commit: d6418bd9306729c2497c17fe302f58965800897c Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> AuthorDate: Sun Apr 4 18:48:42 2021 +0000 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> CommitDate: Sun Apr 4 18:54:34 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6418bd9
app-emulation/spice: apply security patches for CVE-2020-14355 Bug: https://bugs.gentoo.org/746920 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Matthias Maier <tamiko <AT> gentoo.org> .../spice-0.14.3-CVE-2020-14355-404d7478.patch | 31 +++++++ .../spice-0.14.3-CVE-2020-14355-762e0aba.patch | 13 +++ .../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch | 18 ++++ .../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch | 17 ++++ app-emulation/spice/spice-0.14.3-r1.ebuild | 103 +++++++++++++++++++++ 5 files changed, 182 insertions(+) diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch new file mode 100644 index 00000000000..338f4e6ca65 --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch @@ -0,0 +1,31 @@ +diff --git a/common/quic.c b/common/quic.c +index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644 +--- a/subprojects/spice-common/common/quic.c ++++ b/subprojects/spice-common/common/quic.c +@@ -56,6 +56,9 @@ typedef uint8_t BYTE; + #define MINwminext 1 + #define MAXwminext 100000000 + ++/* Maximum image size in pixels, mainly to avoid possible integer overflows */ ++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1) ++ + typedef struct QuicFamily { + unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of + unmodified GR codewords in the code */ +@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w + height = encoder->io_word; + decode_eat32bits(encoder); + ++ if (width <= 0 || height <= 0) { ++ encoder->usr->warn(encoder->usr, "invalid size\n"); ++ return QUIC_ERROR; ++ } ++ ++ /* avoid too big images */ ++ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) { ++ encoder->usr->error(encoder->usr, "image too large\n"); ++ } ++ + quic_image_params(encoder, type, &channels, &bpc); + + if (!encoder_reset_channels(encoder, channels, width, bpc)) { diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch new file mode 100644 index 00000000000..ce79ef0043e --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch @@ -0,0 +1,13 @@ +diff --git a/common/quic.c b/common/quic.c +index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644 +--- a/subprojects/spice-common/common/quic.c ++++ b/subprojects/spice-common/common/quic.c +@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w + int channels; + int bpc; + +- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { ++ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) { + return QUIC_ERROR; + } + diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch new file mode 100644 index 00000000000..40127deda15 --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch @@ -0,0 +1,18 @@ +diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c +index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644 +--- a/subprojects/spice-common/common/quic_family_tmpl.c ++++ b/subprojects/spice-common/common/quic_family_tmpl.c +@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val) + { + spice_extra_assert(val < (0x1U << BPC)); + +- return channel->_buckets_ptrs[val]; ++ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious ++ * attempts. Is much faster then using comparisons and save us from such situations. ++ * Note that on normal build the check above won't be compiled as this code path ++ * is pretty hot and would cause speed regressions. ++ */ ++ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)]; + } + + #undef FNAME diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch new file mode 100644 index 00000000000..bc764ec23ce --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch @@ -0,0 +1,17 @@ +diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c +index ecd6f3f187c753a89b7dbb0657edc3ae82ffaaff..ebae992d642a657a7505b3ca0e8145310805f32f 100644 +--- a/subprojects/spice-common/common/quic_tmpl.c ++++ b/subprojects/spice-common/common/quic_tmpl.c +@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row, + do_run: + state->waitcnt = stopidx - i; + run_index = i; +- run_end = i + decode_state_run(encoder, state); ++ run_end = decode_state_run(encoder, state); ++ if (run_end < 0 || run_end > (end - i)) { ++ encoder->usr->error(encoder->usr, "wrong RLE\n"); ++ } ++ run_end += i; + + for (; i < run_end; i++) { + UNCOMPRESS_PIX_START(&cur_row[i]); diff --git a/app-emulation/spice/spice-0.14.3-r1.ebuild b/app-emulation/spice/spice-0.14.3-r1.ebuild new file mode 100644 index 00000000000..175926c76fb --- /dev/null +++ b/app-emulation/spice/spice-0.14.3-r1.ebuild @@ -0,0 +1,103 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{7,8} ) +inherit autotools python-any-r1 readme.gentoo-r1 xdg-utils + +DESCRIPTION="SPICE server" +HOMEPAGE="https://www.spice-space.org/"; +SRC_URI="https://www.spice-space.org/download/releases/spice-server/${P}.tar.bz2"; + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86" +IUSE="libressl lz4 sasl smartcard static-libs gstreamer" + +# the libspice-server only uses the headers of libcacard +RDEPEND=" + dev-lang/orc[static-libs(+)?] + >=dev-libs/glib-2.22:2[static-libs(+)?] + media-libs/opus[static-libs(+)?] + sys-libs/zlib[static-libs(+)?] + virtual/jpeg:0=[static-libs(+)?] + >=x11-libs/pixman-0.17.7[static-libs(+)?] + !libressl? ( dev-libs/openssl:0=[static-libs(+)?] ) + libressl? ( dev-libs/libressl:0=[static-libs(+)?] ) + lz4? ( app-arch/lz4:0=[static-libs(+)?] ) + smartcard? ( >=app-emulation/libcacard-0.1.2 ) + sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] ) + gstreamer? ( + media-libs/gstreamer:1.0 + media-libs/gst-plugins-base:1.0 + )" +DEPEND="${RDEPEND} + >=app-emulation/spice-protocol-0.14.0 + smartcard? ( app-emulation/qemu[smartcard] )" +BDEPEND="${PYTHON_DEPS} + virtual/pkgconfig + $(python_gen_any_dep ' + >=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}] + dev-python/six[${PYTHON_USEDEP}] + ')" + +python_check_deps() { + has_version -b ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]" + has_version -b "dev-python/six[${PYTHON_USEDEP}]" +} + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2020-14355-762e0aba.patch + "${FILESDIR}"/${P}-CVE-2020-14355-404d7478.patch + "${FILESDIR}"/${P}-CVE-2020-14355-ef1b6ff7.patch + "${FILESDIR}"/${P}-CVE-2020-14355-b24fe6b6.patch +) + +pkg_setup() { + [[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup +} + +src_prepare() { + default + + eautoreconf +} + +src_configure() { + # Prevent sandbox violations, bug #586560 + # https://bugzilla.gnome.org/show_bug.cgi?id=744134 + # https://bugzilla.gnome.org/show_bug.cgi?id=744135 + addpredict /dev + + xdg_environment_reset + + local myconf=" + $(use_enable static-libs static) + $(use_enable lz4) + $(use_with sasl) + $(use_enable smartcard) + --enable-gstreamer=$(usex gstreamer "1.0" "no") + --disable-celt051 + " + econf ${myconf} +} + +src_compile() { + # Prevent sandbox violations, bug #586560 + # https://bugzilla.gnome.org/show_bug.cgi?id=744134 + # https://bugzilla.gnome.org/show_bug.cgi?id=744135 + addpredict /dev + + default +} + +src_install() { + default + use static-libs || find "${D}" -name '*.la' -type f -delete || die + readme.gentoo_create_doc +} + +pkg_postinst() { + readme.gentoo_print_elog +}
