Hello community, here is the log from the commit of package spice-gtk for openSUSE:Factory checked in at 2020-10-08 13:11:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/spice-gtk (Old) and /work/SRC/openSUSE:Factory/.spice-gtk.new.4249 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "spice-gtk"
Thu Oct 8 13:11:47 2020 rev:48 rq:839839 version:0.38
Changes:
--------
--- /work/SRC/openSUSE:Factory/spice-gtk/spice-gtk.changes 2020-03-31 17:31:36.608238169 +0200
+++ /work/SRC/openSUSE:Factory/.spice-gtk.new.4249/spice-gtk.changes 2020-10-08 13:12:35.963194988 +0200
@@ -1,0 +2,10 @@
+Mon Oct 5 19:51:44 UTC 2020 - Bruce Rogers <brog...@suse.com>
+
+- Fix buffer overflow vunerabilities in QUIC image decoding
+ (CVE-2020-14355 bsc#1177158)
+0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
+0002-quic-Check-image-size-in-quic_decode_begin.patch
+0003-quic-Check-RLE-lengths.patch
+0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
+
+-------------------------------------------------------------------
New:
----
0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
0002-quic-Check-image-size-in-quic_decode_begin.patch
0003-quic-Check-RLE-lengths.patch
0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ spice-gtk.spec ++++++
--- /var/tmp/diff_new_pack.zqzSjm/_old 2020-10-08 13:12:36.635195596 +0200
+++ /var/tmp/diff_new_pack.zqzSjm/_new 2020-10-08 13:12:36.635195596 +0200
@@ -23,14 +23,19 @@
Summary: Gtk client and libraries for SPICE remote desktop servers
License: GPL-2.0-or-later AND LGPL-2.1-or-later
Group: System/GUI/GNOME
-URL: http://spice-space.org
-Source0: http://spice-space.org/download/gtk/%{name}-%{version}.tar.xz
-Source1: http://spice-space.org/download/gtk/%{name}-%{version}.tar.xz.sig
+URL: https://spice-space.org
+Source0: https://spice-space.org/download/gtk/%{name}-%{version}.tar.xz
+Source1: https://spice-space.org/download/gtk/%{name}-%{version}.tar.xz.sig
Source2: %{name}.keyring
Source3: README.SUSE
# PATCH-FIX-OPENSUSE spice-gtk-polkit-privs.patch bnc#804184 dims...@opensuse.org -- Set the polkit defaults to auth_admin
Patch0: spice-gtk-polkit-privs.patch
Patch1: Remove-celt-support.patch
+Patch2: 0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch
+Patch3: 0002-quic-Check-image-size-in-quic_decode_begin.patch
+Patch4: 0003-quic-Check-RLE-lengths.patch
+Patch5: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
+
BuildRequires: cyrus-sasl-devel
BuildRequires: gstreamer-plugins-bad
BuildRequires: gstreamer-plugins-good
@@ -134,6 +139,12 @@
%setup -q
%patch0 -p1
%patch1 -p1
+cd subprojects/spice-common
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+cd ../../
cp %{SOURCE3} .
%build
++++++ 0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch ++++++
>From 762e0abae36033ccde658fd52d3235887b60862d Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fredd...@gmail.com>
Date: Wed, 29 Apr 2020 15:09:13 +0100
Subject: [PATCH spice-common 1/4] quic: Check we have some data to start decoding quic image
All paths already pass some data to quic_decode_begin but for the test check it, it's not that expensive test. Checking for not 0 is enough, all other words will potentially be read calling more_io_words but we need one to avoid a potential initial buffer overflow or deferencing an invalid pointer.
Signed-off-by: Frediano Ziglio <fredd...@gmail.com>
Acked-by: Uri Lublin <u...@redhat.com>
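Review bot: The new `Patch2:`–`Patch5:` entries carry no tag comment, while `Patch0` directly above uses the openSUSE `# PATCH-FIX-OPENSUSE … -- …` form that records origin, bug reference and purpose. These four are upstream spice-common commits for CVE-2020-14355 (bsc#1177158, per the .changes entry), which is exactly what such a tag should state, e.g. before `Patch2:` a line `# PATCH-FIX-UPSTREAM 0001-quic-Check-we-have-some-data-to-start-decoding-quic-.patch bsc#1177158 CVE-2020-14355 brog...@suse.com -- Reject empty QUIC input`, with one such line per patch. Nothing else in this hunk needs changing.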
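Review bot: The `cd subprojects/spice-common` / `cd ../../` pair around `%patch2`–`%patch5` depends on a relative path back to the source root and does not say why these four patches are applied below it rather than alongside `%patch0`/`%patch1`. A comment plus a pushd/popd pair would make the intent explicit and the return path independent of directory depth: `# Patches 2-5 are spice-common commits; apply them inside the bundled subproject`, `pushd subprojects/spice-common`, `popd`. pushd/popd are bash builtins, so confirm the %prep shell is bash before relying on them.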
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
common/quic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/quic.c b/common/quic.c
index e2dee0f..bc753ca 100644
--- a/common/quic.c
+++ b/common/quic.c
@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
int channels;
int bpc;
- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
return QUIC_ERROR;
}
-- 2.25.4
++++++ 0002-quic-Check-image-size-in-quic_decode_begin.patch ++++++
>From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fredd...@gmail.com>
Date: Wed, 29 Apr 2020 15:10:24 +0100
Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
Avoid some overflow in code due to images too big or negative numbers.
Signed-off-by: Frediano Ziglio <fredd...@gmail.com>
Acked-by: Uri Lublin <u...@redhat.com>
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
common/quic.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/common/quic.c b/common/quic.c
index bc753ca..6815316 100644
--- a/common/quic.c
+++ b/common/quic.c
@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
#define MINwminext 1
#define MAXwminext 100000000
+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
+
typedef struct QuicFamily {
unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of unmodified GR codewords in the code */
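Review bot: The `!num_io_words` test now carries the guarantee that at least one input word exists before `encoder_reset()` and the reads that follow, but the line itself gives no hint of that, and because `encoder_reset()` is handed `io_ptr_end` rather than the count, a later cleanup could easily fold the check away as redundant. Only the commit message explains it, so a comment on the new line would pin the intent: `/* reject empty input: the first word is read before more_io_words() can refill, so zero words would overrun io_ptr */`. `quic_decode_begin` continues outside the hunk, and `io_ptr_end` is presumably derived from `num_io_words` there.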
@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
height = encoder->io_word;
decode_eat32bits(encoder);
+ if (width <= 0 || height <= 0) {
+ encoder->usr->warn(encoder->usr, "invalid size\n");
+ return QUIC_ERROR;
+ }
+
+ /* avoid too big images */
+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
+ encoder->usr->error(encoder->usr, "image too large\n");
+ }
+
quic_image_params(encoder, type, &channels, &bpc);
if (!encoder_reset_channels(encoder, channels, width, bpc)) {
-- 2.25.4
++++++ 0003-quic-Check-RLE-lengths.patch ++++++
>From ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fredd...@gmail.com>
Date: Wed, 29 Apr 2020 15:11:38 +0100
Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
Avoid buffer overflows decoding images. On compression we compute lengths till end of line so it won't cause regressions. Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <fredd...@gmail.com>
Acked-by: Uri Lublin <u...@redhat.com>
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
common/quic_tmpl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
index ecd6f3f..ebae992 100644
--- a/common/quic_tmpl.c
+++ b/common/quic_tmpl.c
@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
do_run:
state->waitcnt = stopidx - i;
run_index = i;
- run_end = i + decode_state_run(encoder, state);
+ run_end = decode_state_run(encoder, state);
+ if (run_end < 0 || run_end > (end - i)) {
+ encoder->usr->error(encoder->usr, "wrong RLE\n");
+ }
+ run_end += i;
for (; i < run_end; i++) {
UNCOMPRESS_PIX_START(&cur_row[i]);
-- 2.25.4
++++++ 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch ++++++
>From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
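Review bot: The `image too large` branch calls `encoder->usr->error()` and then falls straight through into `quic_image_params()` and `encoder_reset_channels()` with the oversized width and height, whereas the `invalid size` branch just above it returns `QUIC_ERROR`. Whether that is safe rests entirely on the `error` callback never returning; its contract is not visible from this hunk, and the `wrong RLE` check in the quic_tmpl.c hunk below (patch 3) has the same shape. In `quic_decode_begin` the guard can stand on its own by adding `return QUIC_ERROR;` after the error call, matching the branch above; where no error return exists (`uncompress_row_seg` is declared `static void`) a comment such as `/* usr->error() must not return */` beside the call would at least record the assumption. Using `warn` for a non-positive size but `error` for an oversized one also reads as inconsistent for two rejections of the same header fields. `quic_decode_begin` continues outside the hunk.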
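Review bot: The `run_end < 0` test only has an effect if `run_end` and the return type of `decode_state_run()` are signed; both declarations lie outside the hunk, so this is worth confirming, since with an unsigned type the comparison is always false (`-Wtype-limits` would flag it) and only the `> (end - i)` bound remains, which is still sufficient provided `end` and `i` are signed and `i <= end` holds here. A short comment on the check would record the invariant the following loop relies on: `/* the run must not extend past end, the bound this row segment is decoded up to */`. `uncompress_row_seg` starts and ends outside the hunk.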
From: Frediano Ziglio <fredd...@gmail.com>
Date: Thu, 30 Apr 2020 10:19:09 +0100
Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in find_bucket
Proved by fuzzing the code.
Signed-off-by: Frediano Ziglio <fredd...@gmail.com>
Acked-by: Uri Lublin <u...@redhat.com>
Signed-off-by: Bruce Rogers <brog...@suse.com>
---
common/quic_family_tmpl.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
index 8a5f7d2..6cc051b 100644
--- a/common/quic_family_tmpl.c
+++ b/common/quic_family_tmpl.c
@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
{
spice_extra_assert(val < (0x1U << BPC));
- return channel->_buckets_ptrs[val];
+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious * attempts. Is much faster then using comparisons and save us from such situations. * Note that on normal build the check above won't be compiled as this code path * is pretty hot and would cause speed regressions.
+ */
+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
}
#undef FNAME
-- 2.25.4
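Review bot: The mask `val & ((1U << BPC) - 1)` keeps the access in bounds but silently folds an out-of-range `val` onto some valid bucket, so a corrupt or hostile stream now decodes to wrong pixels instead of being rejected; that is a reasonable trade-off on a hot path, but the comment should say so explicitly, and as written it has typos (`then` → `than`, `save` → `saves`) and "the check above" should name `spice_extra_assert`. I would replace the five comment lines with something like `/* Mask instead of bounds-checking: an out-of-range val (corrupt or malicious input) is folded onto a valid bucket, keeping the access in bounds with no compare on this hot path; per the original note, spice_extra_assert() above is not compiled in normal builds. */`. The `(1U << BPC) - 1` mask and the `0x1U << BPC` limit in the assert express the same bound, so a shared macro would keep them from drifting apart, though that is optional.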