Hello community, here is the log from the commit of package spice-gtk for openSUSE:Factory checked in at 2015-06-06 09:53:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice-gtk (Old) and /work/SRC/openSUSE:Factory/.spice-gtk.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice-gtk" Changes: -------- --- /work/SRC/openSUSE:Factory/spice-gtk/spice-gtk.changes 2015-04-03 14:32:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.spice-gtk.new/spice-gtk.changes 2015-06-06 09:53:42.000000000 +0200 @@ -1,0 +2,7 @@ +Fri Jun 5 08:30:10 UTC 2015 - [email protected] + +- Check for passwords longer than what spice protocol allows to + help reporting the error to the user. + password-length-check.patch. boo#931044 + +------------------------------------------------------------------- New: ---- password-length-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice-gtk.spec ++++++ --- /var/tmp/diff_new_pack.aOCfZF/_old 2015-06-06 09:53:43.000000000 +0200 +++ /var/tmp/diff_new_pack.aOCfZF/_new 2015-06-06 09:53:43.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package spice-gtk # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2011 Dominique Leuenberger, Amsterdam, The Netherlands. # # All modifications and additions to the file contributed by third parties @@ -28,6 +28,8 @@ Source: http://spice-space.org/download/gtk/%{name}-%{version}.tar.bz2 # PATCH-FIX-OPENSUSE spice-gtk-polkit-privs.patch bnc#804184 [email protected] -- Set the polkit defaults to auth_admin Patch0: spice-gtk-polkit-privs.patch +# PATCH-FIX-UPSTREAM password-length-check.patch boo#931044 [email protected] -- Check max password length +Patch1: password-length-check.patch BuildRequires: cyrus-sasl-devel BuildRequires: intltool BuildRequires: libacl-devel @@ -143,6 +145,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 # Replace usbredirhost with usbredirhost-0.5... fail if no longer needed grep usbredirhost-0.5 configure && false sed -i "s:libusbredirparser:libusbredirparser-0.5:g" configure{.ac,} ++++++ password-length-check.patch ++++++ >From 76e29290a2130d5c78ebb4032bd019c83151ef48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?= <[email protected]> Date: Fri, 22 May 2015 17:58:08 +0200 Subject: [PATCH] Check too long password Make sure that the password length is under the maximum lenght. If not report it as an authentication failure with an adapted message. --- gtk/spice-channel.c | 77 +++++++++++++++++++++++++++++++++-------------------- 1 file changed, 48 insertions(+), 29 deletions(-) diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c index 4e7d8b7..a835c10 100644 --- a/gtk/spice-channel.c +++ b/gtk/spice-channel.c @@ -1010,7 +1010,34 @@ static int spice_channel_read(SpiceChannel *channel, void *data, size_t length) } /* coroutine context */ -static void spice_channel_send_spice_ticket(SpiceChannel *channel) +static void spice_channel_failed_authentication(SpiceChannel *channel, + gboolean invalidPassword) +{ + SpiceChannelPrivate *c = channel->priv; + + if (c->auth_needs_username_and_password) + g_set_error_literal(&c->error, + SPICE_CLIENT_ERROR, + SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME, + _("Authentication failed: password and username are required")); + else if (invalidPassword) + g_set_error_literal(&c->error, + SPICE_CLIENT_ERROR, + SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD, + _("Authentication failed: password is too long")); + else + g_set_error_literal(&c->error, + SPICE_CLIENT_ERROR, + SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD, + _("Authentication failed: password is required")); + + c->event = SPICE_CHANNEL_ERROR_AUTH; + + c->has_error = TRUE; /* force disconnect */ +} + +/* coroutine context */ +static SpiceChannelEvent spice_channel_send_spice_ticket(SpiceChannel *channel) { SpiceChannelPrivate *c = channel->priv; EVP_PKEY *pubkey; @@ -1020,13 +1047,14 @@ static void spice_channel_send_spice_ticket(SpiceChannel *channel) char *password; uint8_t *encrypted; int rc; + SpiceChannelEvent ret = SPICE_CHANNEL_ERROR_LINK; bioKey = BIO_new(BIO_s_mem()); - g_return_if_fail(bioKey != NULL); + g_return_val_if_fail(bioKey != NULL, ret); BIO_write(bioKey, c->peer_msg->pub_key, SPICE_TICKET_PUBKEY_BYTES); pubkey = d2i_PUBKEY_bio(bioKey, NULL); - g_return_if_fail(pubkey != NULL); + g_return_val_if_fail(pubkey != NULL, ret); rsa = pubkey->pkey.rsa; nRSASize = RSA_size(rsa); @@ -1039,36 +1067,24 @@ static void spice_channel_send_spice_ticket(SpiceChannel *channel) g_object_get(c->session, "password", &password, NULL); if (password == NULL) password = g_strdup(""); + if (strlen(password) > SPICE_MAX_PASSWORD_LENGTH) { + spice_channel_failed_authentication(channel, TRUE); + ret = SPICE_CHANNEL_ERROR_AUTH; + goto cleanup; + } rc = RSA_public_encrypt(strlen(password) + 1, (uint8_t*)password, encrypted, rsa, RSA_PKCS1_OAEP_PADDING); g_warn_if_fail(rc > 0); spice_channel_write(channel, encrypted, nRSASize); + ret = SPICE_CHANNEL_NONE; + +cleanup: memset(encrypted, 0, nRSASize); EVP_PKEY_free(pubkey); BIO_free(bioKey); g_free(password); -} - -/* coroutine context */ -static void spice_channel_failed_authentication(SpiceChannel *channel) -{ - SpiceChannelPrivate *c = channel->priv; - - if (c->auth_needs_username_and_password) - g_set_error_literal(&c->error, - SPICE_CLIENT_ERROR, - SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD_AND_USERNAME, - _("Authentication failed: password and username are required")); - else - g_set_error_literal(&c->error, - SPICE_CLIENT_ERROR, - SPICE_CLIENT_ERROR_AUTH_NEEDS_PASSWORD, - _("Authentication failed: password is required")); - - c->event = SPICE_CHANNEL_ERROR_AUTH; - - c->has_error = TRUE; /* force disconnect */ + return ret; } /* coroutine context */ @@ -1088,7 +1104,7 @@ static gboolean spice_channel_recv_auth(SpiceChannel *channel) if (link_res != SPICE_LINK_ERR_OK) { CHANNEL_DEBUG(channel, "link result: reply %d", link_res); - spice_channel_failed_authentication(channel); + spice_channel_failed_authentication(channel, FALSE); return FALSE; } @@ -1662,7 +1678,7 @@ error: if (saslconn) sasl_dispose(&saslconn); - spice_channel_failed_authentication(channel); + spice_channel_failed_authentication(channel, FALSE); ret = FALSE; cleanup: @@ -1681,6 +1697,7 @@ static gboolean spice_channel_recv_link_msg(SpiceChannel *channel) SpiceChannelPrivate *c; int rc, num_caps, i; uint32_t *caps; + SpiceChannelEvent event = SPICE_CHANNEL_ERROR_LINK; g_return_val_if_fail(channel != NULL, FALSE); g_return_val_if_fail(channel->priv != NULL, FALSE); @@ -1733,7 +1750,8 @@ static gboolean spice_channel_recv_link_msg(SpiceChannel *channel) if (!spice_channel_test_common_capability(channel, SPICE_COMMON_CAP_PROTOCOL_AUTH_SELECTION)) { CHANNEL_DEBUG(channel, "Server supports spice ticket auth only"); - spice_channel_send_spice_ticket(channel); + if ((event = spice_channel_send_spice_ticket(channel)) != SPICE_CHANNEL_NONE) + goto error; } else { SpiceLinkAuthMechanism auth = { 0, }; @@ -1749,7 +1767,8 @@ static gboolean spice_channel_recv_link_msg(SpiceChannel *channel) if (spice_channel_test_common_capability(channel, SPICE_COMMON_CAP_AUTH_SPICE)) { auth.auth_mechanism = SPICE_COMMON_CAP_AUTH_SPICE; spice_channel_write(channel, &auth, sizeof(auth)); - spice_channel_send_spice_ticket(channel); + if ((event = spice_channel_send_spice_ticket(channel)) != SPICE_CHANNEL_NONE) + goto error; } else { g_warning("No compatible AUTH mechanism"); goto error; @@ -1762,7 +1781,7 @@ static gboolean spice_channel_recv_link_msg(SpiceChannel *channel) error: c->has_error = TRUE; - c->event = SPICE_CHANNEL_ERROR_LINK; + c->event = event; return FALSE; } -- 2.1.4
