[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2022-08-09 Thread John Helmert III
commit: f669a2f91427e142b943efe92978216dff4c842a
Author: John Helmert III  gentoo  org>
AuthorDate: Tue Aug  9 21:27:51 2022 +
Commit: John Helmert III  gentoo  org>
CommitDate: Tue Aug  9 21:30:23 2022 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f669a2f9

app-emulation/spice: drop 0.14.3-r1

Bug: https://bugs.gentoo.org/792618
Signed-off-by: John Helmert III  gentoo.org>

 app-emulation/spice/Manifest   |   1 -
 .../spice-0.14.3-CVE-2020-14355-404d7478.patch |  31 --
 .../spice-0.14.3-CVE-2020-14355-762e0aba.patch |  13 ---
 .../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch |  18 
 .../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch |  17 
 app-emulation/spice/spice-0.14.3-r1.ebuild | 106 -
 6 files changed, 186 deletions(-)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 0135aefa813e..9fac0bce8dcb 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,3 +1,2 @@
-DIST spice-0.14.3.tar.bz2 1504304 BLAKE2B 
be655e1d4c48dae29903ab8e0dc52da63723e3252052afccc9587065531f28c8af7dbab4c585093f26d98f2273c6e734a553c18d4779a9f4464334ae1764f682
 SHA512 
9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4
 DIST spice-0.15.0-pthread-c5fe3df1.patch.bz2 7605 BLAKE2B 
86b8094a22a02080db038ef98972bf09f391d5344fee8df2aa7d2def0b50a581353cb0e3dd97f99bbd58b88a13ceac4b54be8086a9f4274f38d132b27b62e84d
 SHA512 
5075bd260b33c2dad8c3ce641372383871f7d69190a4f4697bd5e12af1bf5429310c592961de001d36c19a9cdd91143b8d6e8be0e08b3850b9700c2aef2ddd78
 DIST spice-0.15.0.tar.bz2 1537970 BLAKE2B 
98e8f55de81a86c6370e4a74c0fd90db78a9a8e8e3af536bccd6a2a75185194ac7b87521163090c4312e392d2ee10036c0283171c7796aea630e1307128a2d55
 SHA512 
0a776d191c395ce1f7ebbbac47956a00a2765327d3127aeca6e232bd56fd4ccd28750ae1599eb6eb2909ac909cda517d5511faa631166db16b8b75bd4e7b86d9

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
deleted file mode 100644
index 338f4e6ca657..
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff --git a/common/quic.c b/common/quic.c
-index 
bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e
 100644
 a/subprojects/spice-common/common/quic.c
-+++ b/subprojects/spice-common/common/quic.c
-@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
- #define MINwminext 1
- #define MAXwminext 1
- 
-+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
-+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
-+
- typedef struct QuicFamily {
- unsigned int nGRcodewords[MAXNUMCODES];  /* indexed by code number, 
contains number of
- unmodified GR codewords 
in the code */
-@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t 
*io_ptr, unsigned int num_io_w
- height = encoder->io_word;
- decode_eat32bits(encoder);
- 
-+if (width <= 0 || height <= 0) {
-+encoder->usr->warn(encoder->usr, "invalid size\n");
-+return QUIC_ERROR;
-+}
-+
-+/* avoid too big images */
-+if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
-+encoder->usr->error(encoder->usr, "image too large\n");
-+}
-+
- quic_image_params(encoder, type, , );
- 
- if (!encoder_reset_channels(encoder, channels, width, bpc)) {

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
deleted file mode 100644
index ce79ef0043ee..
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/common/quic.c b/common/quic.c
-index 
e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c
 100644
 a/subprojects/spice-common/common/quic.c
-+++ b/subprojects/spice-common/common/quic.c
-@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t 
*io_ptr, unsigned int num_io_w
- int channels;
- int bpc;
- 
--if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
-+if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
- return QUIC_ERROR;
- }
- 

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
deleted file mode 100644
index 40127deda15a..
--- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
-index 
8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df
 100644
 

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2021-04-04 Thread Matthias Maier
commit: d6418bd9306729c2497c17fe302f58965800897c
Author: Matthias Maier  gentoo  org>
AuthorDate: Sun Apr  4 18:48:42 2021 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Sun Apr  4 18:54:34 2021 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6418bd9

app-emulation/spice: apply security patches for CVE-2020-14355

Bug: https://bugs.gentoo.org/746920
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Matthias Maier  gentoo.org>

 .../spice-0.14.3-CVE-2020-14355-404d7478.patch |  31 +++
 .../spice-0.14.3-CVE-2020-14355-762e0aba.patch |  13 +++
 .../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch |  18 
 .../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch |  17 
 app-emulation/spice/spice-0.14.3-r1.ebuild | 103 +
 5 files changed, 182 insertions(+)

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
new file mode 100644
index 000..338f4e6ca65
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
@@ -0,0 +1,31 @@
+diff --git a/common/quic.c b/common/quic.c
+index 
bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e
 100644
+--- a/subprojects/spice-common/common/quic.c
 b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 1
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+ unsigned int nGRcodewords[MAXNUMCODES];  /* indexed by code number, 
contains number of
+ unmodified GR codewords 
in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t 
*io_ptr, unsigned int num_io_w
+ height = encoder->io_word;
+ decode_eat32bits(encoder);
+ 
++if (width <= 0 || height <= 0) {
++encoder->usr->warn(encoder->usr, "invalid size\n");
++return QUIC_ERROR;
++}
++
++/* avoid too big images */
++if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++encoder->usr->error(encoder->usr, "image too large\n");
++}
++
+ quic_image_params(encoder, type, , );
+ 
+ if (!encoder_reset_channels(encoder, channels, width, bpc)) {
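Review bot: The oversized-image branch in `quic_decode_begin` calls `encoder->usr->error(encoder->usr, "image too large\n");` and then falls through to `quic_image_params` and `encoder_reset_channels`, whereas the `width <= 0 || height <= 0` branch just above returns `QUIC_ERROR`. The size limit therefore only holds if every `error` callback is guaranteed never to return, and nothing in this hunk shows that contract. Adding `return QUIC_ERROR;` after the `error` call would enforce the bound regardless of the callback; failing that, a comment such as `/* usr->error() does not return */` should state the assumption. The function body starts and ends outside the hunk.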

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
new file mode 100644
index 000..ce79ef0043e
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
@@ -0,0 +1,13 @@
+diff --git a/common/quic.c b/common/quic.c
+index 
e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c
 100644
+--- a/subprojects/spice-common/common/quic.c
 b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t 
*io_ptr, unsigned int num_io_w
+ int channels;
+ int bpc;
+ 
+-if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+ return QUIC_ERROR;
+ }
+ 
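Review bot: The new `!num_io_words` test in `quic_decode_begin` has no comment saying why an empty buffer must be rejected before `encoder_reset` is called, so a later reader could take it for redundant and remove it. A one-line comment above the `if` would record the intent, for example `/* need at least one input word before encoder_reset touches the buffer */`. This is presumably because `encoder_reset` reads the first word, which the hunk does not show. The function starts and ends outside the hunk.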

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
new file mode 100644
index 000..40127deda15
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
@@ -0,0 +1,18 @@
+diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
+index 
8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df
 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
 b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, 
const unsigned int val)
+ {
+ spice_extra_assert(val < (0x1U << BPC));
+ 
+-return channel->_buckets_ptrs[val];
++/* The and (&) here is to avoid buffer overflows in case of garbage or 
malicious
++ * attempts. Is much faster then using comparisons and save us from such 
situations.
++ * Note that on normal build the check above won't be compiled as this 
code path
++ * is pretty hot and would cause speed regressions.
++ */
++return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
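Review bot: The mask in `find_bucket` keeps the index below `1U << BPC`, but it turns an out-of-range `val` into a lookup of an unrelated bucket rather than a decode error, so corrupt or hostile input keeps decoding with the wrong model state instead of being rejected. The mask is also only a memory-safety bound if `_buckets_ptrs` holds at least `1U << BPC` entries, which this hunk does not show. The comment should state that invariant, e.g. `/* _buckets_ptrs has (1U << BPC) entries, so the mask keeps val in range */`. The existing comment also has a typo: "faster then" should read "faster than".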

diff --git 
a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch 
b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
new file mode 100644
index 000..bc764ec23ce
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
@@ -0,0 +1,17 @@
+diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
+index 

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2020-04-18 Thread Matthias Maier
commit: ad28dfa767dead9be522f8bd8801ba76eb33a324
Author: Matthias Maier  gentoo  org>
AuthorDate: Sat Apr 18 18:35:25 2020 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Sat Apr 18 18:56:14 2020 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad28dfa7

app-emulation/spice: drop vulnerable versions, bug #717776

Bug: https://bugs.gentoo.org/717776
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Matthias Maier  gentoo.org>

 app-emulation/spice/Manifest   |   2 -
 ...0.14.0-fix-flexible-array-buffer-overflow.patch |  12 ---
 .../spice/files/spice-0.14.0-libressl_fix.patch|  13 ---
 .../spice/files/spice-0.14.0-openssl1.1_fix.patch  |  26 --
 app-emulation/spice/spice-0.14.0-r2.ebuild | 102 -
 app-emulation/spice/spice-0.14.2.ebuild| 100 
 6 files changed, 255 deletions(-)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 57ed7cd9f34..7b50d54451c 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,3 +1 @@
-DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 
08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750
 SHA512 
84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f
-DIST spice-0.14.2.tar.bz2 1406009 BLAKE2B 
e6c57bedd8c8ec0444da194be7279b895bf348dfa9b427d20301cc223627bcd65b7037280bc2a3d0b531b0cdcd8cb62d34ee132c549ac3dc8f6e5a2959339ce2
 SHA512 
1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76
 DIST spice-0.14.3.tar.bz2 1504304 BLAKE2B 
be655e1d4c48dae29903ab8e0dc52da63723e3252052afccc9587065531f28c8af7dbab4c585093f26d98f2273c6e734a553c18d4779a9f4464334ae1764f682
 SHA512 
9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4

diff --git 
a/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch
 
b/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch
deleted file mode 100644
index a05bbb7545a..000
--- 
a/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/spice-common/python_modules/demarshal.py 
b/spice-common/python_modules/demarshal.py
-index 1ea131d..7172762 100644
 a/spice-common/python_modules/demarshal.py
-+++ b/spice-common/python_modules/demarshal.py
-@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, 
scope, parent_scope, star
- writer.assign(nelements, array.size)
- elif array.is_remaining_length():
- if element_type.is_fixed_nw_size():
-+writer.error_check("%s > message_end" % item.get_position())
- if element_type.get_fixed_nw_size() == 1:
- writer.assign(nelements, "message_end - %s" % 
item.get_position())
- else:

diff --git a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch 
b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch
deleted file mode 100644
index 1dfce9480e9..000
--- a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/spice-common/common/ssl_verify.c 
b/spice-common/common/ssl_verify.c
-index a9ed650..27aa5d3 100644
 a/spice-common/common/ssl_verify.c
-+++ b/spice-common/common/ssl_verify.c
-@@ -33,7 +33,7 @@
- #include 
- #include 
- 
--#if OPENSSL_VERSION_NUMBER < 0x1010
-+#if OPENSSL_VERSION_NUMBER < 0x1010 || (defined(LIBRESSL_VERSION_NUMBER) 
&& LIBRESSL_VERSION_NUMBER < 0x2070L)
- static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1)
- {
- return M_ASN1_STRING_data(asn1);

diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch 
b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch
deleted file mode 100644
index c1c5a1c04ba..000
--- a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch
+++ /dev/null
@@ -1,26 +0,0 @@
 spice-0.13.90-orig/server/reds.c   2017-07-27 01:04:10.0 +1000
-+++ spice-0.13.90/server/reds.c2017-10-18 21:42:12.054934199 +1100
-@@ -34,6 +34,8 @@
- #include 
- 
- #include 
-+#include 
-+#include 
- 
- #if HAVE_SASL
- #include 
-@@ -2795,9 +2797,12 @@
- 
- static gpointer openssl_global_init(gpointer arg)
- {
-+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined 
(LIBRESSL_VERSION_NUMBER)
-+OPENSSL_init_ssl(0, NULL);
-+#else
- SSL_library_init();
- SSL_load_error_strings();
--
-+#endif
- openssl_thread_setup();
- 
- return NULL;
-

diff --git a/app-emulation/spice/spice-0.14.0-r2.ebuild 
b/app-emulation/spice/spice-0.14.0-r2.ebuild
deleted file mode 100644
index 49bf1e178a9..000
--- a/app-emulation/spice/spice-0.14.0-r2.ebuild

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2018-08-16 Thread Matthias Maier
commit: 54518b5955919d26b69fb31737f6450146ef6a7d
Author: Matthias Maier  gentoo  org>
AuthorDate: Thu Aug 16 21:31:54 2018 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Fri Aug 17 00:07:47 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54518b59

app-emulation/spice: drop old

Package-Manager: Portage-2.3.46, Repoman-2.3.10

 app-emulation/spice/Manifest   |   1 -
 ...buffer-overflows-handling-monitor-configu.patch |  47 --
 ...integer-overflows-handling-monitor-config.patch |  30 --
 ...nect-when-receiving-overly-big-ClientMoni.patch |  75 ---
 .../files/spice-0.13.3-skip_faulty_lz4_check.patch |  13 ---
 app-emulation/spice/spice-0.13.3-r2.ebuild | 104 -
 6 files changed, 270 deletions(-)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 8258480e0ae..6b3b7c613b4 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,2 +1 @@
-DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 
56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17
 SHA512 
63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a
 DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 
08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750
 SHA512 
84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f

diff --git 
a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
 
b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
deleted file mode 100644
index 8792395977e..000
--- 
a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Matthias Maier 
-
- - Ported to 0.13.3
-
-
-From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio 
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor
- configuration
-
-It was also possible for a malicious client to set
-VDAgentMonitorsConfig::num_of_monitors to a number larger
-than the actual size of VDAgentMOnitorsConfig::monitors.
-This would lead to buffer overflows, which could allow the guest to
-read part of the host memory. This might cause write overflows in the
-host as well, but controlling the content of such buffers seems
-complicated.
-
-Signed-off-by: Frediano Ziglio 

-
-diff --git a/server/reds.c b/server/reds.c
-index ec89105..fd1457f 100644
 a/server/reds.c
-+++ b/server/reds.c
-@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState 
*reds,
- VDAgentMessage *msg_header;
- VDAgentMonitorsConfig *monitors_config;
- RedsClientMonitorsConfig *cmc = >client_monitors_config;
-+uint32_t max_monitors;
- 
- // limit size of message sent by the client as this can cause a DoS 
through
- // memory exhaustion, or potentially some integer overflows
-@@ -1113,6 +1114,12 @@ static void 
reds_on_main_agent_monitors_config(RedsState *reds,
- goto overflow;
- }
- monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + 
sizeof(*msg_header));
-+// limit the monitor number to avoid buffer overflows
-+max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) /
-+   sizeof(VDAgentMonConfig);
-+if (monitors_config->num_of_monitors > max_monitors) {
-+goto overflow;
-+}
- spice_debug("%s: %d", __func__, monitors_config->num_of_monitors);
- reds_client_monitors_config(reds, monitors_config);
- reds_client_monitors_config_cleanup(reds);

diff --git 
a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch
 
b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch
deleted file mode 100644
index f05e55c7354..000
--- 
a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio 
-Date: Mon, 15 May 2017 15:57:28 +0100
-Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor
- configuration
-
-Avoid VDAgentMessage::size integer overflows.
-
-Signed-off-by: Frediano Ziglio 

- server/reds.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index ec2b6f47..656f518f 100644
 a/server/reds.c
-+++ b/server/reds.c
-@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState 
*reds,
- spice_debug("not enough data yet. %zd", cmc->offset);
- return;

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2018-02-11 Thread Matthias Maier
commit: 09c721b3411933c73bb1f9891765a3cbdc98bbdf
Author: Matthias Maier  gentoo  org>
AuthorDate: Mon Feb 12 01:46:20 2018 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Mon Feb 12 01:48:29 2018 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09c721b3

app-emulation/spice: drop 0.13.90 - let's focus on 0.14.0

Package-Manager: Portage-2.3.24, Repoman-2.3.6

 app-emulation/spice/Manifest   |  1 -
 .../spice/files/spice-0.14.0-openssl1.1_fix.patch  |  2 +-
 app-emulation/spice/spice-0.13.90.ebuild   | 97 --
 3 files changed, 1 insertion(+), 99 deletions(-)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 5dd45f8f0fc..8258480e0ae 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,3 +1,2 @@
 DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 
56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17
 SHA512 
63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a
-DIST spice-0.13.90.tar.bz2 1364173 BLAKE2B 
1bc0e71d8c5a21f9961ac6c0567bde19d31983bd5b0f5d4df30cc5634080d288f277689d875334d94c6a276284313bc82f15eaf0ce20916c6c912c2dcc4bdfc0
 SHA512 
a5a6ab328a2d3cb405ead6eef40a1b896432f35accf1f8b015fc9deadcc4e5eb5f6d8d575a94fa3b2505e206986887badecf721ab015efd88dad174d7340c01c
 DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 
08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750
 SHA512 
84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f

diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch 
b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch
index ea4e606b3db..5854d8788c7 100644
--- a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch
+++ b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch
@@ -13,7 +13,7 @@
  
  static gpointer openssl_global_init(gpointer arg)
  {
-+#if OPENSSL_VERSION_NUMBER >= 0x1000L
++#if OPENSSL_VERSION_NUMBER >= 0x1010L
 +OPENSSL_init_ssl(0, NULL);
 +#else
  SSL_library_init();
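Review bot: The corrected `#if` in `openssl_global_init` still tests only `OPENSSL_VERSION_NUMBER`. LibreSSL defines that macro too, with a value above the OpenSSL 1.1 threshold, so a LibreSSL build also takes the `OPENSSL_init_ssl(0, NULL)` branch. This package has a `libressl` USE flag and a separate libressl fix patch, and older LibreSSL releases may not provide `OPENSSL_init_ssl`. The condition should exclude LibreSSL by appending `&& !defined(LIBRESSL_VERSION_NUMBER)` to the `#if` line. The numeric constants on this page look truncated by the archive, so check the threshold against the file in the repository rather than this listing.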

diff --git a/app-emulation/spice/spice-0.13.90.ebuild 
b/app-emulation/spice/spice-0.13.90.ebuild
deleted file mode 100644
index abf7a28a67b..000
--- a/app-emulation/spice/spice-0.13.90.ebuild
+++ /dev/null
@@ -1,97 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=6
-PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
-
-inherit autotools ltprune python-any-r1 readme.gentoo-r1 xdg-utils
-
-DESCRIPTION="SPICE server"
-HOMEPAGE="https://www.spice-space.org/;
-SRC_URI="https://www.spice-space.org/download/releases/${P}.tar.bz2;
-
-LICENSE="LGPL-2.1"
-SLOT="0"
-KEYWORDS="~amd64 ~arm64 ~x86"
-IUSE="libressl lz4 sasl smartcard static-libs gstreamer"
-
-# the libspice-server only uses the headers of libcacard
-RDEPEND="
-   >=dev-libs/glib-2.22:2[static-libs(+)?]
-   >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?]
-   media-libs/opus[static-libs(+)?]
-   sys-libs/zlib[static-libs(+)?]
-   virtual/jpeg:0=[static-libs(+)?]
-   >=x11-libs/pixman-0.17.7[static-libs(+)?]
-   !libressl? ( dev-libs/openssl:0=[static-libs(+)?] )
-   libressl? ( dev-libs/libressl:0=[static-libs(+)?] )
-   lz4? ( app-arch/lz4:0=[static-libs(+)?] )
-   smartcard? ( >=app-emulation/libcacard-0.1.2 )
-   sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] )
-   gstreamer? (
-   media-libs/gstreamer:1.0
-   media-libs/gst-plugins-base:1.0
-   )"
-DEPEND="${RDEPEND}
-   ${PYTHON_DEPS}
-   >=app-emulation/spice-protocol-0.12.12
-   virtual/pkgconfig
-   $(python_gen_any_dep '
-   >=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]
-   dev-python/six[${PYTHON_USEDEP}]
-   ')
-   smartcard? ( app-emulation/qemu[smartcard] )"
-
-python_check_deps() {
-   has_version ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]"
-   has_version "dev-python/six[${PYTHON_USEDEP}]"
-}
-
-pkg_setup() {
-   [[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup
-}
-
-src_prepare() {
-   default
-
-   eautoreconf
-}
-
-src_configure() {
-   # Prevent sandbox violations, bug #586560
-   # https://bugzilla.gnome.org/show_bug.cgi?id=744134
-   # https://bugzilla.gnome.org/show_bug.cgi?id=744135
-   addpredict /dev
-
-   xdg_environment_reset
-
-   local myconf="
-   $(use_enable static-libs static)
-   $(use_enable lz4)
-   $(use_with sasl)
-   $(use_enable smartcard)
-   --enable-gstreamer=$(usex gstreamer "1.0" "no")
-   --enable-celt051
-   --disable-gui
-   "

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2017-05-10 Thread Matthias Maier
commit: 24492876545e0acf680e214f8547a2e739f89a9e
Author: Matthias Maier  gentoo  org>
AuthorDate: Thu May 11 04:36:38 2017 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Thu May 11 04:37:33 2017 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24492876

app-emulation/spice: drop versions 0.12.8, 0.13.1, 0.13.2

Package-Manager: Portage-2.3.5, Repoman-2.3.2

 app-emulation/spice/Manifest   |   3 -
 .../spice/files/0.12.8-upstream-fix.patch  |  36 ---
 .../spice/files/0.13.1-CVE-2016-0749-p1.patch  |  56 ---
 .../spice/files/0.13.1-CVE-2016-0749-p2.patch  |  50 --
 .../spice/files/0.13.1-CVE-2016-2150-p1.patch  | 109 -
 .../spice/files/0.13.1-CVE-2016-2150-p2.patch  |  50 --
 app-emulation/spice/spice-0.12.8.ebuild|  86 
 app-emulation/spice/spice-0.13.1-r2.ebuild |  91 -
 app-emulation/spice/spice-0.13.2.ebuild|  88 -
 9 files changed, 569 deletions(-)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 61803b6991c..8e228b69b86 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,5 +1,2 @@
 DIST spice-0.12.7.tar.bz2 1220405 SHA256 
1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba SHA512 
a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae
 WHIRLPOOL 
61ffa3e280a346a2667ddd38dcfd63ffa6c1e6efd0f05da4fad43b00ca5e1a1587411a907b929b75e4d1e72ebcef29621ccdd76dfb313e8f3a5513a5a367132b
-DIST spice-0.12.8.tar.bz2 1223778 SHA256 
f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d SHA512 
6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed
 WHIRLPOOL 
9363254a4b072e8c06e7c0ea4d25dd4b068e4700cbb4fdaabc9f8fe9291e2f67afc321b0d56c2b6f46153b3f6bd7d6c96341437053b0410808fb95ddd01354fb
-DIST spice-0.13.1.tar.bz2 1245323 SHA256 
9ecb130424da02e90c235c1294f6e759d7c676c5e710587a5c98a1f20f991da2 SHA512 
a8e65cc02c802686f2e0c21615401e13b337e050c40938bebefa684abc1ce0e2d478136d0fec481a8ee30ed98f2e2fb909dfbf6cd65e9dfd7093d59f825b95d5
 WHIRLPOOL 
068d7d26f18435995546d84b0d8d81ced4973773303463e597cf05e1c5accd9ac8554f22032eb55827bebbe6c0fc14915455da24c58fc70b135d955fe3442db7
-DIST spice-0.13.2.tar.bz2 1284734 SHA256 
045a1f145d8207ecf33105c8a8917252c1201c45791fdc544733465a37974954 SHA512 
7220c6550446a8077522442bd518cff68439bb0b00ee199920b32a97c3655ccad75a0cdfc822a99be678e6098ad33698b26340caddae0400403490a89137d367
 WHIRLPOOL 
f2bd409e87203c2bbe481e6b6ba9ae3c6cfee0e67b0dd5073c97e9ff14d9c02a7cec0606700717ce9c25e478a38eefc925f9c797697981528f357464f388b65d
 DIST spice-0.13.3.tar.bz2 1322505 SHA256 
30f710c0e7594e05b6b9cc702be748a69f910a95192ab851d748c256157fb89e SHA512 
63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a
 WHIRLPOOL 
16bb08301d66c1f21f612f5be87ba1ffef7132f3c18ac3ab7feec21e16de61461648311d04f6990254d4c47ee7a6d39f4c33f122e941e5a3fc0c2ed289dd928b

diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch 
b/app-emulation/spice/files/0.12.8-upstream-fix.patch
deleted file mode 100644
index fcc1855ac77..000
--- a/app-emulation/spice/files/0.12.8-upstream-fix.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681
-Author: Marc-André Lureau 
-Date:   Wed Jul 20 17:16:31 2016 +0400
-
-Call migrate_end_complete() after falling back to switch-host
-
-Eventually, during a seamless migration, qemu may finish to migrate
-before the spice client even finished to connect all channels to
-destination and informed the server. In this case,
-main_channel_client_migrate_src_complete() will fall back to
-switch-host method, and reds_mig_fill_wait_disconnect() is called to
-complete the migration (disconnecting all channels).
-
-reds_mig_cleanup() is called when all channels are disconnected, but
-reds->mig_wait_connect is still TRUE, and it will call
-migrate_connect_complete() instead of the expected
-migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when
-reds_mig_fill_wait_disconnect() solves the issue.
-
-Fixes:
-https://bugzilla.redhat.com/show_bug.cgi?id=1352836
-
-Signed-off-by: Marc-André Lureau 
-
-diff --git a/server/reds.c b/server/reds.c
-index 61bf735..f40b65c 100644
 a/server/reds.c
-+++ b/server/reds.c
-@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void)
- wait_client->client = client;
- ring_add(>mig_wait_disconnect_clients, _client->link);
- }
-+reds->mig_wait_connect = FALSE;
- reds->mig_wait_disconnect = TRUE;
- core->timer_start(reds->mig_timer, 

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2016-10-31 Thread Yixun Lan
commit: 21553fd5fd80fdeef53848b820f870fb7744aa12
Author: Yixun Lan  gentoo  org>
AuthorDate: Tue Nov  1 02:45:56 2016 +
Commit: Yixun Lan  gentoo  org>
CommitDate: Tue Nov  1 02:46:24 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21553fd5

app-emulation/spice: upstream stable release bump

Package-Manager: portage-2.3.2

 app-emulation/spice/Manifest   |  1 +
 .../spice/files/0.12.8-upstream-fix.patch  | 36 +
 app-emulation/spice/spice-0.12.8.ebuild| 87 ++
 3 files changed, 124 insertions(+)

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index b1bc248..4bc4869 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,3 +1,4 @@
 DIST spice-0.12.7.tar.bz2 1220405 SHA256 
1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba SHA512 
a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae
 WHIRLPOOL 
61ffa3e280a346a2667ddd38dcfd63ffa6c1e6efd0f05da4fad43b00ca5e1a1587411a907b929b75e4d1e72ebcef29621ccdd76dfb313e8f3a5513a5a367132b
+DIST spice-0.12.8.tar.bz2 1223778 SHA256 
f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d SHA512 
6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed
 WHIRLPOOL 
9363254a4b072e8c06e7c0ea4d25dd4b068e4700cbb4fdaabc9f8fe9291e2f67afc321b0d56c2b6f46153b3f6bd7d6c96341437053b0410808fb95ddd01354fb
 DIST spice-0.13.1.tar.bz2 1245323 SHA256 
9ecb130424da02e90c235c1294f6e759d7c676c5e710587a5c98a1f20f991da2 SHA512 
a8e65cc02c802686f2e0c21615401e13b337e050c40938bebefa684abc1ce0e2d478136d0fec481a8ee30ed98f2e2fb909dfbf6cd65e9dfd7093d59f825b95d5
 WHIRLPOOL 
068d7d26f18435995546d84b0d8d81ced4973773303463e597cf05e1c5accd9ac8554f22032eb55827bebbe6c0fc14915455da24c58fc70b135d955fe3442db7
 DIST spice-0.13.2.tar.bz2 1284734 SHA256 
045a1f145d8207ecf33105c8a8917252c1201c45791fdc544733465a37974954 SHA512 
7220c6550446a8077522442bd518cff68439bb0b00ee199920b32a97c3655ccad75a0cdfc822a99be678e6098ad33698b26340caddae0400403490a89137d367
 WHIRLPOOL 
f2bd409e87203c2bbe481e6b6ba9ae3c6cfee0e67b0dd5073c97e9ff14d9c02a7cec0606700717ce9c25e478a38eefc925f9c797697981528f357464f388b65d

diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch 
b/app-emulation/spice/files/0.12.8-upstream-fix.patch
new file mode 100644
index ..fcc1855
--- /dev/null
+++ b/app-emulation/spice/files/0.12.8-upstream-fix.patch
@@ -0,0 +1,36 @@
+commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681
+Author: Marc-André Lureau 
+Date:   Wed Jul 20 17:16:31 2016 +0400
+
+Call migrate_end_complete() after falling back to switch-host
+
+Eventually, during a seamless migration, qemu may finish to migrate
+before the spice client even finished to connect all channels to
+destination and informed the server. In this case,
+main_channel_client_migrate_src_complete() will fall back to
+switch-host method, and reds_mig_fill_wait_disconnect() is called to
+complete the migration (disconnecting all channels).
+
+reds_mig_cleanup() is called when all channels are disconnected, but
+reds->mig_wait_connect is still TRUE, and it will call
+migrate_connect_complete() instead of the expected
+migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when
+reds_mig_fill_wait_disconnect() solves the issue.
+
+Fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=1352836
+
+Signed-off-by: Marc-André Lureau 
+
+diff --git a/server/reds.c b/server/reds.c
+index 61bf735..f40b65c 100644
+--- a/server/reds.c
 b/server/reds.c
+@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void)
+ wait_client->client = client;
+ ring_add(>mig_wait_disconnect_clients, _client->link);
+ }
++reds->mig_wait_connect = FALSE;
+ reds->mig_wait_disconnect = TRUE;
+ core->timer_start(reds->mig_timer, MIGRATE_TIMEOUT);
+ }

diff --git a/app-emulation/spice/spice-0.12.8.ebuild 
b/app-emulation/spice/spice-0.12.8.ebuild
new file mode 100644
index ..7cbe1ee
--- /dev/null
+++ b/app-emulation/spice/spice-0.12.8.ebuild
@@ -0,0 +1,87 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit eutils python-any-r1
+
+DESCRIPTION="SPICE server"
+HOMEPAGE="http://spice-space.org/;
+SRC_URI="http://spice-space.org/download/releases/${P}.tar.bz2;
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="libressl sasl smartcard static-libs"
+
+# the libspice-server only uses the headers of libcacard
+RDEPEND="
+   >=dev-libs/glib-2.22:2[static-libs(+)?]
+   >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?]
+   

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2016-06-13 Thread Matthias Maier
commit: e78aee5d6b747e4dd0c6aed30b959107957a7c17
Author: Matthias Maier  gentoo  org>
AuthorDate: Tue Jun 14 04:39:52 2016 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Tue Jun 14 05:46:46 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e78aee5d

app-emulation/spice: fix vuln 0.12.7, bug #584126

Apply the following patches to 0.12.7:

CVE-2016-2150:

  0067-create-a-function-to-validate-surface-parameters.patch
  0068-improve-primary-surface-parameter-checks.patch

CVE-2016-0749:

  0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
  0066-smartcard-allocate-msg-with-the-expected-size.patch

Gentoo-Bug: 584126

Package-Manager: portage-2.2.28
Signed-off-by: Matthias Maier  gentoo.org>

 .../spice/files/0.12.6-CVE-2016-0749-p1.patch  |  89 +++
 .../spice/files/0.12.6-CVE-2016-0749-p2.patch  |  61 +++
 .../spice/files/0.12.6-CVE-2016-2150-p1.patch  | 121 +
 .../spice/files/0.12.6-CVE-2016-2150-p2.patch  |  33 ++
 app-emulation/spice/spice-0.12.7-r1.ebuild |  76 +
 5 files changed, 380 insertions(+)

diff --git a/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch 
b/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch
new file mode 100644
index 000..2d79fbb
--- /dev/null
+++ b/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch
@@ -0,0 +1,89 @@
+From  Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau 
+Date: Thu, 17 Dec 2015 18:13:47 +0100
+Subject: [PATCH] smartcard: add a ref to item before adding to pipe
+
+There is an unref when the message is sent.
+
+==17204== ERROR: AddressSanitizer: heap-use-after-free on address 
0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffc630 sp 0x7fffc620
+READ of size 4 at 0x6008000144a8 thread T0
+#0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item 
/home/elmarco/src/spice/spice/server/smartcard.c:608
+#1 0x7fffee0cb451 in smartcard_unref_msg_to_client 
/home/elmarco/src/spice/spice/server/smartcard.c:178
+#2 0x7fffedfcdf14 in spice_char_device_read_from_device 
/home/elmarco/src/spice/spice/server/char-device.c:330
+#3 0x7fffedfd1763 in spice_char_device_wakeup 
/home/elmarco/src/spice/spice/server/char-device.c:901
+#4 0x7fffee05da98 in spice_server_char_device_wakeup 
/home/elmarco/src/spice/spice/server/reds.c:2990
+#5 0x5593fa34 in spice_chr_write 
/home/elmarco/src/qemu/spice-qemu-char.c:189
+#6 0x559375f1 in qemu_chr_fe_write 
/home/elmarco/src/qemu/qemu-char.c:220
+#7 0x55b3b682 in ccid_card_vscard_send_msg.isra.2 
/home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76
+#8 0x55b3c466 in ccid_card_vscard_send_error 
/home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91
+#9 0x55b3c466 in ccid_card_vscard_handle_message 
/home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242
+#10 0x55b3c466 in ccid_card_vscard_read 
/home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289
+#11 0x5593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41
+#12 0x7fffedfcee6d in spice_char_device_write_to_device 
/home/elmarco/src/spice/spice/server/char-device.c:477
+#13 0x7fffedfcfd31 in spice_char_device_write_buffer_add 
/home/elmarco/src/spice/spice/server/char-device.c:629
+#14 0x7fffee0ce9df in smartcard_channel_write_to_reader 
/home/elmarco/src/spice/spice/server/smartcard.c:675
+#15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add 
/home/elmarco/src/spice/spice/server/smartcard.c:341
+#16 0x7fffee0ce4f3 in smartcard_add_reader 
/home/elmarco/src/spice/spice/server/smartcard.c:648
+#17 0x7fffee0cf2e2 in smartcard_channel_handle_message 
/home/elmarco/src/spice/spice/server/smartcard.c:763
+#18 0x7fffedffe21f in red_peer_handle_incoming 
/home/elmarco/src/spice/spice/server/red-channel.c:307
+#19 0x7fffedffe4f6 in red_channel_client_receive 
/home/elmarco/src/spice/spice/server/red-channel.c:325
+#20 0x7fffee00726c in red_channel_client_event 
/home/elmarco/src/spice/spice/server/red-channel.c:1566
+#21 0x55c3c53d in qemu_iohandler_poll 
/home/elmarco/src/qemu/iohandler.c:143
+#22 0x55c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
+#23 0x556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
+#24 0x556f160c in main /home/elmarco/src/qemu/vl.c:4394
+#25 0x7fffed7d0b14 in __libc_start_main 
/usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
+#26 0x556f9c20 in _start 
(/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
+0x6008000144a8 is located 24 bytes inside of 40-byte region 
[0x600800014490,0x6008000144b8)
+freed by thread T0 here:
+#0 0x74e61009 in __interceptor_free 
/usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61
+#1 0x7fffee0ce2a1 in 

[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/

2016-06-13 Thread Matthias Maier
commit: 76546db063fa388fbd42de1860e0d79d17948011
Author: Matthias Maier  gentoo  org>
AuthorDate: Tue Jun 14 05:37:13 2016 +
Commit: Matthias Maier  gentoo  org>
CommitDate: Tue Jun 14 05:46:47 2016 +
URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76546db0

app-emulation/spice: fix vuln 0.13.1, bug #584126

Apply the following patches to 0.13.1:

CVE-2016-2150:

  Commit 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
  Commit 790d8f3e53d324f496fc719498422e433aae8654

  *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
  *instead of* 0068-improve-primary-surface-parameter-checks.patch

CVE-2016-0749:

  Ported the following commits to 0.13.1 (patches did not apply due to
  refactoring of some internal data structures and renaming).

  *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
  *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch

Gentoo-Bug: 584126

Package-Manager: portage-2.2.28

 .../spice/files/0.13.1-CVE-2016-0749-p1.patch  |  56 +++
 .../spice/files/0.13.1-CVE-2016-0749-p2.patch  |  50 ++
 .../spice/files/0.13.1-CVE-2016-2150-p1.patch  | 109 +
 .../spice/files/0.13.1-CVE-2016-2150-p2.patch  |  50 ++
 app-emulation/spice/spice-0.13.1-r2.ebuild |  78 +++
 5 files changed, 343 insertions(+)

diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch 
b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
new file mode 100644
index 000..cd1c8ef
--- /dev/null
+++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
@@ -0,0 +1,56 @@
+From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
+From: Matthias Maier 
+Date: Tue, 14 Jun 2016 00:08:05 -0500
+Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
+
+This is a port of
+
+  0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From  Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau 
+Date: Thu, 17 Dec 2015 18:13:47 +0100
+Subject: [PATCH] smartcard: add a ref to item before adding to pipe
+
+There is an unref when the message is sent.
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau 
+---
+ server/smartcard.c | 10 +++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index ba6f2f5..96e4295 100644
+--- a/server/smartcard.c
 b/server/smartcard.c
+@@ -181,14 +181,18 @@ static void 
smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
+ smartcard_unref_vsc_msg_item((MsgItem *)msg);
+ }
+ 
+-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
++static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
+  RedClient *client,
+  void *opaque)
+ {
+ RedCharDeviceSmartcard *dev = opaque;
+-spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+-smartcard_channel_client_pipe_add_push(>priv->scc->base, &((MsgItem 
*)msg)->base);
+ 
++MsgItem *msg = (MsgItem *)message;
++PipeItem *item = >base;
++
++spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
++smartcard_ref_vsc_msg_item(msg);
++smartcard_channel_client_pipe_add_push(>priv->scc->base, item);
+ }
+ 
+ static void smartcard_send_tokens_to_client(RedClient *client, uint32_t 
tokens, void *opaque)
+-- 
+2.7.3
+
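Review bot: The added `smartcard_ref_vsc_msg_item(msg);` in `smartcard_send_msg_to_client` carries no comment saying which unref it pairs with. The port also replaces the original AddressSanitizer heap-use-after-free trace with `[...]`, so the patch file no longer records why the extra reference is needed. The quoted commit message says only that there is an unref when the message is sent. Presumably the pipe drops this reference once the item has gone out, while the char device releases its own through `smartcard_unref_msg_to_client`. I would add above the call `/* the pipe holds its own ref, dropped when the item is sent; the char device unrefs separately */`, and cite the upstream commit id in the header, since the quoted `From` line shows no hash on this page.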

diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch 
b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
new file mode 100644
index 000..6a1895f
--- /dev/null
+++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
@@ -0,0 +1,50 @@
+From 4cd23b8378e68283c7c9cf0b1e25dae11cf69c3e Mon Sep 17 00:00:00 2001
+From: Matthias Maier 
+Date: Tue, 14 Jun 2016 00:15:48 -0500
+Subject: [PATCH 2/2] Port fix for CVE-2016-0749 to 0.13.1, part II
+
+This is a port of
+
+  0066-smartcard-allocate-msg-with-the-expected-size.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From  Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau 
+Date: Thu, 17 Dec 2015 18:16:22 +0100
+Subject: [PATCH] smartcard: allocate msg with the expected size
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau 
+---
+ server/smartcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index 96e4295..c317512 100644
+--- a/server/smartcard.c
 b/server/smartcard.c
+@@ -313,7 +313,7 @@ static void 
smartcard_char_device_notify_reader_add(RedCharDeviceSmartcard *dev)
+ RedCharDeviceWriteBuffer *write_buf;
+ VSCMsgHeader *vheader;
+ 
+-write_buf =