
[2/4] spice: security bump to version 0.12.6

Message ID 20170621220744.18908-3-peter@korsgaard.com
State Accepted
Commit 622ff3d6ea63ca7c7aab7e5609cfb1e4190eff8a

Commit Message

Peter Korsgaard June 21, 2017, 10:07 p.m. UTC
Fixes the following security issues:

CVE-2015-3247: Race condition in the worker_update_monitors_config function
in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
of service (heap-based memory corruption and QEMU-KVM crash) or possibly
execute arbitrary code on the host via unspecified vectors.

CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to cause a denial of service (heap-based memory corruption
and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
commands related to the surface_id parameter.

CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to read and write to arbitrary memory locations on the host
via guest QXL commands related to surface creation.

Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
add Config.in.legacy handling for them.

Lz4 is a new optional dependency, so handle it.

The spice protocol definition is no longer included and instead used from
spice-protocol.  The build system uses pkg-config --variable=codegendir to
find the build time path of this, which doesn't take our STAGING_DIR prefix
into consideration, so it needs some help.  The installed protocol
definition will likewise be newer than the generated files, so we need to
work around that to ensure they are not regenerated (which needs host python
/ pyparsing).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 Config.in.legacy         | 16 ++++++++++++++++
 package/spice/Config.in  | 35 -----------------------------------
 package/spice/spice.hash |  2 +-
 package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
 4 files changed, 36 insertions(+), 57 deletions(-)

Comments

Yann E. MORIN June 22, 2017, 8:27 p.m. UTC | #1
Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2015-3247: Race condition in the worker_update_monitors_config function
> in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
> of service (heap-based memory corruption and QEMU-KVM crash) or possibly
> execute arbitrary code on the host via unspecified vectors.
> 
> CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to cause a denial of service (heap-based memory corruption
> and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
> commands related to the surface_id parameter.
> 
> CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to read and write to arbitrary memory locations on the host
> via guest QXL commands related to surface creation.
> 
> Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
> add Config.in.legacy handling for them.
> 
> Lz4 is a new optional dependency, so handle it.
> 
> The spice protocol definition is no longer included and instead used from
> spice-protocol.  The build system uses pkg-config --variable=codegendir to
> find the build time path of this, which doesn't take our STAGING_DIR prefix
> into consideration, so it needs some help.  The installed protocol
> definition will likewise be newer than the generated files, so we need to
> workaround that to ensure they are not regenerated (which needs host python
> / pyparsing).
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  Config.in.legacy         | 16 ++++++++++++++++
>  package/spice/Config.in  | 35 -----------------------------------
>  package/spice/spice.hash |  2 +-
>  package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
>  4 files changed, 36 insertions(+), 57 deletions(-)
> 
> diff --git a/Config.in.legacy b/Config.in.legacy
> index dc99b7c2eb..361d331dc9 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,22 @@ endif
>  ###############################################################################
>  comment "Legacy options removed in 2017.08"
>  
> +config BR2_PACKAGE_SPICE_CLIENT
> +	bool "spice client support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice client support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
> +config BR2_PACKAGE_SPICE_GUI
> +	bool "spice gui support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice gui support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
>  config BR2_PACKAGE_SPICE_TUNNEL
>  	bool "spice network redirection removed"
>  	select BR2_LEGACY
> diff --git a/package/spice/Config.in b/package/spice/Config.in
> index 220f9994da..2241b55b3d 100644
> --- a/package/spice/Config.in
> +++ b/package/spice/Config.in
> @@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
>  	  This package implements the server-part of Spice.
>  
>  	  http://www.spice-space.org/
> -
> -if BR2_PACKAGE_SPICE
> -
> -comment "client depends on X.org"
> -	depends on !BR2_PACKAGE_XORG7
> -
> -config BR2_PACKAGE_SPICE_CLIENT
> -	bool "Enable client"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on BR2_TOOLCHAIN_HAS_THREADS
> -	depends on BR2_INSTALL_LIBSTDCPP
> -	select BR2_PACKAGE_XLIB_LIBXFIXES
> -	select BR2_PACKAGE_XLIB_LIBXRANDR
> -	select BR2_PACKAGE_XLIB_LIBX11
> -	select BR2_PACKAGE_XLIB_LIBXEXT
> -	select BR2_PACKAGE_XLIB_LIBXRENDER
> -	select BR2_PACKAGE_ALSA_LIB
> -
> -comment "client needs a toolchain w/ threads, C++"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
> -
> -config BR2_PACKAGE_SPICE_GUI
> -	bool "Enable GUI"
> -	depends on BR2_PACKAGE_SPICE_CLIENT
> -	depends on !BR2_STATIC_LIBS
> -	select BR2_PACKAGE_CEGUI06
> -	help
> -	  Say 'y' here to enable the Graphical User Interface (GUI)
> -	  start dialog.
> -
> -comment "gui needs a toolchain w/ dynamic library"
> -	depends on BR2_STATIC_LIBS
> -
> -endif # BR2_PACKAGE_SPICE
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index 0a943f0332..04bd516689 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
>  # Locally calculated
> -sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
> +sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index ba76a14d61..f1fb46d29c 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SPICE_VERSION = 0.12.5
> +SPICE_VERSION = 0.12.6
>  SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
>  SPICE_SITE = http://www.spice-space.org/download/releases
>  SPICE_LICENSE = LGPL-2.1+
> @@ -35,38 +35,36 @@ else
>  SPICE_CONF_OPTS += --disable-celt051
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LZ4),y)
> +SPICE_CONF_OPTS += --enable-lz4
> +SPICE_DEPENDENCIES += lz4
> +else
> +SPICE_CONF_OPTS += --disable-lz4
> +endif
> +
>  # no enable/disable, detected using pkg-config
>  ifeq ($(BR2_PACKAGE_OPUS),y)
>  SPICE_DEPENDENCIES += opus
>  endif
>  
> -ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
> -SPICE_CONF_OPTS += --enable-client
> -SPICE_DEPENDENCIES += \
> -	xlib_libXfixes \
> -	xlib_libXrandr \
> -	xlib_libX11 \
> -	xlib_libXext \
> -	xlib_libXrender \
> -	alsa-lib
> -else
> -SPICE_CONF_OPTS += --disable-client
> -endif
> -
> -ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
> -SPICE_CONF_OPTS += --enable-gui
> -SPICE_DEPENDENCIES += cegui06
> -else
> -SPICE_CONF_OPTS += --disable-gui
> -endif
> +# build system uses pkg-config --variable=codegendir spice-protocol which
> +# returns the runtime path rather than build time, so it needs some help
> +SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
> +SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> +SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
>  
>  # spice uses a number of source files that are generated with python / pyparsing.
>  # The generated files are part of the tarball, so python / pyparsing isn't needed
>  # when building from the tarball, but the configure script gets confused and looks
>  # for the wrong file name to know if it needs to check for python / pyparsing,
> -# so convince it they aren't needed
> +# so convince it they aren't needed.
> +# It will also regenerate these files if the spice-protocol protocol definition
> +# is newer than the generated files (which it will be when spice-protocol
> +# installs it to staging), so ensure their timestamp is updated to skip this.
>  define SPICE_NO_PYTHON_PYPARSING
> +	mkdir -p $(@D)/client
>  	touch $(@D)/client/generated_marshallers.cpp
> +	touch $(@D)/spice-common/common/generated_*
>  endef
>  
>  SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
> -- 
> 2.11.0
>

Patch

diff --git a/Config.in.legacy b/Config.in.legacy
index dc99b7c2eb..361d331dc9 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,22 @@  endif
 ###############################################################################
 comment "Legacy options removed in 2017.08"
 
+config BR2_PACKAGE_SPICE_CLIENT
+	bool "spice client support removed"
+	select BR2_LEGACY
+	help
+	  Spice client support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
+config BR2_PACKAGE_SPICE_GUI
+	bool "spice gui support removed"
+	select BR2_LEGACY
+	help
+	  Spice gui support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
 config BR2_PACKAGE_SPICE_TUNNEL
 	bool "spice network redirection removed"
 	select BR2_LEGACY
diff --git a/package/spice/Config.in b/package/spice/Config.in
index 220f9994da..2241b55b3d 100644
--- a/package/spice/Config.in
+++ b/package/spice/Config.in
@@ -22,38 +22,3 @@  config BR2_PACKAGE_SPICE
 	  This package implements the server-part of Spice.
 
 	  http://www.spice-space.org/
-
-if BR2_PACKAGE_SPICE
-
-comment "client depends on X.org"
-	depends on !BR2_PACKAGE_XORG7
-
-config BR2_PACKAGE_SPICE_CLIENT
-	bool "Enable client"
-	depends on BR2_PACKAGE_XORG7
-	depends on BR2_TOOLCHAIN_HAS_THREADS
-	depends on BR2_INSTALL_LIBSTDCPP
-	select BR2_PACKAGE_XLIB_LIBXFIXES
-	select BR2_PACKAGE_XLIB_LIBXRANDR
-	select BR2_PACKAGE_XLIB_LIBX11
-	select BR2_PACKAGE_XLIB_LIBXEXT
-	select BR2_PACKAGE_XLIB_LIBXRENDER
-	select BR2_PACKAGE_ALSA_LIB
-
-comment "client needs a toolchain w/ threads, C++"
-	depends on BR2_PACKAGE_XORG7
-	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
-
-config BR2_PACKAGE_SPICE_GUI
-	bool "Enable GUI"
-	depends on BR2_PACKAGE_SPICE_CLIENT
-	depends on !BR2_STATIC_LIBS
-	select BR2_PACKAGE_CEGUI06
-	help
-	  Say 'y' here to enable the Graphical User Interface (GUI)
-	  start dialog.
-
-comment "gui needs a toolchain w/ dynamic library"
-	depends on BR2_STATIC_LIBS
-
-endif # BR2_PACKAGE_SPICE
diff --git a/package/spice/spice.hash b/package/spice/spice.hash
index 0a943f0332..04bd516689 100644
--- a/package/spice/spice.hash
+++ b/package/spice/spice.hash
@@ -1,2 +1,2 @@ 
 # Locally calculated
-sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
+sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
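Review bot: `# Locally calculated` is the only provenance recorded for the new sha256, and `SPICE_SITE` in spice.mk is a plain `http://` URL, so the pin is only as trustworthy as the one download it was computed from. For a security bump it would help to check the tarball against a signature or checksum published by upstream for 0.12.6, if one exists, and to say so in the comment, for example `# Locally calculated after checking the upstream signature`. Failing that, computing the value from an HTTPS fetch (if the site offers one) narrows the window. Once the value is right the hash protects every later build; the concern is only how the initial value was obtained.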
diff --git a/package/spice/spice.mk b/package/spice/spice.mk
index ba76a14d61..f1fb46d29c 100644
--- a/package/spice/spice.mk
+++ b/package/spice/spice.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-SPICE_VERSION = 0.12.5
+SPICE_VERSION = 0.12.6
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPL-2.1+
@@ -35,38 +35,36 @@  else
 SPICE_CONF_OPTS += --disable-celt051
 endif
 
+ifeq ($(BR2_PACKAGE_LZ4),y)
+SPICE_CONF_OPTS += --enable-lz4
+SPICE_DEPENDENCIES += lz4
+else
+SPICE_CONF_OPTS += --disable-lz4
+endif
+
 # no enable/disable, detected using pkg-config
 ifeq ($(BR2_PACKAGE_OPUS),y)
 SPICE_DEPENDENCIES += opus
 endif
 
-ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
-SPICE_CONF_OPTS += --enable-client
-SPICE_DEPENDENCIES += \
-	xlib_libXfixes \
-	xlib_libXrandr \
-	xlib_libX11 \
-	xlib_libXext \
-	xlib_libXrender \
-	alsa-lib
-else
-SPICE_CONF_OPTS += --disable-client
-endif
-
-ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
-SPICE_CONF_OPTS += --enable-gui
-SPICE_DEPENDENCIES += cegui06
-else
-SPICE_CONF_OPTS += --disable-gui
-endif
+# build system uses pkg-config --variable=codegendir spice-protocol which
+# returns the runtime path rather than build time, so it needs some help
+SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
+SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
+SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
 
 # spice uses a number of source files that are generated with python / pyparsing.
 # The generated files are part of the tarball, so python / pyparsing isn't needed
 # when building from the tarball, but the configure script gets confused and looks
 # for the wrong file name to know if it needs to check for python / pyparsing,
-# so convince it they aren't needed
+# so convince it they aren't needed.
+# It will also regenerate these files if the spice-protocol protocol definition
+# is newer than the generated files (which it will be when spice-protocol
+# installs it to staging), so ensure their timestamp is updated to skip this.
 define SPICE_NO_PYTHON_PYPARSING
+	mkdir -p $(@D)/client
 	touch $(@D)/client/generated_marshallers.cpp
+	touch $(@D)/spice-common/common/generated_*
 endef
 
 SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
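Review bot: The added `touch $(@D)/spice-common/common/generated_*` in `SPICE_NO_PYTHON_PYPARSING` relies on the shell glob matching. If a later bump moves or renames those files, `touch` creates a file literally named `generated_*` and the hook still succeeds. The build would then reach the regeneration path that the comment says needs host python / pyparsing, and fail far from the cause. A guard line before it, such as `ls $(@D)/spice-common/common/generated_* >/dev/null`, would make the hook fail on the spot. The new `mkdir -p $(@D)/client` also has no explanation; presumably the `client/` directory is no longer in the tarball, and a comment like `# client/ is gone upstream, but configure still looks for this file` would record that.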