Hello community, here is the log from the commit of package spice-gtk for openSUSE:Factory checked in at 2018-08-07 09:39:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice-gtk (Old) and /work/SRC/openSUSE:Factory/.spice-gtk.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice-gtk" Tue Aug 7 09:39:18 2018 rev:38 rq:625041 version:0.35 Changes: -------- --- /work/SRC/openSUSE:Factory/spice-gtk/spice-gtk.changes 2018-07-04 23:53:39.123990051 +0200 +++ /work/SRC/openSUSE:Factory/.spice-gtk.new/spice-gtk.changes 2018-08-07 09:39:27.392931439 +0200 @@ -1,0 +2,9 @@ +Mon Jul 16 09:36:31 UTC 2018 - [email protected] + +- Avoid buffer overflow on image lz cheks (CVE-2018-10893, bsc#1101295) + Added patches: + 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch + 0002-lz-More-checks-on-image-sizes.patch +- Add setuid bit to spice-client-glib-usb-acl-helper (bsc#1101420) + +------------------------------------------------------------------- New: ---- 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch 0002-lz-More-checks-on-image-sizes.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ spice-gtk.spec ++++++ --- /var/tmp/diff_new_pack.5QwsCx/_old 2018-08-07 09:39:27.888932304 +0200 +++ /var/tmp/diff_new_pack.5QwsCx/_new 2018-08-07 09:39:27.892932311 +0200 @@ -29,6 +29,9 @@ Source: http://spice-space.org/download/gtk/%{name}-%{version}.tar.bz2 # PATCH-FIX-OPENSUSE spice-gtk-polkit-privs.patch bnc#804184 [email protected] -- Set the polkit defaults to auth_admin Patch0: spice-gtk-polkit-privs.patch +# PATCH-FIX-UPSTREAM - CVE-2018-10893 +Patch1: 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch +Patch2: 0002-lz-More-checks-on-image-sizes.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: cyrus-sasl-devel @@ -89,6 +92,7 @@ %package -n libspice-client-glib-helper Summary: Gtk client and libraries for SPICE remote desktop servers Group: System/Libraries +Requires: group(kvm) %description -n libspice-client-glib-helper A Gtk client and libraries for SPICE remote desktop servers, (Linux and Windows). 
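Review bot: `Requires: group(kvm)` in the `%package -n libspice-client-glib-helper` stanza should be `Requires(pre): group(kvm)`, because a later hunk installs the helper as `%attr(4750,root,kvm)` and rpm needs that group to exist at the moment it lays down the file. Only the `(pre)` qualifier makes rpm guarantee the providing package is installed first; a plain Requires may be satisfied later in the same transaction, in which case the file ends up owned by a numeric placeholder instead of the intended group. This is the usual openSUSE form for packages that reference system users or groups.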
@@ -131,6 +135,10 @@ %prep %setup -q %patch0 -p1 +pushd spice-common +%patch1 -p1 +%patch2 -p1 +popd %build autoreconf -fi @@ -151,10 +159,10 @@ find %{buildroot} -type f -name "*.la" -delete -print %find_lang %{name} -%post +%post -n libspice-client-glib-helper %set_permissions %{_bindir}/spice-client-glib-usb-acl-helper -%verifyscript +%verifyscript -n libspice-client-glib-helper %verify_permissions -e %{_bindir}/spice-client-glib-usb-acl-helper %post -n libspice-client-glib-2_0-8 -p /sbin/ldconfig @@ -174,7 +182,7 @@ %{_libdir}/libspice-client-glib-2.0.so.* %files -n libspice-client-glib-helper -%attr(755,root,root) %{_bindir}/spice-client-glib-usb-acl-helper +%verify(not mode) %attr(4750,root,kvm) %{_bindir}/spice-client-glib-usb-acl-helper %{_datadir}/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy %files -n libspice-client-gtk-3_0-5 ++++++ 0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch ++++++ >From b94b3ca285d81180ed8fdf18f949761e40657b93 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <[email protected]> Date: Fri, 22 Dec 2017 18:43:00 +0000 Subject: [PATCH spice-common 1/2] lz: Avoid buffer reading overflow checking for image type The type of the image is just copied from network without any check and later used for array indexing. Signed-off-by: Frediano Ziglio <[email protected]> --- common/lz.c | 3 +++ common/lz_common.h | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/common/lz.c b/common/lz.c index b7e7d48..e76105e 100644 --- a/common/lz.c +++ b/common/lz.c @@ -594,6 +594,9 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, } encoder->type = (LzImageType)decode_32(encoder); + if (encoder->type < 0 || encoder->type > LZ_IMAGE_TYPE_MAX) { + encoder->usr->error(encoder->usr, "invalid lz type\n"); + } encoder->width = decode_32(encoder); encoder->height = decode_32(encoder); encoder->stride = decode_32(encoder); 
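Review bot: `%post -n libspice-client-glib-helper` now runs `%set_permissions`, which invokes chkstat from the permissions package, but the subpackage stanza shown in the previous hunk declares only `Requires: group(kvm)`; a subpackage does not inherit the main package's dependencies, so `Requires(post): permissions` belongs in that stanza unless it is declared somewhere outside this diff. Without it the scriptlet can fail on a minimal install and the binary simply keeps whatever mode `%attr` applied, bypassing the profile-based policy this move was meant to enable.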
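Review bot: The new `%verify(not mode) %attr(4750,root,kvm)` line makes `spice-client-glib-usb-acl-helper` setuid root for every member of group kvm without recording why, and `%verify(not mode)` silences `rpm -V` on exactly the bit a reviewer would want flagged; a spec comment should capture the reasoning. Suggested: `# setuid root, executable only by group kvm (bsc#1101420); the privileged action is meant to be gated by the shipped polkit policy org.spice-space.lowlevelusbaccess (see Patch0), and the mode is managed by chkstat via %set_permissions, hence %verify(not mode)`. On openSUSE a setuid binary handled this way also needs a matching entry in the permissions profiles; that lives outside this diff and is worth confirming.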
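Review bot: The added range check on `encoder->type` only protects the table lookups that follow if `encoder->usr->error` never returns; the code falls straight through to the `decode_32` calls, so a caller whose error callback merely logs would still index `IS_IMAGE_TYPE_PLT` with a wire-controlled value. That contract is not stated in the hunk; a comment above the `if`, `/* type is read from the wire and used as a table index below; usr->error must not return */`, would make the dependency explicit to anyone providing a new LzUsrContext. `encoder->type < 0` may also draw -Wtype-limits if the compiler picks an unsigned underlying type for LzImageType, but the check stays correct because any such value is then caught by `> LZ_IMAGE_TYPE_MAX`. lz_decode_begin starts before and continues after this hunk.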
diff --git a/common/lz_common.h b/common/lz_common.h index 78df003..6526d16 100644 --- a/common/lz_common.h +++ b/common/lz_common.h @@ -51,6 +51,7 @@ typedef enum { #define LZ_IMAGE_TYPE_MASK 0x0f #define LZ_IMAGE_TYPE_LOG 4 // number of bits required for coding the image type +#define LZ_IMAGE_TYPE_MAX LZ_IMAGE_TYPE_A8 /* access to the arrays is based on the image types */ static const int IS_IMAGE_TYPE_PLT[] = {0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0}; @@ -58,10 +59,10 @@ static const int IS_IMAGE_TYPE_RGB[] = {0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1}; static const int PLT_PIXELS_PER_BYTE[] = {0, 8, 8, 2, 2, 1}; static const int RGB_BYTES_PER_PIXEL[] = {0, 1, 1, 1, 1, 1, 2, 3, 4, 4, 4, 1}; -verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_A8 + 1)); -verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_A8 + 1)); +verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_PLT) == (LZ_IMAGE_TYPE_MAX + 1)); +verify(SPICE_N_ELEMENTS(IS_IMAGE_TYPE_RGB) == (LZ_IMAGE_TYPE_MAX + 1)); verify(SPICE_N_ELEMENTS(PLT_PIXELS_PER_BYTE) == (LZ_IMAGE_TYPE_PLT8 + 1)); -verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_A8 + 1)); +verify(SPICE_N_ELEMENTS(RGB_BYTES_PER_PIXEL) == (LZ_IMAGE_TYPE_MAX + 1)); /* ASCII "LZ " */ #define LZ_MAGIC 0x20205a4c -- 2.17.1 ++++++ 0002-lz-More-checks-on-image-sizes.patch ++++++ >From 7117d2dced9438ce8074d20362196a313b0854cc Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <[email protected]> Date: Mon, 25 Jun 2018 14:16:10 +0100 Subject: [PATCH spice-common 2/2] lz: More checks on image sizes Extend sizes check also to decoding, actually the source data decoding images should be less safe than encoding. This avoids different integer overflows and buffer overflows. To avoid potential issues images are limited to 1GB. Signed-off-by: Frediano Ziglio <[email protected]> --- common/lz.c | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/common/lz.c b/common/lz.c index e76105e..f57d388 100644 
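Review bot: `#define LZ_IMAGE_TYPE_MAX LZ_IMAGE_TYPE_A8` is a hand-maintained mirror of the enum's last member, and the enum itself sits above this hunk, so nothing in the header says that the decoder's range check and the three `verify()` table-size asserts now hang off this one macro. A comment on the define would make the maintenance rule visible: `/* highest valid LzImageType; lz_decode_begin rejects wire values above it and the table sizes below are verified against it - update when the enum grows */`. The fourth assert, `verify(SPICE_N_ELEMENTS(PLT_PIXELS_PER_BYTE) == (LZ_IMAGE_TYPE_PLT8 + 1))`, is left tied to PLT8 and therefore still relies on `IS_IMAGE_TYPE_PLT` being 0 for every type past PLT8; that invariant deserves a one-line comment as well.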
--- a/common/lz.c +++ b/common/lz.c @@ -482,17 +482,13 @@ typedef uint16_t rgb16_pixel_t; #undef LZ_UNEXPECT_CONDITIONAL #undef LZ_EXPECT_CONDITIONAL -int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, - uint8_t *lines, unsigned int num_lines, int stride, - uint8_t *io_ptr, unsigned int num_io_bytes) +static void lz_check_sizes(Encoder *encoder) { - Encoder *encoder = (Encoder *)lz; - uint8_t *io_ptr_end = io_ptr + num_io_bytes; + const int width = encoder->width; - encoder->type = type; - encoder->width = width; - encoder->height = height; - encoder->stride = stride; + if (width < 0 || encoder->height < 0 || encoder->stride < 0) { + encoder->usr->error(encoder->usr, "invalid lz size\n"); + } if (IS_IMAGE_TYPE_PLT[encoder->type]) { if (encoder->stride > (width / PLT_PIXELS_PER_BYTE[encoder->type])) { @@ -509,6 +505,26 @@ int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_do } } + // avoid too big images, 1 GB is enough + if ((uint64_t) encoder->stride * encoder->height >= 1024u * 1024u * 1024u) { + encoder->usr->error(encoder->usr, "image too large\n"); + } +} + +int lz_encode(LzContext *lz, LzImageType type, int width, int height, int top_down, + uint8_t *lines, unsigned int num_lines, int stride, + uint8_t *io_ptr, unsigned int num_io_bytes) +{ + Encoder *encoder = (Encoder *)lz; + uint8_t *io_ptr_end = io_ptr + num_io_bytes; + + encoder->type = type; + encoder->width = width; + encoder->height = height; + encoder->stride = stride; + + lz_check_sizes(encoder); + // assign the output buffer if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { encoder->usr->error(encoder->usr, "lz encoder io reset failed\n"); 
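Review bot: `static void lz_check_sizes(Encoder *encoder)` has no header comment, and its most important property is invisible: every failure is reported through `encoder->usr->error` and execution then continues, so the check is only effective if that callback does not return, which the rewritten `lz_encode` relies on by proceeding directly to `encoder_reset`. Add above the signature: `/* Reject negative or type-inconsistent width/height/stride and cap the image size; usr->error is expected not to return, callers continue as if the sizes were valid. */`. The function also indexes `IS_IMAGE_TYPE_PLT` and `PLT_PIXELS_PER_BYTE` by `encoder->type` without bounding it, so it depends on the decode path's separate type check and on `lz_encode` callers passing a valid type; bounding `encoder->type` here too would make the helper self-contained. The body continues past the end of this hunk.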
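Review bot: The new cap `(uint64_t) encoder->stride * encoder->height >= 1024u * 1024u * 1024u` is a bare magic number whose rationale lives only in the adjacent comment; give it a name next to the file's other limits so the bound can be found and adjusted in one place, e.g. `#define LZ_MAX_IMAGE_BYTES (1024u * 1024u * 1024u)` and `if ((uint64_t) encoder->stride * encoder->height >= LZ_MAX_IMAGE_BYTES) {`. The widening cast only prevents wrap-around because both operands were rejected when negative earlier in the same function; a short comment, `// both factors are >= 0 here, so the widened product cannot wrap`, would tie the two checks together for the next reader.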
@@ -600,6 +616,8 @@ void lz_decode_begin(LzContext *lz, uint8_t *io_ptr, unsigned int num_io_bytes, encoder->width = decode_32(encoder); encoder->height = decode_32(encoder); encoder->stride = decode_32(encoder); + lz_check_sizes(encoder); + *out_top_down = decode_32(encoder); *out_width = encoder->width; -- 2.17.1
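Review bot: `lz_check_sizes(encoder)` is placed right after the three `decode_32` reads and before any of the `*out_*` parameters are written, which is the right order, since a rejected image never reaches the caller, but nothing marks that placement as deliberate. A comment such as `/* width/height/stride come straight from the wire: validate before exposing them to the caller */` would stop a later refactor from sliding the call below the assignments. `*out_top_down` is still passed through unvalidated; whether that matters depends on how callers consume it, which is outside this hunk, as is the rest of lz_decode_begin.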
