Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #911992,
regarding stretch-pu: package spice-gtk/0.33-3.3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
911992: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911992
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi

spice-gtk is affected by the CVE-2018-10873 issue, which is also tracked in
the Debian BTS as #906316. Whilst for src:spice itself we released a
DSA, for spice-gtk this does not warrant a DSA (the issue would be the
other way around, i.e. a malicious spice server triggering the issue in
the client).

A basic smoke test was performed with the resulting package, but I did not
specifically try to trigger the issue.

The changelog reads as follows:

+spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 26 Oct 2018 17:52:24 +0200

Full debdiff attached.

Thanks for considering including the update in the next stretch point
release.

Regards,
Salvatore
diff -Nru spice-gtk-0.33/debian/changelog spice-gtk-0.33/debian/changelog
--- spice-gtk-0.33/debian/changelog     2017-01-14 12:34:36.000000000 +0100
+++ spice-gtk-0.33/debian/changelog     2018-10-26 17:52:24.000000000 +0200
@@ -1,3 +1,10 @@
+spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 26 Oct 2018 17:52:24 +0200
+
 spice-gtk (0.33-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch
--- spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch      1970-01-01 01:00:00.000000000 +0100
+++ spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch      2018-10-26 17:52:24.000000000 +0200
@@ -0,0 +1,68 @@
+From: Frediano Ziglio <fzig...@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: Fix flexible array buffer overflow
+Origin: 
https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873
+Bug-Debian: https://bugs.debian.org/906316
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+    message {
+        uint32 dummy[2];
+        uint8 data[] @end;
+    } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+    { /* data */
+        data__nelements = message_end - (start + 8);
+
+        data__nw_size = data__nelements;
+    }
+
+    nw_size = 8 + data__nw_size;
+
+    /* Check if message fits in reported side */
+    if (nw_size > (uintptr_t) (message_end - start)) {
+        return NULL;
+    }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+  8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+  nw_size == message_end - start so the check is doing
+  ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
+Signed-off-by: Christophe Fergeau <cferg...@redhat.com>
+[Salvatore Bonaccorso: Drop generated diff from commit messages causing
+ problem when applying with quilt. Remove addition to testsuite]
+---
+
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co
+         writer.assign(nelements, array.size)
+     elif array.is_remaining_length():
+         if element_type.is_fixed_nw_size():
++            writer.error_check("%s > message_end" % item.get_position())
+             if element_type.get_fixed_nw_size() == 1:
+                 writer.assign(nelements, "message_end - %s" % 
item.get_position())
+             else:
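Review bot: the new `writer.error_check("%s > message_end" % item.get_position())` is emitted only inside `if element_type.is_fixed_nw_size():`; the `else:` branch at the bottom of the hunk, which handles remaining-length arrays whose elements are not fixed-size, is cut off here and receives no guard in this diff, so it is worth confirming with upstream that the same `message_end - position` underflow cannot be reached on that path. Two smaller points on the same line: the guard is spelled as `position > message_end`, which forms `start + 8` (a pointer past the end of a short message) before comparing, whereas the equivalent `message_end - start < 8` from the commit message's own analysis does not; and since the header notes the upstream testsuite addition was dropped and the request says the smoke test did not try to trigger the issue, nothing in this upload exercises the new check. Because the change lands in the generator (demarshal.py) rather than in C sources, it only protects the demarshallers regenerated at build time; grepping the build tree's generated demarshaller for the new `> message_end` comparison would confirm the build actually re-ran the generator.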
diff -Nru spice-gtk-0.33/debian/patches/series spice-gtk-0.33/debian/patches/series
--- spice-gtk-0.33/debian/patches/series        2017-01-14 12:34:36.000000000 +0100
+++ spice-gtk-0.33/debian/patches/series        2018-10-26 17:52:24.000000000 +0200
@@ -3,3 +3,4 @@
 ssl-Stop-creating-our-own-X509_LOOKUP_METHOD.patch
 ssl-Rework-our-custom-BIO-type.patch
 ssl-Use-accessors-rather-than-direct-struct-access.patch
+Fix-flexible-array-buffer-overflow.patch

--- End Message ---
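The underflow the patch's commit message walks through, as an added example that is not part of the bug report, the debdiff or spice-common itself: two C validators that mirror the generated code quoted in the commit message (the `uint32 dummy[2]; uint8 data[] @end;` layout), one before and one after the `> message_end` check, run over a constructed message shorter than the 8-byte fixed prefix. All size arithmetic is modelled in `size_t`, following the commit message's pointer-width algebra; the variable types of the real generated demarshaller, the `wire` buffer contents and the helper names `validate_before_fix`, `validate_after_fix`, `verdict` and `computed_nelements` are assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Message layout taken from the commit message's example:
 *     uint32 dummy[2];      -- 8 fixed bytes before the array
 *     uint8  data[] @end;   -- "remaining length" array
 * Size arithmetic is modelled in size_t, as in the commit message's
 * algebra; the types used by the real generated demarshaller are an
 * assumption of this example, not taken from the patch. */
#define FIXED_PREFIX 8

/* Constructed wire buffer (not captured traffic). It is larger than any
 * message validated below so that start + FIXED_PREFIX stays inside one
 * object even when the message itself is shorter than the fixed prefix. */
static const uint8_t wire[16] = {
    0x01, 0x00, 0x00, 0x00,  0x02, 0x00, 0x00, 0x00,   /* dummy[0], dummy[1] */
    0xaa, 0xbb, 0xcc, 0xdd,  0xee, 0xff, 0x10, 0x11    /* data[]             */
};

/* Pre-fix size validation, following the generated code quoted in the
 * commit message. Returns 1 if the message is accepted and stores the
 * element count the parser would then go on to copy; 0 on rejection. */
static int validate_before_fix(const uint8_t *start, const uint8_t *message_end,
                               size_t *nelements)
{
    /* Negative when the message is shorter than the prefix: the ptrdiff_t
     * converts to a huge size_t instead of being rejected. */
    size_t data__nelements = (size_t)(message_end - (start + FIXED_PREFIX));
    size_t data__nw_size = data__nelements;

    /* 8 + (message_end - start - 8) wraps back to message_end - start, so
     * the comparison below compares a value with itself: always false. */
    size_t nw_size = FIXED_PREFIX + data__nw_size;
    if (nw_size > (uintptr_t)(message_end - start))
        return 0;

    *nelements = data__nelements;
    return 1;
}

/* Post-fix validation: the patched generator emits an error_check that the
 * array starts before the message ends, ahead of the subtraction. */
static int validate_after_fix(const uint8_t *start, const uint8_t *message_end,
                              size_t *nelements)
{
    if (start + FIXED_PREFIX > message_end)   /* the added check */
        return 0;

    size_t data__nelements = (size_t)(message_end - (start + FIXED_PREFIX));
    size_t nw_size = FIXED_PREFIX + data__nelements;
    if (nw_size > (uintptr_t)(message_end - start))
        return 0;

    *nelements = data__nelements;
    return 1;
}

/* Validate the first msg_len bytes of the constructed buffer with the
 * pre-fix (fixed == 0) or post-fix (fixed != 0) validator.
 * Returns 1 (accepted), 0 (rejected) or -1 (msg_len exceeds the buffer). */
int verdict(int fixed, size_t msg_len)
{
    size_t n = 0;
    if (msg_len > sizeof wire)
        return -1;
    if (fixed)
        return validate_after_fix(wire, wire + msg_len, &n);
    return validate_before_fix(wire, wire + msg_len, &n);
}

/* Element count an accepted message would be parsed with; 0 if rejected. */
size_t computed_nelements(int fixed, size_t msg_len)
{
    size_t n = 0;
    if (verdict(fixed, msg_len) != 1)
        return 0;
    if (fixed)
        validate_after_fix(wire, wire + msg_len, &n);
    else
        validate_before_fix(wire, wire + msg_len, &n);
    return n;
}

int main(void)
{
    const size_t lens[] = { 3, 8, 12 };   /* too short, exactly the prefix, normal */
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%2zu  before-fix: %s nelements=%zu  after-fix: %s nelements=%zu\n",
               lens[i],
               verdict(0, lens[i]) ? "accept" : "reject", computed_nelements(0, lens[i]),
               verdict(1, lens[i]) ? "accept" : "reject", computed_nelements(1, lens[i]));
    }
    return 0;
}
```

With a 3-byte message the pre-fix validator accepts it and hands the parser an element count of `SIZE_MAX - 4`, which is the value the commit message's "integer underflow that later creates a buffer overflow" refers to; the post-fix validator rejects the same message, and both agree on well-formed input (12 bytes give 4 elements, exactly 8 bytes give an empty array).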
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
