Hello community,

here is the log from the commit of package usbredir for openSUSE:Factory 
checked in at 2022-06-09 14:09:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/usbredir (Old)
 and      /work/SRC/openSUSE:Factory/.usbredir.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "usbredir"

Thu Jun  9 14:09:26 2022 rev:19 rq:981283 version:0.12.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/usbredir/usbredir.changes        2022-04-14 
17:23:45.855144087 +0200
+++ /work/SRC/openSUSE:Factory/.usbredir.new.1548/usbredir.changes      
2022-06-09 14:09:33.280348000 +0200
@@ -1,0 +2,7 @@
+Wed Jun  8 10:13:43 UTC 2022 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Add upstream backported patches:
+  + 9426fdb1.patch: Check header length unserialising data.
+  + dffc41c3.patch: usbredirect: fix leak on bad input.
+
+-------------------------------------------------------------------
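
Review bot: The two changelog bullets name the patches but not why they are being backported. The 9426fdb1 commit message says it avoids potential excessive allocations when the header length is very high, and dffc41c3 fixes leaks flagged as CWE-772; saying that here, along with a tracker reference if one exists, lets people scanning usbredir.changes see that this is a robustness update without opening the patch files.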

New:
----
  9426fdb1.patch
  dffc41c3.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ usbredir.spec ++++++
--- /var/tmp/diff_new_pack.kjzTvX/_old  2022-06-09 14:09:33.840348751 +0200
+++ /var/tmp/diff_new_pack.kjzTvX/_new  2022-06-09 14:09:33.844348756 +0200
@@ -26,7 +26,9 @@
 URL:            https://www.spice-space.org/usbredir.html
 Source:         
https://www.spice-space.org/download/usbredir/%{name}-%{version}.tar.xz
 Source1:        
https://www.spice-space.org/download/usbredir/%{name}-%{version}.tar.xz.sig
-Patch0:         0001-Use-D_FORTIFY_SOURCE-instead-of-Wp-D_FORTIFY_SOURCE.patch
+Patch0:         
https://gitlab.freedesktop.org/spice/usbredir/-/commit/9426fdb1.patch
+Patch1:         
https://gitlab.freedesktop.org/spice/usbredir/-/commit/dffc41c3.patch
+Patch2:         0001-Use-D_FORTIFY_SOURCE-instead-of-Wp-D_FORTIFY_SOURCE.patch
 BuildRequires:  gcc-c++
 BuildRequires:  glib2-devel >= 2.44
 BuildRequires:  meson >= 0.48
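
Review bot: Patch0 and Patch1 are referenced by GitLab commit URLs with 8-character abbreviated hashes, and unlike Source, which has Source1 as its .sig, nothing in the spec pins what those URLs return. Use the full 40-character commit ids in the URLs (they appear in the From lines of the two patch files). The existing FORTIFY patch also moves from Patch0 to Patch2, so any reference to it by number elsewhere in the spec has to follow.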
@@ -74,7 +76,7 @@
 of this protocol.
 
 %prep
-%autosetup -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 
 %build
 %meson
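
Review bot: The -p1 added to %autosetup applies to all three patches, not only the two new git-format ones, so 0001-Use-D_FORTIFY_SOURCE-instead-of-Wp-D_FORTIFY_SOURCE.patch, which was applied without -p1 before this change, now gets a different strip level. Confirm that patch carries a/ and b/ style paths and still applies; a build log line showing all three patches applied would settle it.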

++++++ 9426fdb1.patch ++++++
>From 9426fdb1a5d362b51c2c946681e94dba7e3bf3d9 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fredd...@gmail.com>
Date: Thu, 9 Sep 2021 11:02:24 +0100
Subject: [PATCH] Check header length unserialising data

Avoid unwanted packets.
The test for header length is moved outside the if.
If the header is not complete the number will contain 0 bytes so
a smaller number.
This avoids potential excessive allocations if the header length is
very high.

Signed-off-by: Frediano Ziglio <fredd...@gmail.com>
---
 usbredirparser/usbredirparser.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index b36608a..cd1136b 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -1881,21 +1881,22 @@ int usbredirparser_unserialize(struct usbredirparser 
*parser_pub,
     header_len = usbredirparser_get_header_len(parser_pub);
     data = (uint8_t *)&parser->header;
     i = header_len;
+    memset(&parser->header, 0, sizeof(parser->header));
     if (unserialize_data(parser, &state, &remain, &data, &i, "header")) {
         usbredirparser_assert_invariants(parser);
         return -1;
     }
+    if (parser->header.length > MAX_PACKET_SIZE) {
+        ERROR("packet length of %d larger than permitted %d bytes",
+              parser->header.length, MAX_PACKET_SIZE);
+        usbredirparser_assert_invariants(parser);
+        return -1;
+    }
     parser->header_read = i;
     parser->type_header_len = 0;
 
     /* Set various length field from the header (if any) */
     if (parser->header_read == header_len) {
-        if (parser->header.length > MAX_PACKET_SIZE) {
-            ERROR("packet length of %d larger than permitted %d bytes",
-                  parser->header.length, MAX_PACKET_SIZE);
-            return -1;
-        }
-
         int type_header_len =
             usbredirparser_get_type_header_len(parser_pub,
                                                parser->header.type, 0);
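
Review bot: The relocated check on parser->header.length now runs even when the header was only partially read, and it is meaningful only because of the memset(&parser->header, 0, sizeof(parser->header)) added above unserialize_data(); that dependency is explained in the commit message but not in the code. Add a short comment at the memset saying the zero fill is what makes the early length check safe on an incomplete header, so a later cleanup does not drop it as redundant. Separately, the ERROR format uses %d for parser->header.length; if that field is unsigned, oversized values (the case this check exists for) can print as negative numbers, so %u or a cast would make the log line accurate. The added usbredirparser_assert_invariants(parser) on the new error return is a good match for the error path just above it.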
-- 
GitLab


++++++ dffc41c3.patch ++++++
>From dffc41c30d2535d02b670de96a438755ed130876 Mon Sep 17 00:00:00 2001
From: Victor Toso <victort...@redhat.com>
Date: Mon, 15 Nov 2021 12:35:12 +0100
Subject: [PATCH] usbredirect: fix leak on bad input

Found by covscan:

    Error: RESOURCE_LEAK (CWE-772): [#def1] [important]
    usbredir-0.12.0/tools/usbredirect.c:55: alloc_fn: Storage is returned from 
allocation function "g_strsplit".
    usbredir-0.12.0/tools/usbredirect.c:55: var_assign: Assigning: "usbid" = 
storage returned from "g_strsplit(device, "-", 2)".
    usbredir-0.12.0/tools/usbredirect.c:76: leaked_storage: Variable "usbid" 
going out of scope leaks the storage it points to.
    #   74|           if (i == n) {
    #   75|               libusb_free_device_list(list, true);
    #   76|->             return false;
    #   77|           }
    #   78|

and

    Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
    usbredir-0.12.0/tools/usbredirect.c:55: alloc_fn: Storage is returned from 
allocation function "g_strsplit".
    usbredir-0.12.0/tools/usbredirect.c:55: var_assign: Assigning: "usbid" = 
storage returned from "g_strsplit(device, "-", 2)".
    usbredir-0.12.0/tools/usbredirect.c:85: leaked_storage: Variable "usbid" 
going out of scope leaks the storage it points to.
    #   83|
    #   84|           libusb_free_device_list(list, true);
    #   85|->         return true;
    #   86|       }
    #   87|

Signed-off-by: Victor Toso <victort...@redhat.com>
---
 tools/usbredirect.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/usbredirect.c b/tools/usbredirect.c
index 98e5a8c..5e2376c 100644
--- a/tools/usbredirect.c
+++ b/tools/usbredirect.c
@@ -59,6 +59,7 @@ parse_opt_device(const char *device, int *vendor, int 
*product)
         }
         gint64 bus = g_ascii_strtoll(usbid[0], NULL, 10);
         gint64 addr = g_ascii_strtoll(usbid[1], NULL, 10);
+        g_strfreev(usbid);
 
         libusb_device **list = NULL;
         ssize_t i, n;
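
Review bot: The added g_strfreev(usbid) covers the paths after the two g_ascii_strtoll() calls, but the block that closes with the } just above is not shown, and if it returns early on malformed input it needs its own free, which is the case the subject line "fix leak on bad input" suggests. Please confirm that branch releases usbid as well, or declare the variable as g_auto(GStrv) usbid so every return is covered (the spec already requires glib2-devel >= 2.44). Placing the free directly after the last use of usbid[0] and usbid[1] is correct for the two returns covscan reported at lines 76 and 85.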
-- 
GitLab
