Hello community,

here is the log from the commit of package spice for openSUSE:Factory checked 
in at 2017-02-11 01:36:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/spice (Old)
 and      /work/SRC/openSUSE:Factory/.spice.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "spice"

Changes:
--------
--- /work/SRC/openSUSE:Factory/spice/spice.changes      2017-02-08 
10:43:38.380589082 +0100
+++ /work/SRC/openSUSE:Factory/.spice.new/spice.changes 2017-02-11 
01:36:49.213950095 +0100
@@ -1,0 +2,9 @@
+Thu Feb  2 11:23:03 UTC 2017 - psim...@suse.com
+
+- Added patches to fix two security vulnerabilities. 
+  * CVE-2016-9577-buffer-overflow-in-main_channel_alloc_msg_rcv_buf.patch
+    [CVE-2016-9577, bsc#1023078]
+  * CVE-2016-9578-remote-dos-via-crafted-message.patch
+    [CVE-2016-9578, bsc#1023079]
+
+-------------------------------------------------------------------

New:
----
  CVE-2016-9577-buffer-overflow-in-main_channel_alloc_msg_rcv_buf.patch
  CVE-2016-9578-remote-dos-via-crafted-message.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ spice.spec ++++++
--- /var/tmp/diff_new_pack.ri7d5I/_old  2017-02-11 01:36:50.025835523 +0100
+++ /var/tmp/diff_new_pack.ri7d5I/_new  2017-02-11 01:36:50.025835523 +0100
@@ -26,6 +26,9 @@
 Url:            http://www.spice-space.org/
 Source:         
http://spice-space.org/download/releases/%{name}-%{version}.tar.bz2
 Source99:       %{name}.rpmlintrc
+Patch0:         
CVE-2016-9577-buffer-overflow-in-main_channel_alloc_msg_rcv_buf.patch
+Patch1:         CVE-2016-9578-remote-dos-via-crafted-message.patch
+
 # Build-time parameters
 BuildRequires:  alsa-devel
 BuildRequires:  celt051-devel
@@ -81,6 +84,8 @@
 
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 
 %build
 %configure \

++++++ CVE-2016-9577-buffer-overflow-in-main_channel_alloc_msg_rcv_buf.patch 
++++++
>From 9f3ac8195f55027c6fb880d811141ae87d6d04f1 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fzig...@redhat.com>
Date: Tue, 29 Nov 2016 16:46:56 +0000
Subject: [PATCH spice-server] main-channel: Prevent overflow reading messages 
from client

The caller expects the function to return a buffer able to store
size bytes.

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
---
 server/main-channel.c | 3 +++
 1 file changed, 3 insertions(+)

Index: spice-0.12.7/server/main_channel.c
===================================================================
--- spice-0.12.7.orig/server/main_channel.c     2016-04-12 15:06:48.000000000 
+0200
+++ spice-0.12.7/server/main_channel.c  2017-02-02 12:21:06.338289992 +0100
@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_r
 
     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
         return reds_get_agent_data_buffer(mcc, size);
+    } else if (size > sizeof(main_chan->recv_buf)) {
+        /* message too large, caller will log a message and close the 
connection */
+        return NULL;
     } else {
         return main_chan->recv_buf;
     }
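Review bot: The NULL return added for an oversized `size` is a new contract of main_channel_alloc_msg_rcv_buf that only the inline comment records; the function's header (the function starts before this hunk) should state it, e.g. `/* Returns a buffer able to hold size bytes, or NULL when size exceeds recv_buf; on NULL the caller logs and closes the connection. */`. The SPICE_MSGC_MAIN_AGENT_DATA branch just above the new check still passes the same client-supplied `size` to reds_get_agent_data_buffer() without a bound visible here; presumably that helper checks it against its own buffer, which is worth confirming. Separately, the patch's diffstat names `server/main-channel.c` while the Index line names `server/main_channel.c`; harmless to `patch -p1`, but the header should match the file actually touched.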
++++++ CVE-2016-9578-remote-dos-via-crafted-message.patch ++++++
>From fb8760d657271f52b357f83615c81bc984a3a197 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fzig...@redhat.com>
Date: Mon, 28 Nov 2016 13:15:58 +0000
Subject: [PATCH spice-server] Prevent possible DoS attempts during protocol 
handshake

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
---
 server/reds.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

Index: spice-0.12.7/server/reds.c
===================================================================
--- spice-0.12.7.orig/server/reds.c     2016-04-14 17:09:22.000000000 +0200
+++ spice-0.12.7/server/reds.c  2017-02-02 12:21:06.346289634 +0100
@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(v
     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
 
+    /* Prevent DoS. Currently we defined only 13 capabilities so here 1 would 
suffice,
+     * I expect 1024 to be valid for quite a lot time */
+    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 
1024) {
+        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+        reds_link_free(link);
+        return;
+    }
+
     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
 
@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done
 
     reds->peer_minor_version = header->minor_version;
 
-    if (header->size < sizeof(SpiceLinkMess)) {
+    /* the check for 4096 is to avoid clients to attempt DoS to the server */
+    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
         spice_warning("bad size %u", header->size);
         reds_link_free(link);
