Hello community, here is the log from the commit of package spice for openSUSE:Factory checked in at 2016-10-22 13:02:17 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice (Old) and /work/SRC/openSUSE:Factory/.spice.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice" Changes: -------- --- /work/SRC/openSUSE:Factory/spice/spice.changes 2016-04-15 19:04:58.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.spice.new/spice.changes 2016-10-22 13:02:18.000000000 +0200 @@ -1,0 +2,6 @@ +Sat Oct 8 19:36:49 UTC 2016 - [email protected] + +- Update to version 0.12.8: + + Fixes for CVE-2016-0749 and CVE-2016-2150. + +------------------------------------------------------------------- Old: ---- spice-0.12.7.tar.bz2 New: ---- spice-0.12.8.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice.spec ++++++ --- /var/tmp/diff_new_pack.w4oswe/_old 2016-10-22 13:02:19.000000000 +0200 +++ /var/tmp/diff_new_pack.w4oswe/_new 2016-10-22 13:02:19.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package spice # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ # Common info Name: spice -Version: 0.12.7 +Version: 0.12.8 Release: 0 Summary: SPICE client and server library License: LGPL-2.1+ ++++++ spice-0.12.7.tar.bz2 -> spice-0.12.8.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/.tarball-version new/spice-0.12.8/.tarball-version --- old/spice-0.12.7/.tarball-version 2016-04-14 18:04:18.000000000 +0200 +++ new/spice-0.12.8/.tarball-version 2016-07-13 15:58:30.000000000 +0200 @@ -1 +1 @@ -0.12.7 +0.12.8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/.version new/spice-0.12.8/.version --- old/spice-0.12.7/.version 2016-04-08 18:17:10.000000000 +0200 +++ new/spice-0.12.8/.version 2016-07-06 18:28:11.000000000 +0200 
@@ -1 +1 @@ -0.13.1-dirty +0.13.1.279-a68c8-dirty diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/ChangeLog new/spice-0.12.8/ChangeLog --- old/spice-0.12.7/ChangeLog 2016-04-14 18:04:18.000000000 +0200 +++ new/spice-0.12.8/ChangeLog 2016-07-13 15:58:30.000000000 +0200 
@@ -1,3 +1,141 @@ +2016-07-13 Frediano Ziglio <[email protected]> + + worker: don't process drawable if it can't be allocated + Acked-by: Fabiano Fidêncio <[email protected]> + (cherry picked from commit 63b8ea5afba5c6eb1b9825b06f2006930c318aed) + +2016-07-13 Marc-André Lureau <[email protected]> + + worker: remove assertion on alloc_drawable + There is no guarantee in the code that this can't be hit, so we should + cope with it (the condition can be reached easily by running the server + without waiting for blocked clients or pipe size) + + The following commit will attempt to address this. + + Acked-by: Frediano Ziglio <[email protected]> + Acked-by: Christophe Fergeau <[email protected]> + (cherry picked from commit 5c7e248445f95c3fa2627532780950cf604b9e20) + +2016-07-08 Christophe Fergeau <[email protected]> + + Update NEWS for 0.12.8 release + +2016-07-07 Marc-Andre Lureau <[email protected]> + + smartcard: allocate msg with the expected size + This is related to CVE-2016-0749 + + ==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0 + WRITE of size 4 at 0x60040009c098 thread T0 + #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 + #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 + #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 + #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 + #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 + #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 + #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 + #7 0x555555c3b800 in main_loop_wait 
/home/elmarco/src/qemu/main-loop.c:504 + #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 + #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 + #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 + #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) + 0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098) + allocated by thread T0 here: + #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92 + #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123 + #2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516 + #3 0x7fffee004e87 in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557 + #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325 + #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 + #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 + #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 + #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 + #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 + #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 + SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add + + smartcard: add a ref to item before adding to pipe + 
There is an unref when the message is sent. + + This is related to CVE-2016-0749 + + ==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffffffc630 sp 0x7fffffffc620 + READ of size 4 at 0x6008000144a8 thread T0 + #0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608 + #1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178 + #2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330 + #3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 + #4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 + #5 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 + #6 0x5555559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220 + #7 0x555555b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76 + #8 0x555555b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91 + #9 0x555555b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242 + #10 0x555555b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289 + #11 0x55555593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41 + #12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477 + #13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629 + #14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675 + #15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add /home/elmarco/src/spice/spice/server/smartcard.c:341 + #16 0x7fffee0ce4f3 in smartcard_add_reader 
/home/elmarco/src/spice/spice/server/smartcard.c:648 + #17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763 + #18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307 + #19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325 + #20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566 + #21 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 + #22 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 + #23 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 + #24 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 + #25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 + #26 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) + 0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8) + freed by thread T0 here: + #0 0x7ffff4e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61 + #1 0x7fffee0ce2a1 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:610 + #2 0x7fffee0cdd58 in smartcard_channel_release_pipe_item /home/elmarco/src/spice/spice/server/smartcard.c:548 + #3 0x7fffee000668 in red_channel_client_release_item /home/elmarco/src/spice/spice/server/red-channel.c:602 + #4 0x7fffee0006ef in red_channel_client_release_sent_item /home/elmarco/src/spice/spice/server/red-channel.c:609 + #5 0x7fffee0007b5 in red_channel_peer_on_out_msg_done /home/elmarco/src/spice/spice/server/red-channel.c:620 + #6 0x7fffedffed7e in red_peer_handle_outgoing /home/elmarco/src/spice/spice/server/red-channel.c:385 + #7 0x7fffee0057bb in red_channel_client_send 
/home/elmarco/src/spice/spice/server/red-channel.c:1294 + #8 0x7fffee0076e6 in red_channel_client_begin_send_message /home/elmarco/src/spice/spice/server/red-channel.c:1605 + #9 0x7fffee0cdccd in smartcard_channel_send_item /home/elmarco/src/spice/spice/server/smartcard.c:541 + #10 0x7fffee000570 in red_channel_client_send_item /home/elmarco/src/spice/spice/server/red-channel.c:588 + #11 0x7fffee005bfb in red_channel_client_push /home/elmarco/src/spice/spice/server/red-channel.c:1347 + #12 0x7fffee007ef7 in red_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/red-channel.c:1673 + #13 0x7fffee0cde4d in smartcard_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/smartcard.c:571 + #14 0x7fffee0cb567 in smartcard_send_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:187 + #15 0x7fffedfcdba2 in spice_char_device_send_msg_to_clients /home/elmarco/src/spice/spice/server/char-device.c:282 + #16 0x7fffedfcdea4 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:329 + #17 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 + #18 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 + #19 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 + +2016-07-01 Frediano Ziglio <[email protected]> + + improve primary surface parameter checks + Primary surface, as additional surfaces, can be used to access + host memory from the guest using invalid parameters. + + The removed warning is not enough to prevent all cases. Also a warning + is not enough to stop an escalation to happen. 
+ The red_validate_surface do different checks to make sure surface + request is valid and not cause possible buffer/integer overflows: + - format is valid; + - width is not large to cause overflow compared to stride; + - stride is not -2^31 (a number which negate is still <0); + - stride * height does not overflow. + + This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1312980. + + Acked-by: Christophe Fergeau <[email protected]> + + factor out red_validate_surface function to validate surface parameters + Make possible to reuse it outside red-parse-qxl.c. + + Acked-by: Christophe Fergeau <[email protected]> + 2016-04-14 Christophe Fergeau <[email protected]> Revert "Set TCP_KEEPINTVL when enabling TCP keepalive" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/NEWS new/spice-0.12.8/NEWS --- old/spice-0.12.7/NEWS 2016-04-14 16:09:30.000000000 +0200 +++ new/spice-0.12.8/NEWS 2016-07-13 13:56:56.000000000 +0200 @@ -1,3 +1,7 @@ +Changes in 0.12.8: +================== +* Fixes for CVE-2016-0749 and CVE-2016-2150 + Changes in 0.12.7: ================== * spice-server will now send TCP keepalive probes on the TCP connections it diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/aclocal.m4 new/spice-0.12.8/aclocal.m4 --- old/spice-0.12.7/aclocal.m4 2016-04-14 17:47:16.000000000 +0200 +++ new/spice-0.12.8/aclocal.m4 2016-07-13 15:55:14.000000000 +0200 @@ -21,7 +21,7 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])]) dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29.1) +dnl serial 11 (pkg-config-0.29) dnl dnl Copyright © 2004 Scott James Remnant <[email protected]>. dnl Copyright © 2012-2015 Dan Nicholson <[email protected]> 
@@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun([PKG_PREREQ], -[m4_define([PKG_MACROS_VERSION], [0.29.1]) +[m4_define([PKG_MACROS_VERSION], [0.29]) m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ])dnl PKG_PREREQ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/configure new/spice-0.12.8/configure --- old/spice-0.12.7/configure 2016-04-14 17:47:17.000000000 +0200 +++ new/spice-0.12.8/configure 2016-07-13 15:55:16.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for spice 0.12.7. +# Generated by GNU Autoconf 2.69 for spice 0.12.8. # # Report bugs to <[email protected]>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='spice' PACKAGE_TARNAME='spice' -PACKAGE_VERSION='0.12.7' -PACKAGE_STRING='spice 0.12.7' +PACKAGE_VERSION='0.12.8' +PACKAGE_STRING='spice 0.12.8' PACKAGE_BUGREPORT='[email protected]' PACKAGE_URL='' @@ -1399,7 +1399,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures spice 0.12.7 to adapt to many kinds of systems. +\`configure' configures spice 0.12.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1469,7 +1469,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of spice 0.12.7:";; + short | recursive ) echo "Configuration of spice 0.12.8:";; esac cat <<\_ACEOF @@ -1622,7 +1622,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -spice configure 0.12.7 +spice configure 0.12.8 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2045,7 +2045,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by spice $as_me 0.12.7, which was +It was created by spice $as_me 0.12.8, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3046,7 +3046,7 @@ # Define the identity of the package. PACKAGE='spice' - VERSION='0.12.7' + VERSION='0.12.8' cat >>confdefs.h <<_ACEOF @@ -16637,7 +16637,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by spice $as_me 0.12.7, which was +This file was extended by spice $as_me 0.12.8, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16703,7 +16703,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -spice config.status 0.12.7 +spice config.status 0.12.8 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/docs/manual/manual.chunked/ar01s02.html new/spice-0.12.8/docs/manual/manual.chunked/ar01s02.html --- old/spice-0.12.7/docs/manual/manual.chunked/ar01s02.html 2016-04-14 12:18:54.000000000 +0200 +++ new/spice-0.12.8/docs/manual/manual.chunked/ar01s02.html 2016-07-13 15:56:22.000000000 +0200 
@@ -54,4 +54,4 @@ client. The example connection will be related to the qemu instance started in the previous sections.</p><p>Be aware that the port used for spice communication (port 3001 in our case) should not be blocked by firewall. Host <code class="literal">myhost</code> is referring to -the machine which is running our qemu instance.</p><pre class="programlisting">client$ remote-viewer spice://myhost:3001</pre><div class="figure"><a id="idm140445490091408"></a><p class="title"><strong>Figure 1. Established connection to Windows 2008 guest</strong></p><div class="figure-contents"><div class="mediaobject"><img src="images/spicec01.png" alt="images/spicec01.png" /></div></div></div><br class="figure-break" /></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ar01s01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ar01s03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> \ No newline at end of file +the machine which is running our qemu instance.</p><pre class="programlisting">client$ remote-viewer spice://myhost:3001</pre><div class="figure"><a id="idm140478687311568"></a><p class="title"><strong>Figure 1. 
Established connection to Windows 2008 guest</strong></p><div class="figure-contents"><div class="mediaobject"><img src="images/spicec01.png" alt="images/spicec01.png" /></div></div></div><br class="figure-break" /></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ar01s01.html">Prev</a> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ar01s03.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top"> </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> </td></tr></table></div></body></html> \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/docs/manual/manual.chunked/index.html new/spice-0.12.8/docs/manual/manual.chunked/index.html --- old/spice-0.12.7/docs/manual/manual.chunked/index.html 2016-04-14 12:18:54.000000000 +0200 +++ new/spice-0.12.8/docs/manual/manual.chunked/index.html 2016-07-13 15:56:22.000000000 +0200 
@@ -1,4 +1,4 @@ <?xml version="1.0" encoding="UTF-8" standalone="no"?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Spice User Manual</title><link rel="stylesheet" type="text/css" href="docbook-xsl.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /><link rel="home" href="index.html" title="Spice User Manual" /><link rel="next" href="ar01s01.html" title="1. Introduction" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ar01s01.html">Next</a></td></tr></table><hr /></div><div xml:lang="en" class="article" lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="idm140445495521872"></a>Spice User Manual</h2></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="ar01s01.html">1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s01.html#_spice_and_spice_related_components">1.1. Spice and Spice-related components</a></span></dt><dt><span class="section"><a href="ar01s01.html#_features">1.2. Features</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s02.html">2. Using Spice</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s02.html#_running_qemu_manually">2.1. Running qemu manually</a></span></dt><dt><span class="section"><a href="ar01s02.html#_basic_configuration">2.2. Basic configuration</a></span></dt><dt><span class="section"><a href="ar01s02.html#_connecting_to_the_guest">2.3. Connecting to the guest</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s03.html">3. 
Ticketing</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s03.html#_configuration">3.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s03.html#_client">3.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s04.html">4. Agent</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s04.html#_configuration_2">4.1. Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s05.html">5. USB redirection</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s05.html#_configuration_3">5.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s05.html#_client_2">5.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s06.html">6. CAC smartcard redirection</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s06.html#_configuration_4">6.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s06.html#_client_3">6.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s07.html">7. Multiple monitor support</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s07.html#_configuration_5">7.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s07.html#_client_4">7.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s08.html">8. TLS</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s08.html#_configuration_6">8.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s08.html#_client_5">8.2. Client</a></span></dt><dt><span class="section"><a href="ar01s08.html#_generating_self_signed_certificates">8.3. Generating self-signed certificates</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s09.html">9. SASL</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s09.html#_configuration_7">9.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s09.html#_client_6">9.2. 
Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s10.html">10. Folder sharing</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s10.html#_configuration_8">10.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s10.html#_guest_configuration">10.2. Guest configuration</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s11.html">11. QEMU Spice reference</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s11.html#_command_line_options">11.1. Command line options</a></span></dt><dt><span class="section"><a href="ar01s11.html#_qxl_command_line_options">11.2. QXL command line options</a></span></dt><dt><span class="section"><a href="ar01s11.html#_qemu_console_spice_commands">11.3. QEMU console Spice commands</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s12.html">12. Spice guest additions</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s12.html#_windows_guest">12.1. Windows guest</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s13.html">13. Installation</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s13.html#_installing_spice_on_rhel_or_fedora">13.1. Installing Spice on RHEL or Fedora</a></span></dt><dt><span class="section"><a href="ar01s13.html#_general_build_instructions">13.2. General build instructions</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s14.html">14. Debugging</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s14.html#_server_side">14.1. Server side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_client_side">14.2. Client side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_guest_side">14.3. Guest side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_recording_replaying_spice_server_traffic">14.4. Recording/replaying SPICE server traffic</a></span></dt></dl></dd><dt><span class="appendix"><a href="apa.html">A. 
Manual authors</a></span></dt><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt></dl></div><p>Licensed under a Creative Commons Attribution-Share Alike 3.0 United +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Spice User Manual</title><link rel="stylesheet" type="text/css" href="docbook-xsl.css" /><meta name="generator" content="DocBook XSL Stylesheets V1.78.1" /><link rel="home" href="index.html" title="Spice User Manual" /><link rel="next" href="ar01s01.html" title="1. Introduction" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><td width="20%" align="left"> </td><th width="60%" align="center"> </th><td width="20%" align="right"> <a accesskey="n" href="ar01s01.html">Next</a></td></tr></table><hr /></div><div xml:lang="en" class="article" lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="idm140478691862912"></a>Spice User Manual</h2></div></div><hr /></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="ar01s01.html">1. Introduction</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s01.html#_spice_and_spice_related_components">1.1. Spice and Spice-related components</a></span></dt><dt><span class="section"><a href="ar01s01.html#_features">1.2. Features</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s02.html">2. Using Spice</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s02.html#_running_qemu_manually">2.1. Running qemu manually</a></span></dt><dt><span class="section"><a href="ar01s02.html#_basic_configuration">2.2. Basic configuration</a></span></dt><dt><span class="section"><a href="ar01s02.html#_connecting_to_the_guest">2.3. 
Connecting to the guest</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s03.html">3. Ticketing</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s03.html#_configuration">3.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s03.html#_client">3.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s04.html">4. Agent</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s04.html#_configuration_2">4.1. Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s05.html">5. USB redirection</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s05.html#_configuration_3">5.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s05.html#_client_2">5.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s06.html">6. CAC smartcard redirection</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s06.html#_configuration_4">6.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s06.html#_client_3">6.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s07.html">7. Multiple monitor support</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s07.html#_configuration_5">7.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s07.html#_client_4">7.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s08.html">8. TLS</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s08.html#_configuration_6">8.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s08.html#_client_5">8.2. Client</a></span></dt><dt><span class="section"><a href="ar01s08.html#_generating_self_signed_certificates">8.3. Generating self-signed certificates</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s09.html">9. SASL</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s09.html#_configuration_7">9.1. 
Configuration</a></span></dt><dt><span class="section"><a href="ar01s09.html#_client_6">9.2. Client</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s10.html">10. Folder sharing</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s10.html#_configuration_8">10.1. Configuration</a></span></dt><dt><span class="section"><a href="ar01s10.html#_guest_configuration">10.2. Guest configuration</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s11.html">11. QEMU Spice reference</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s11.html#_command_line_options">11.1. Command line options</a></span></dt><dt><span class="section"><a href="ar01s11.html#_qxl_command_line_options">11.2. QXL command line options</a></span></dt><dt><span class="section"><a href="ar01s11.html#_qemu_console_spice_commands">11.3. QEMU console Spice commands</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s12.html">12. Spice guest additions</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s12.html#_windows_guest">12.1. Windows guest</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s13.html">13. Installation</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s13.html#_installing_spice_on_rhel_or_fedora">13.1. Installing Spice on RHEL or Fedora</a></span></dt><dt><span class="section"><a href="ar01s13.html#_general_build_instructions">13.2. General build instructions</a></span></dt></dl></dd><dt><span class="section"><a href="ar01s14.html">14. Debugging</a></span></dt><dd><dl><dt><span class="section"><a href="ar01s14.html#_server_side">14.1. Server side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_client_side">14.2. Client side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_guest_side">14.3. Guest side</a></span></dt><dt><span class="section"><a href="ar01s14.html#_recording_replaying_spice_server_traffic">14.4. 
Recording/replaying SPICE server traffic</a></span></dt></dl></dd><dt><span class="appendix"><a href="apa.html">A. Manual authors</a></span></dt><dt><span class="glossary"><a href="go01.html">Glossary</a></span></dt></dl></div><p>Licensed under a Creative Commons Attribution-Share Alike 3.0 United States License (see <a class="ulink" href="http://creativecommons.org/licenses/by-sa/3.0/us/legalcode" target="_top">http://creativecommons.org/licenses/by-sa/3.0/us/legalcode</a>).</p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"> </td><td width="20%" align="center"> </td><td width="40%" align="right"> <a accesskey="n" href="ar01s01.html">Next</a></td></tr></table></div></body></html> \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/docs/manual/manual.html new/spice-0.12.8/docs/manual/manual.html --- old/spice-0.12.7/docs/manual/manual.html 2016-04-14 12:18:54.000000000 +0200 +++ new/spice-0.12.8/docs/manual/manual.html 2016-07-13 15:56:22.000000000 +0200 @@ -2126,7 +2126,7 @@ <div id="footnotes"><hr /></div> <div id="footer"> <div id="footer-text"> -Last updated 2016-04-14 12:07:00 CEST +Last updated 2016-07-13 13:56:56 CEST </div> </div> </body> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/server/red_parse_qxl.c new/spice-0.12.8/server/red_parse_qxl.c --- old/spice-0.12.7/server/red_parse_qxl.c 2016-04-12 15:06:48.000000000 +0200 +++ new/spice-0.12.8/server/red_parse_qxl.c 2016-07-13 13:56:56.000000000 +0200 
@@ -1303,13 +1303,41 @@ return 0; } +bool red_validate_surface(uint32_t width, uint32_t height, + int32_t stride, uint32_t format) +{ + unsigned int bpp; + uint64_t size; + + bpp = surface_format_to_bpp(format); + + /* check if format is valid */ + if (!bpp) { + return false; + } + + /* check stride is larger than required bytes */ + size = ((uint64_t) width * bpp + 7u) / 8u; + /* the uint32_t conversion is here to avoid problems with -2^31 value */ + if (stride == G_MININT32 || size > (uint32_t) abs(stride)) { + return false; + } + + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ + size = (uint64_t) height * abs(stride); + if (size > MAX_DATA_CHUNK) { + return false; + } + + return true; +} + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, RedSurfaceCmd *red, QXLPHYSICAL addr) { QXLSurfaceCmd *qxl; uint64_t size; int error; - unsigned int bpp; qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); 
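Review bot: red_validate_surface() is now the single check applied to guest-supplied surface geometry, but neither the definition here nor the prototype added to red_parse_qxl.h states what a `true` result guarantees. Both callers go on to compute `height * abs(stride)` themselves, so that postcondition is load-bearing. I would add a header comment such as `/* Validate guest-provided surface parameters: true only if format is known, abs(stride) covers width * bpp bits, and height * abs(stride) <= MAX_DATA_CHUNK. */`. A zero width or height passes the check as written; if that is intended, the same comment should say so.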
@@ -1328,26 +1356,13 @@ red->u.surface_create.width = qxl->u.surface_create.width; red->u.surface_create.height = qxl->u.surface_create.height; red->u.surface_create.stride = qxl->u.surface_create.stride; - bpp = surface_format_to_bpp(red->u.surface_create.format); - /* check if format is valid */ - if (!bpp) { + if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height, + red->u.surface_create.stride, red->u.surface_create.format)) { return 1; } - /* check stride is larger than required bytes */ - size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; - /* the uint32_t conversion is here to avoid problems with -2^31 value */ - if (red->u.surface_create.stride == G_MININT32 - || size > (uint32_t) abs(red->u.surface_create.stride)) { - return 1; - } - - /* the multiplication can overflow, also abs(-2^31) may return a negative value */ - size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); - if (size > MAX_DATA_CHUNK) { - return 1; - } + size = red->u.surface_create.height * abs(red->u.surface_create.stride); red->u.surface_create.data = (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); if (error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/server/red_parse_qxl.h new/spice-0.12.8/server/red_parse_qxl.h --- old/spice-0.12.7/server/red_parse_qxl.h 2016-04-12 15:06:48.000000000 +0200 +++ new/spice-0.12.8/server/red_parse_qxl.h 2016-07-13 13:56:56.000000000 +0200 
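Review bot: The replacement line `size = red->u.surface_create.height * abs(red->u.surface_create.stride);` drops the `(uint64_t)` cast the removed code had. Assuming height is a uint32_t, as the red_validate_surface() call suggests, the product is now evaluated in 32 bits and only then widened into `size`. That is safe only because red_validate_surface() has already bounded the same product by MAX_DATA_CHUNK, and only while that limit stays below 2^32. Keeping the cast, `size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);`, makes the length handed to get_virt() independent of that invariant. The unchanged `surface.height * abs(surface.stride)` argument in the red_worker.c primary-surface hunk has the same shape, and red_get_surface_cmd continues outside this hunk.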
@@ -128,6 +128,9 @@ RedMessage *red, QXLPHYSICAL addr); void red_put_message(RedMessage *red); +bool red_validate_surface(uint32_t width, uint32_t height, + int32_t stride, uint32_t format); + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, RedSurfaceCmd *red, QXLPHYSICAL addr); void red_put_surface_cmd(RedSurfaceCmd *red); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/server/red_worker.c new/spice-0.12.8/server/red_worker.c --- old/spice-0.12.7/server/red_worker.c 2016-04-14 17:09:14.000000000 +0200 +++ new/spice-0.12.8/server/red_worker.c 2016-07-13 13:57:10.000000000 +0200 @@ -4038,13 +4038,15 @@ return TRUE; } -static void free_one_drawable(RedWorker *worker, int force_glz_free) +static bool free_one_drawable(RedWorker *worker, int force_glz_free) { RingItem *ring_item = ring_get_tail(&worker->current_list); Drawable *drawable; Container *container; - spice_assert(ring_item); + if (!ring_item) { + return FALSE; + } drawable = SPICE_CONTAINEROF(ring_item, Drawable, list_link); if (force_glz_free) { RingItem *glz_item, *next_item; @@ -4058,6 +4060,8 @@ current_remove_drawable(worker, drawable); container_cleanup(worker, container); + + return TRUE; } static Drawable *get_drawable(RedWorker *worker, uint8_t effect, RedDrawable *red_drawable, @@ -4079,7 +4083,8 @@ } while (!(drawable = alloc_drawable(worker))) { - free_one_drawable(worker, FALSE); + if (!free_one_drawable(worker, FALSE)) + return NULL; } worker->drawable_count++; memset(drawable, 0, sizeof(Drawable)); @@ -4189,7 +4194,6 @@ Drawable *drawable = get_drawable(worker, red_drawable->effect, red_drawable, group_id); if (!drawable) { - rendering_incorrect("failed to get_drawable"); return; } 
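Review bot: free_one_drawable() now returns `bool` but reports its result with the glib `FALSE`/`TRUE` macros, and the new early return in get_drawable() is the only unbraced `if` in these hunks. I would use `false`/`true`, as red_validate_surface() does in red_parse_qxl.c, and write the call site as `if (!free_one_drawable(worker, FALSE)) { return NULL; }`. The new return contract also deserves a one-line comment on the function, `/* Returns false when current_list is empty, i.e. nothing was left to free. */`. Both function bodies continue outside their hunks.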
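Review bot: With `rendering_incorrect("failed to get_drawable")` removed in the last red_worker.c hunk on this line, a drawable that cannot be obtained is dropped without any trace. The get_drawable() hunk above also adds a new NULL path, taken when nothing is left to free. If the message was removed to keep a guest from flooding the log, a comment saying so would help the next reader. Otherwise a plain warning such as `spice_warning("dropping drawable: get_drawable failed");` keeps the condition visible to whoever investigates a misbehaving guest. The enclosing function starts and ends outside the hunk, so the other causes of a NULL return are not visible here.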
@@ -11322,8 +11326,15 @@ spice_debug(NULL); spice_warn_if(surface_id != 0); spice_warn_if(surface.height == 0); - spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) != - abs(surface.stride) * surface.height); + + /* surface can arrive from guest unchecked so make sure + * guest is not a malicious one and drop invalid requests + */ + if (!red_validate_surface(surface.width, surface.height, + surface.stride, surface.format)) { + spice_warning("wrong primary surface creation request"); + return; + } line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem, surface.height * abs(surface.stride), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/server/smartcard.c new/spice-0.12.8/server/smartcard.c --- old/spice-0.12.7/server/smartcard.c 2016-04-14 12:07:00.000000000 +0200 +++ new/spice-0.12.8/server/smartcard.c 2016-07-13 13:56:56.000000000 +0200 @@ -178,14 +178,17 @@ smartcard_unref_vsc_msg_item((MsgItem *)msg); } -static void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *msg, +static void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *message, RedClient *client, void *opaque) { SmartCardDeviceState *dev = opaque; - spice_assert(dev->scc && dev->scc->base.client == client); - smartcard_channel_client_pipe_add_push(&dev->scc->base, &((MsgItem *)msg)->base); + MsgItem *msg = (MsgItem *)message; + PipeItem *item = &msg->base; + spice_assert(dev->scc && dev->scc->base.client == client); + smartcard_ref_vsc_msg_item(msg); + smartcard_channel_client_pipe_add_push(&dev->scc->base, item); } static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque) 
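Review bot: The rejection message `"wrong primary surface creation request"` does not say which values were refused, so a dropped request is hard to tell apart from a guest driver bug when reading logs. Logging the four parameters would give enough to triage, e.g. `spice_warning("invalid primary surface: %ux%u stride %d format %u", surface.width, surface.height, surface.stride, surface.format);` (types assumed from the red_validate_surface() prototype). The `spice_warn_if(surface.height == 0)` kept above the new check still only warns, and red_validate_surface() accepts a zero height, so such a surface continues to get_virt() with a zero length. The function body continues outside the hunk.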
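Review bot: The added `smartcard_ref_vsc_msg_item(msg);` in smartcard_send_msg_to_client() has no comment explaining who owns which reference, and that ownership is the whole point of the change. Judging from the `smartcard_unref_vsc_msg_item((MsgItem *)msg);` call at the top of the hunk, the char device appears to drop its own reference through a separate callback, so the item queued on the pipe needs one of its own. Once confirmed, I would state that as `/* the pipe item holds its own reference; the char device releases its reference separately */`. Where the pipe's reference is released is not visible in this hunk.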
@@ -328,7 +331,7 @@ SpiceCharDeviceWriteBuffer *write_buf; VSCMsgHeader *vheader; - write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); + write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); if (!write_buf) { spice_error("failed to allocate write buffer"); return; @@ -375,7 +378,7 @@ spice_debug("reader add was never sent to the device"); return; } - write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); + write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); if (!write_buf) { spice_error("failed to allocate write buffer"); return; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/server/spice-version.h new/spice-0.12.8/server/spice-version.h --- old/spice-0.12.7/server/spice-version.h 2016-04-14 17:47:23.000000000 +0200 +++ new/spice-0.12.8/server/spice-version.h 2016-07-13 15:55:32.000000000 +0200 @@ -22,6 +22,6 @@ #error "Only spice.h can be included directly." #endif -#define SPICE_SERVER_VERSION 0x000c07 +#define SPICE_SERVER_VERSION 0x000c08 #endif /* SPICE_VERSION_H_ */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/spice-0.12.7/spice-common/aclocal.m4 new/spice-0.12.8/spice-common/aclocal.m4 --- old/spice-0.12.7/spice-common/aclocal.m4 2016-04-14 17:47:10.000000000 +0200 +++ new/spice-0.12.8/spice-common/aclocal.m4 2016-07-13 15:54:56.000000000 +0200 @@ -21,7 +21,7 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])]) dnl pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -dnl serial 11 (pkg-config-0.29.1) +dnl serial 11 (pkg-config-0.29) dnl dnl Copyright © 2004 Scott James Remnant <[email protected]>. dnl Copyright © 2012-2015 Dan Nicholson <[email protected]> 
@@ -63,7 +63,7 @@ dnl See the "Since" comment for each macro you use to see what version dnl of the macros you require. m4_defun([PKG_PREREQ], -[m4_define([PKG_MACROS_VERSION], [0.29.1]) +[m4_define([PKG_MACROS_VERSION], [0.29]) m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) ])dnl PKG_PREREQ
