[arch-commits] Commit in spice/trunk (CVE-2013-4282.patch PKGBUILD git-fixes.patch)

2017-03-16 Thread Jan de Groot
Date: Thursday, March 16, 2017 @ 22:11:00
  Author: jgc
Revision: 290964

upgpkg: spice 0.12.8-2

Apply (security) fixes from git
Add signature
Switch to https
Use sha256 instead of md5

Added:
  spice/trunk/git-fixes.patch
Modified:
  spice/trunk/PKGBUILD
Deleted:
  spice/trunk/CVE-2013-4282.patch

-+
 CVE-2013-4282.patch |  104 --
 PKGBUILD|   17 ++--
 git-fixes.patch |   98 +++
 3 files changed, 111 insertions(+), 108 deletions(-)

Deleted: CVE-2013-4282.patch
===
--- CVE-2013-4282.patch 2017-03-16 21:33:42 UTC (rev 290963)
+++ CVE-2013-4282.patch 2017-03-16 22:11:00 UTC (rev 290964)
@@ -1,104 +0,0 @@
-From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
-From: Christophe Fergeau 
-Date: Fri, 23 Aug 2013 09:29:44 +
-Subject: Fix buffer overflow when decrypting client SPICE ticket
-
-reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
-password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
-RSA_private_decrypt which we call for the decryption expects the
-destination buffer to be at least RSA_size(link->tiTicketing.rsa)
-bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
-is 60 while RSA_size() is 128, so we end up overflowing 'password'
-when using long passwords (this was reproduced using the string:
-'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
-as a password).
-
-When the overflow occurs, QEMU dies with:
-*** stack smashing detected ***: qemu-system-x86_64 terminated
-
-This commit ensures we use a corectly sized 'password' buffer,
-and that it's correctly nul-terminated so that we can use strcmp
-instead of strncmp. To keep using strncmp, we'd need to figure out
-which one of 'password' and 'taTicket.password' is the smaller buffer,
-and use that size.
-
-This fixes rhbz#999839

-diff --git a/server/reds.c b/server/reds.c
-index 892d247..2a0002b 100644
 a/server/reds.c
-+++ b/server/reds.c
-@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
- static void reds_handle_ticket(void *opaque)
- {
- RedLinkInfo *link = (RedLinkInfo *)opaque;
--char password[SPICE_MAX_PASSWORD_LENGTH];
-+char *password;
- time_t ltime;
-+int password_size;
- 
- //todo: use monotonic time
- time();
--RSA_private_decrypt(link->tiTicketing.rsa_size,
--link->tiTicketing.encrypted_ticket.encrypted_data,
--(unsigned char *)password, link->tiTicketing.rsa, 
RSA_PKCS1_OAEP_PADDING);
-+if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
-+spice_warning("RSA modulus size is smaller than 
SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
-+  "SPICE ticket sent from client may be truncated",
-+  RSA_size(link->tiTicketing.rsa), 
SPICE_MAX_PASSWORD_LENGTH);
-+}
-+
-+password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
-+password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
-+
link->tiTicketing.encrypted_ticket.encrypted_data,
-+(unsigned char *)password,
-+link->tiTicketing.rsa,
-+RSA_PKCS1_OAEP_PADDING);
-+if (password_size == -1) {
-+spice_warning("failed to decrypt RSA encrypted password: %s",
-+  ERR_error_string(ERR_get_error(), NULL));
-+goto error;
-+}
-+password[password_size] = '\0';
- 
- if (ticketing_enabled && !link->skip_auth) {
- int expired =  taTicket.expiration_time < ltime;
- 
- if (strlen(taTicket.password) == 0) {
--reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
- spice_warning("Ticketing is enabled, but no password is set. "
--"please set a ticket first");
--reds_link_free(link);
--return;
-+  "please set a ticket first");
-+goto error;
- }
- 
--if (expired || strncmp(password, taTicket.password, 
SPICE_MAX_PASSWORD_LENGTH) != 0) {
-+if (expired || strcmp(password, taTicket.password) != 0) {
- if (expired) {
- spice_warning("Ticket has expired");
- } else {
- spice_warning("Invalid password");
- }
--reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
--reds_link_free(link);
--return;
-+goto error;
- }
- }
- 
- reds_handle_link(link);
-+goto end;
-+
-+error:
-+reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
-+reds_link_free(link);
-+
-+end:
-+g_free(password);
- }
- 
- static 

[arch-commits] Commit in spice/trunk (CVE-2013-4282.patch PKGBUILD)

2013-11-17 Thread Tobias Powalowski
Date: Monday, November 18, 2013 @ 08:36:08
  Author: tpowa
Revision: 199888

upgpkg: spice 0.12.4-3

#37767 fix CVE-2013-4282

Added:
  spice/trunk/CVE-2013-4282.patch
Modified:
  spice/trunk/PKGBUILD

-+
 CVE-2013-4282.patch |  104 ++
 PKGBUILD|   13 --
 2 files changed, 114 insertions(+), 3 deletions(-)

Added: CVE-2013-4282.patch
===
--- CVE-2013-4282.patch (rev 0)
+++ CVE-2013-4282.patch 2013-11-18 07:36:08 UTC (rev 199888)
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau cferg...@redhat.com
+Date: Fri, 23 Aug 2013 09:29:44 +
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link-tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
 b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+-char password[SPICE_MAX_PASSWORD_LENGTH];
++char *password;
+ time_t ltime;
++int password_size;
+ 
+ //todo: use monotonic time
+ time(ltime);
+-RSA_private_decrypt(link-tiTicketing.rsa_size,
+-link-tiTicketing.encrypted_ticket.encrypted_data,
+-(unsigned char *)password, link-tiTicketing.rsa, 
RSA_PKCS1_OAEP_PADDING);
++if (RSA_size(link-tiTicketing.rsa)  SPICE_MAX_PASSWORD_LENGTH) {
++spice_warning(RSA modulus size is smaller than 
SPICE_MAX_PASSWORD_LENGTH (%d  %d), 
++  SPICE ticket sent from client may be truncated,
++  RSA_size(link-tiTicketing.rsa), 
SPICE_MAX_PASSWORD_LENGTH);
++}
++
++password = g_malloc0(RSA_size(link-tiTicketing.rsa) + 1);
++password_size = RSA_private_decrypt(link-tiTicketing.rsa_size,
++
link-tiTicketing.encrypted_ticket.encrypted_data,
++(unsigned char *)password,
++link-tiTicketing.rsa,
++RSA_PKCS1_OAEP_PADDING);
++if (password_size == -1) {
++spice_warning(failed to decrypt RSA encrypted password: %s,
++  ERR_error_string(ERR_get_error(), NULL));
++goto error;
++}
++password[password_size] = '\0';
+ 
+ if (ticketing_enabled  !link-skip_auth) {
+ int expired =  taTicket.expiration_time  ltime;
+ 
+ if (strlen(taTicket.password) == 0) {
+-reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning(Ticketing is enabled, but no password is set. 
+-please set a ticket first);
+-reds_link_free(link);
+-return;
++  please set a ticket first);
++goto error;
+ }
+ 
+-if (expired || strncmp(password, taTicket.password, 
SPICE_MAX_PASSWORD_LENGTH) != 0) {
++if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning(Ticket has expired);
+ } else {
+ spice_warning(Invalid password);
+ }
+-reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+-reds_link_free(link);
+-return;
++goto error;
+ }
+ }
+ 
+ reds_handle_link(link);
++goto end;
++
++error:
++reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++reds_link_free(link);
++
++end:
++g_free(password);
+ }
+ 
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe
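Review bot: The decrypted ticket is released with a bare `g_free(password);` at the `end:` label of reds_handle_ticket, so the client's plaintext password is left behind in freed heap memory of the hosting process. I would scrub it first with `OPENSSL_cleanse(password, RSA_size(link->tiTicketing.rsa) + 1);`, because a plain memset just before the free may be optimized away. The new `strcmp(password, taTicket.password)` also stops at the first differing byte, so its running time depends on how much of the submitted ticket matches. A constant-time comparison over a fixed length would avoid that, for example `CRYPTO_memcmp` after a length check, if the OpenSSL version in use provides it. Separately, as rendered in this archive the patch text has lost `>`, `&`, `<` and the string quotes (`link-tiTicketing`, `time(ltime)`), so the patch should be taken from the upstream commit named in its `From` line rather than copied from this page.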

Modified: PKGBUILD
===
--- PKGBUILD2013-11-18 07:25:14 UTC (rev