Date: Wednesday, July 10, 2019 @ 02:12:02 Author: anatolik Revision: 357491
upgpkg: spice 0.14.2-1 Modified: spice/trunk/PKGBUILD Deleted: spice/trunk/CVE-2019-3813.patch ---------------------+ CVE-2019-3813.patch | 50 -------------------------------------------------- PKGBUILD | 23 +++++++---------------- 2 files changed, 7 insertions(+), 66 deletions(-) Deleted: CVE-2019-3813.patch =================================================================== --- CVE-2019-3813.patch 2019-07-09 21:35:19 UTC (rev 357490) +++ CVE-2019-3813.patch 2019-07-10 02:12:02 UTC (rev 357491) @@ -1,50 +0,0 @@ -commit 42f658a48b675de736317b28bcc2061508f407c3 -Author: Christophe Fergeau <[email protected]> -Date: Thu Nov 29 14:18:39 2018 +0100 - - memslot: Fix off-by-one error in group/slot boundary check - - RedMemSlotInfo keeps an array of groups, and each group contains an - array of slots. Unfortunately, these checks are off by 1, they check - that the index is greater or equal to the number of elements in the - array, while these arrays are 0 based. The check should only check for - strictly greater than the number of elements. - - For the group array, this is not a big issue, as these memslot groups - are created by spice-server users (eg QEMU), and the group ids used to - index that array are also generated by the spice-server user, so it - should not be possible for the guest to set them to arbitrary values. - - The slot id is more problematic, as it's calculated from a QXLPHYSICAL - address, and such addresses are usually set by the guest QXL driver, so - the guest can set these to arbitrary values, including malicious values, - which are probably easy to build from the guest PCI configuration. - - This patch fixes the arrays bound check, and adds a test case for this. - This fixes CVE-2019-3813. - - Signed-off-by: Christophe Fergeau <[email protected]> - Acked-by: Frediano Ziglio <[email protected]> - -diff --git a/server/memslot.c b/server/memslot.c -index 7074b432..8c59c383 100644 ---- a/server/memslot.c -+++ b/server/memslot.c -@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t - MemSlot *slot; - - *error = 0; -- if (group_id > info->num_memslots_groups) { -+ if (group_id >= info->num_memslots_groups) { - spice_critical("group_id too big"); - *error = 1; - return 0; - } - - slot_id = memslot_get_id(info, addr); -- if (slot_id > info->num_memslots) { -+ if (slot_id >= info->num_memslots) { - print_memslots(info); - spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); - *error = 1; - Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-07-09 21:35:19 UTC (rev 357490) +++ PKGBUILD 2019-07-10 02:12:02 UTC (rev 357491) @@ -2,8 +2,8 @@ # Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws> pkgname=spice -pkgver=0.14.0 -pkgrel=3 +pkgver=0.14.2 +pkgrel=1 pkgdesc="SPICE server" arch=('x86_64') url="https://www.spice-space.org"; @@ -10,23 +10,14 @@ license=('LGPL2.1') depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4) makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard) -source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2 - https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign - CVE-2019-3813.patch) -sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848' - 'SKIP' - '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39') -validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau (teuf) <[email protected]> +source=(https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2{,.sign}) +sha256sums=('b203b3882e06f4c7249a3150d90c84e1a90490d41ead255a3d2cede46f4a29a7' + 'SKIP') +validpgpkeys=(206D3B352F566F3B0E6572E997D9123DE37A484F) # Victor Toso de Carvalho <[email protected]> -prepare() { - cd spice-$pkgver - # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f - patch -p1 < ../CVE-2019-3813.patch -} - build() { cd spice-$pkgver - PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --disable-werror + PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --enable-celt051 --disable-werror make }
