[arch-commits] Commit in spice/trunk (CVE-2013-4282.patch PKGBUILD git-fixes.patch)
Date: Thursday, March 16, 2017 @ 22:11:00 Author: jgc Revision: 290964 upgpkg: spice 0.12.8-2 Apply (security) fixes from git Add signature Switch to https Use sha256 instead of md5 Added: spice/trunk/git-fixes.patch Modified: spice/trunk/PKGBUILD Deleted: spice/trunk/CVE-2013-4282.patch -+ CVE-2013-4282.patch | 104 -- PKGBUILD| 17 ++-- git-fixes.patch | 98 +++ 3 files changed, 111 insertions(+), 108 deletions(-) Deleted: CVE-2013-4282.patch === --- CVE-2013-4282.patch 2017-03-16 21:33:42 UTC (rev 290963) +++ CVE-2013-4282.patch 2017-03-16 22:11:00 UTC (rev 290964) 
@@ -1,104 +0,0 @@ -From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001 -From: Christophe Fergeau-Date: Fri, 23 Aug 2013 09:29:44 + -Subject: Fix buffer overflow when decrypting client SPICE ticket - -reds_handle_ticket uses a fixed size 'password' buffer for the decrypted -password whose size is SPICE_MAX_PASSWORD_LENGTH. However, -RSA_private_decrypt which we call for the decryption expects the -destination buffer to be at least RSA_size(link->tiTicketing.rsa) -bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH -is 60 while RSA_size() is 128, so we end up overflowing 'password' -when using long passwords (this was reproduced using the string: -'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]' -as a password). - -When the overflow occurs, QEMU dies with: -*** stack smashing detected ***: qemu-system-x86_64 terminated - -This commit ensures we use a corectly sized 'password' buffer, -and that it's correctly nul-terminated so that we can use strcmp -instead of strncmp. To keep using strncmp, we'd need to figure out -which one of 'password' and 'taTicket.password' is the smaller buffer, -and use that size. 
- -This fixes rhbz#999839 -diff --git a/server/reds.c b/server/reds.c -index 892d247..2a0002b 100644 a/server/reds.c -+++ b/server/reds.c -@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link) - static void reds_handle_ticket(void *opaque) - { - RedLinkInfo *link = (RedLinkInfo *)opaque; --char password[SPICE_MAX_PASSWORD_LENGTH]; -+char *password; - time_t ltime; -+int password_size; - - //todo: use monotonic time - time(); --RSA_private_decrypt(link->tiTicketing.rsa_size, --link->tiTicketing.encrypted_ticket.encrypted_data, --(unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); -+if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) { -+spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), " -+ "SPICE ticket sent from client may be truncated", -+ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH); -+} -+ -+password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1); -+password_size = RSA_private_decrypt(link->tiTicketing.rsa_size, -+ link->tiTicketing.encrypted_ticket.encrypted_data, -+(unsigned char *)password, -+link->tiTicketing.rsa, -+RSA_PKCS1_OAEP_PADDING); -+if (password_size == -1) { -+spice_warning("failed to decrypt RSA encrypted password: %s", -+ ERR_error_string(ERR_get_error(), NULL)); -+goto error; -+} -+password[password_size] = '\0'; - - if (ticketing_enabled && !link->skip_auth) { - int expired = taTicket.expiration_time < ltime; - - if (strlen(taTicket.password) == 0) { --reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); - spice_warning("Ticketing is enabled, but no password is set. 
" --"please set a ticket first"); --reds_link_free(link); --return; -+ "please set a ticket first"); -+goto error; - } - --if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) { -+if (expired || strcmp(password, taTicket.password) != 0) { - if (expired) { - spice_warning("Ticket has expired"); - } else { - spice_warning("Invalid password"); - } --reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); --reds_link_free(link); --return; -+goto error; - } - } - - reds_handle_link(link); -+goto end; -+ -+error: -+reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); -+reds_link_free(link); -+ -+end: -+g_free(password); - } - - static
[arch-commits] Commit in spice/trunk (CVE-2013-4282.patch PKGBUILD)
Date: Monday, November 18, 2013 @ 08:36:08 Author: tpowa Revision: 199888 upgpkg: spice 0.12.4-3 #37767 fix CVE-2013-4282 Added: spice/trunk/CVE-2013-4282.patch Modified: spice/trunk/PKGBUILD -+ CVE-2013-4282.patch | 104 ++ PKGBUILD| 13 -- 2 files changed, 114 insertions(+), 3 deletions(-) Added: CVE-2013-4282.patch === --- CVE-2013-4282.patch (rev 0) +++ CVE-2013-4282.patch 2013-11-18 07:36:08 UTC (rev 199888) 
@@ -0,0 +1,104 @@ +From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau cferg...@redhat.com +Date: Fri, 23 Aug 2013 09:29:44 + +Subject: Fix buffer overflow when decrypting client SPICE ticket + +reds_handle_ticket uses a fixed size 'password' buffer for the decrypted +password whose size is SPICE_MAX_PASSWORD_LENGTH. However, +RSA_private_decrypt which we call for the decryption expects the +destination buffer to be at least RSA_size(link-tiTicketing.rsa) +bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH +is 60 while RSA_size() is 128, so we end up overflowing 'password' +when using long passwords (this was reproduced using the string: +'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]' +as a password). + +When the overflow occurs, QEMU dies with: +*** stack smashing detected ***: qemu-system-x86_64 terminated + +This commit ensures we use a corectly sized 'password' buffer, +and that it's correctly nul-terminated so that we can use strcmp +instead of strncmp. To keep using strncmp, we'd need to figure out +which one of 'password' and 'taTicket.password' is the smaller buffer, +and use that size. 
+ +This fixes rhbz#999839 +--- +diff --git a/server/reds.c b/server/reds.c +index 892d247..2a0002b 100644 +--- a/server/reds.c b/server/reds.c +@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link) + static void reds_handle_ticket(void *opaque) + { + RedLinkInfo *link = (RedLinkInfo *)opaque; +-char password[SPICE_MAX_PASSWORD_LENGTH]; ++char *password; + time_t ltime; ++int password_size; + + //todo: use monotonic time + time(ltime); +-RSA_private_decrypt(link-tiTicketing.rsa_size, +-link-tiTicketing.encrypted_ticket.encrypted_data, +-(unsigned char *)password, link-tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); ++if (RSA_size(link-tiTicketing.rsa) SPICE_MAX_PASSWORD_LENGTH) { ++spice_warning(RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d %d), ++ SPICE ticket sent from client may be truncated, ++ RSA_size(link-tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH); ++} ++ ++password = g_malloc0(RSA_size(link-tiTicketing.rsa) + 1); ++password_size = RSA_private_decrypt(link-tiTicketing.rsa_size, ++ link-tiTicketing.encrypted_ticket.encrypted_data, ++(unsigned char *)password, ++link-tiTicketing.rsa, ++RSA_PKCS1_OAEP_PADDING); ++if (password_size == -1) { ++spice_warning(failed to decrypt RSA encrypted password: %s, ++ ERR_error_string(ERR_get_error(), NULL)); ++goto error; ++} ++password[password_size] = '\0'; + + if (ticketing_enabled !link-skip_auth) { + int expired = taTicket.expiration_time ltime; + + if (strlen(taTicket.password) == 0) { +-reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); + spice_warning(Ticketing is enabled, but no password is set. 
+-please set a ticket first); +-reds_link_free(link); +-return; ++ please set a ticket first); ++goto error; + } + +-if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) { ++if (expired || strcmp(password, taTicket.password) != 0) { + if (expired) { + spice_warning(Ticket has expired); + } else { + spice_warning(Invalid password); + } +-reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); +-reds_link_free(link); +-return; ++goto error; + } + } + + reds_handle_link(link); ++goto end; ++ ++error: ++reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); ++reds_link_free(link); ++ ++end: ++g_free(password); + } + + static inline void async_read_clear_handlers(AsyncRead *obj) +-- +cgit v0.9.0.2-2-gbebe Modified: PKGBUILD === --- PKGBUILD2013-11-18 07:25:14 UTC (rev
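Review bot: The new `if (expired || strcmp(password, taTicket.password) != 0)` line in reds_handle_ticket still compares the decrypted ticket with an early-exit byte comparison, so the overflow is fixed but the authentication check remains timing-dependent on how many leading bytes match; a length-independent comparison such as OpenSSL's `CRYPTO_memcmp` over the full buffer (after comparing lengths) would be the defensive choice here. The cleanup path `end: g_free(password);` also releases the cleartext password without clearing it, so `OPENSSL_cleanse(password, password_size);` (or `explicit_bzero` where available) before the `g_free` would keep the secret from lingering in freed heap. Note that this mailing-list rendering has dropped `<`, `>`, `&` and quote characters from the hunk (e.g. `link-tiTicketing`, `ticketing_enabled !link-skip_auth`), so the text above is not verbatim and the comparison lines should be checked against the actual patch file before acting on them.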