exhaustion, or potentially some integer overflows -+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { -+ goto overflow; -+ } - cmc->buffer_size += size; - cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); - spice_assert(cmc->buffer); - cmc->mcc = mcc; - memcpy(cmc->buffer + cmc->buffer_pos, message, size); - cmc->buffer_pos += size; -+ if (sizeof(VDAgentMessage) > cmc->buffer_size) { -+ spice_debug("not enough data yet. 
%d", cmc->buffer_size); -+ return; -+ } - msg_header = (VDAgentMessage *)cmc->buffer; -- if (sizeof(VDAgentMessage) > cmc->buffer_size || -- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { -+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { -+ goto overflow; -+ } -+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -@@ -1013,6 +1028,12 @@ static void reds_on_main_agent_monitors_config( - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); -+ return; -+ -+overflow: -+ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); -+ red_channel_client_disconnect(main_channel_client_get_base(mcc)); -+ reds_client_monitors_config_cleanup(); - } - - void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size) --- -2.11.0 - diff --git a/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch b/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch deleted file mode 100644 index 98740520c1..0000000000 --- a/package/spice/0005-reds-Avoid-integer-overflows-handling-monitor-config.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From ec6229c79abe05d731953df5f7e9a05ec9f6df79 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - -Signed-off-by: Frediano Ziglio -Signed-off-by: Peter Korsgaard ---- - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index 7be85fdf..e1c8c108 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1024,6 +1024,9 @@ static void reds_on_main_agent_monitors_config( - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { -+ goto overflow; -+ } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); --- -2.11.0 - diff --git a/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch deleted file mode 100644 index 212645b44f..0000000000 --- a/package/spice/0006-reds-Avoid-buffer-overflows-handling-monitor-configu.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - -Signed-off-by: Frediano Ziglio -Signed-off-by: Peter Korsgaard ---- - server/reds.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index e1c8c108..3a42c375 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1000,6 +1000,7 @@ static void reds_on_main_agent_monitors_config( - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; -+ uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1028,6 +1029,12 @@ static void reds_on_main_agent_monitors_config( - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+ // limit the monitor number to avoid buffer overflows -+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+ if (monitors_config->num_of_monitors > max_monitors) { -+ goto overflow; -+ } - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - red_dispatcher_client_monitors_config(monitors_config); - reds_client_monitors_config_cleanup(); --- -2.11.0 - diff --git a/package/spice/spice.hash b/package/spice/spice.hash index c9b591f41d..1a25926ab2 100644 --- a/package/spice/spice.hash 
+++ b/package/spice/spice.hash @@ -1,2 +1,2 @@ # Locally calculated -sha256 f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2 +sha256 1ead5de63d06eededed4017db37240f07bef0abffbaf621899647e7e685a1519 spice-0.14.1.tar.bz2 diff --git a/package/spice/spice.mk b/package/spice/spice.mk index 7b09f39fe7..16e57441a8 100644 --- a/package/spice/spice.mk +++ b/package/spice/spice.mk @@ -4,13 +4,14 @@ # ################################################################################ -SPICE_VERSION = 0.12.8 +SPICE_VERSION = 0.14.1 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2 -SPICE_SITE = http://www.spice-space.org/download/releases +SPICE_SITE = http://www.spice-space.org/download/releases/spice-server SPICE_LICENSE = LGPL-2.1+ SPICE_LICENSE_FILES = COPYING SPICE_INSTALL_STAGING = YES SPICE_DEPENDENCIES = \ + host-pkgconf \ jpeg \ libglib2 \ openssl \ @@ -20,9 +21,9 @@ SPICE_DEPENDENCIES = \ # We disable everything for now, because the dependency tree can become # quite deep if we try to enable some features, and I have not tested that. SPICE_CONF_OPTS = \ + --disable-gstreamer \ --disable-opengl \ --disable-smartcard \ - --disable-automated-tests \ --without-sasl \ --disable-manual @@ -42,6 +43,13 @@ else SPICE_CONF_OPTS += --disable-lz4 endif +ifeq ($(BR2_PACKAGE_OPUS),y) +SPICE_CONF_OPTS += --enable-opus +SPICE_DEPENDENCIES += opus +else +SPICE_CONF_OPTS += --disable-opus +endif + # no enable/disable, detected using pkg-config ifeq ($(BR2_PACKAGE_OPUS),y) SPICE_DEPENDENCIES += opus
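Review bot: the six files deleted from package/spice/ are removed on the strength of one line in the commit message, "Drop patches as they are now upstream", although 0001 and 0002 are tagged "[Peter: fixes CVE-2016-9578]", 0003 is tagged "[Peter: fixes CVE-2016-9577]", and 0004 to 0006 add the monitor-config size and num_of_monitors checks. For a security bump, the commit message should state which upstream release or commit carries each dropped fix, so a later reader can confirm that 0.14.1 does not regress those bounds checks.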
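Review bot: in the spice.hash hunk the new sha256 for spice-0.14.1.tar.bz2 is marked only "# Locally calculated", while SPICE_SITE in the spice.mk hunk stays on http://, so nothing visible ties the hash to an artifact authenticated by upstream. package/spice-protocol/spice-protocol.hash in this same series records "Locally calculated after checking pgp signature"; if upstream publishes a signature for the spice-server tarball, verify it and say so in the comment here as well.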
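Review bot: the last spice.mk hunk (@@ -42,6 +43,13 @@) adds an ifeq ($(BR2_PACKAGE_OPUS),y) block with --enable-opus / --disable-opus directly above the pre-existing block visible in the trailing context, "# no enable/disable, detected using pkg-config" followed by a second ifeq ($(BR2_PACKAGE_OPUS),y) with SPICE_DEPENDENCIES += opus. After this change opus is appended to SPICE_DEPENDENCIES twice and the old comment is no longer true; the old block should be removed in this patch.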