[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: f669a2f91427e142b943efe92978216dff4c842a Author: John Helmert III gentoo org> AuthorDate: Tue Aug 9 21:27:51 2022 + Commit: John Helmert III gentoo org> CommitDate: Tue Aug 9 21:30:23 2022 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f669a2f9 app-emulation/spice: drop 0.14.3-r1 Bug: https://bugs.gentoo.org/792618 Signed-off-by: John Helmert III gentoo.org> app-emulation/spice/Manifest | 1 - .../spice-0.14.3-CVE-2020-14355-404d7478.patch | 31 -- .../spice-0.14.3-CVE-2020-14355-762e0aba.patch | 13 --- .../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch | 18 .../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch | 17 app-emulation/spice/spice-0.14.3-r1.ebuild | 106 - 6 files changed, 186 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 0135aefa813e..9fac0bce8dcb 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest @@ -1,3 +1,2 @@ -DIST spice-0.14.3.tar.bz2 1504304 BLAKE2B be655e1d4c48dae29903ab8e0dc52da63723e3252052afccc9587065531f28c8af7dbab4c585093f26d98f2273c6e734a553c18d4779a9f4464334ae1764f682 SHA512 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 DIST spice-0.15.0-pthread-c5fe3df1.patch.bz2 7605 BLAKE2B 86b8094a22a02080db038ef98972bf09f391d5344fee8df2aa7d2def0b50a581353cb0e3dd97f99bbd58b88a13ceac4b54be8086a9f4274f38d132b27b62e84d SHA512 5075bd260b33c2dad8c3ce641372383871f7d69190a4f4697bd5e12af1bf5429310c592961de001d36c19a9cdd91143b8d6e8be0e08b3850b9700c2aef2ddd78 DIST spice-0.15.0.tar.bz2 1537970 BLAKE2B 98e8f55de81a86c6370e4a74c0fd90db78a9a8e8e3af536bccd6a2a75185194ac7b87521163090c4312e392d2ee10036c0283171c7796aea630e1307128a2d55 SHA512 0a776d191c395ce1f7ebbbac47956a00a2765327d3127aeca6e232bd56fd4ccd28750ae1599eb6eb2909ac909cda517d5511faa631166db16b8b75bd4e7b86d9 
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch deleted file mode 100644 index 338f4e6ca657.. --- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff --git a/common/quic.c b/common/quic.c -index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644 a/subprojects/spice-common/common/quic.c -+++ b/subprojects/spice-common/common/quic.c -@@ -56,6 +56,9 @@ typedef uint8_t BYTE; - #define MINwminext 1 - #define MAXwminext 1 - -+/* Maximum image size in pixels, mainly to avoid possible integer overflows */ -+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1) -+ - typedef struct QuicFamily { - unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of - unmodified GR codewords in the code */ -@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w - height = encoder->io_word; - decode_eat32bits(encoder); - -+if (width <= 0 || height <= 0) { -+encoder->usr->warn(encoder->usr, "invalid size\n"); -+return QUIC_ERROR; -+} -+ -+/* avoid too big images */ -+if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) { -+encoder->usr->error(encoder->usr, "image too large\n"); -+} -+ - quic_image_params(encoder, type, , ); - - if (!encoder_reset_channels(encoder, channels, width, bpc)) { diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch deleted file mode 100644 index ce79ef0043ee.. --- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/common/quic.c b/common/quic.c -index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644 a/subprojects/spice-common/common/quic.c -+++ b/subprojects/spice-common/common/quic.c -@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w - int channels; - int bpc; - --if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { -+if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) { - return QUIC_ERROR; - } - diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch deleted file mode 100644 index 40127deda15a.. --- a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c -index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: d6418bd9306729c2497c17fe302f58965800897c Author: Matthias Maier gentoo org> AuthorDate: Sun Apr 4 18:48:42 2021 + Commit: Matthias Maier gentoo org> CommitDate: Sun Apr 4 18:54:34 2021 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6418bd9 app-emulation/spice: apply security patches for CVE-2020-14355 Bug: https://bugs.gentoo.org/746920 Package-Manager: Portage-3.0.18, Repoman-3.0.3 Signed-off-by: Matthias Maier gentoo.org> .../spice-0.14.3-CVE-2020-14355-404d7478.patch | 31 +++ .../spice-0.14.3-CVE-2020-14355-762e0aba.patch | 13 +++ .../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch | 18 .../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch | 17 app-emulation/spice/spice-0.14.3-r1.ebuild | 103 + 5 files changed, 182 insertions(+) diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch new file mode 100644 index 000..338f4e6ca65 --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch 
@@ -0,0 +1,31 @@
+diff --git a/common/quic.c b/common/quic.c
+index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644
+--- a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 1
+
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+ unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
+ unmodified GR codewords in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+ height = encoder->io_word;
+ decode_eat32bits(encoder);
+
++if (width <= 0 || height <= 0) {
++encoder->usr->warn(encoder->usr, "invalid size\n");
++return QUIC_ERROR;
++}
++
++/* avoid too big images */
++if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++encoder->usr->error(encoder->usr, "image too large\n");
++}
++
+ quic_image_params(encoder, type, , );
+
+ if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
new file mode 100644
index 000..ce79ef0043e
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
@@ -0,0 +1,13 @@
+diff --git a/common/quic.c b/common/quic.c
+index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644
+--- a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+ int channels;
+ int bpc;
+
+-if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+ return QUIC_ERROR;
+ }
+
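Review bot: In the spice-0.14.3-CVE-2020-14355-404d7478.patch hunk, the `image too large` branch of quic_decode_begin calls `encoder->usr->error(...)` and then falls through, while the `invalid size` branch just above it ends with `return QUIC_ERROR;`. That is only safe if the error callback never returns, which nothing in this hunk establishes. If it can return, decoding carries on to `encoder_reset_channels` with a width and height whose product exceeds SPICE_MAX_IMAGE_SIZE. I would add `return QUIC_ERROR;` after the error call, or, once the callback contract is confirmed, a comment such as `/* usr->error does not return */`. quic_decode_begin starts and ends outside the hunk.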
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
new file mode 100644
index 000..40127deda15
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
@@ -0,0 +1,18 @@
+diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
+index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
+ {
+ spice_extra_assert(val < (0x1U << BPC));
+
+-return channel->_buckets_ptrs[val];
++/* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++ * attempts. Is much faster then using comparisons and save us from such situations.
++ * Note that on normal build the check above won't be compiled as this code path
++ * is pretty hot and would cause speed regressions.
++ */
++return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+
+ #undef FNAME
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
new file mode 100644
index 000..bc764ec23ce
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
@@ -0,0 +1,17 @@
+diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
+index
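Review bot: In the spice-0.14.3-CVE-2020-14355-b24fe6b6.patch hunk, the new mask in find_bucket keeps the index inside `_buckets_ptrs` but silently maps an out-of-range `val` onto some valid bucket, so a corrupt stream is decoded rather than rejected. The added comment explains the speed trade-off but not that consequence. I would extend it with a line such as `* An out-of-range val therefore selects a wrong bucket instead of failing; callers must not rely on this function to detect bad input.` The mask is only sufficient if `_buckets_ptrs` holds at least `1U << BPC` entries, which the hunk does not show and should be confirmed against the array's declaration. As a style point, the assert writes `0x1U << BPC` where the mask writes `1U << BPC`, and "faster then" should read "faster than".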
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: ad28dfa767dead9be522f8bd8801ba76eb33a324 Author: Matthias Maier gentoo org> AuthorDate: Sat Apr 18 18:35:25 2020 + Commit: Matthias Maier gentoo org> CommitDate: Sat Apr 18 18:56:14 2020 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad28dfa7 app-emulation/spice: drop vulnerable versions, bug #717776 Bug: https://bugs.gentoo.org/717776 Package-Manager: Portage-2.3.99, Repoman-2.3.22 Signed-off-by: Matthias Maier gentoo.org> app-emulation/spice/Manifest | 2 - ...0.14.0-fix-flexible-array-buffer-overflow.patch | 12 --- .../spice/files/spice-0.14.0-libressl_fix.patch| 13 --- .../spice/files/spice-0.14.0-openssl1.1_fix.patch | 26 -- app-emulation/spice/spice-0.14.0-r2.ebuild | 102 - app-emulation/spice/spice-0.14.2.ebuild| 100 6 files changed, 255 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 57ed7cd9f34..7b50d54451c 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest @@ -1,3 +1 @@ -DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750 SHA512 84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f -DIST spice-0.14.2.tar.bz2 1406009 BLAKE2B e6c57bedd8c8ec0444da194be7279b895bf348dfa9b427d20301cc223627bcd65b7037280bc2a3d0b531b0cdcd8cb62d34ee132c549ac3dc8f6e5a2959339ce2 SHA512 1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 DIST spice-0.14.3.tar.bz2 1504304 BLAKE2B be655e1d4c48dae29903ab8e0dc52da63723e3252052afccc9587065531f28c8af7dbab4c585093f26d98f2273c6e734a553c18d4779a9f4464334ae1764f682 SHA512 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4 
diff --git a/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch b/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch deleted file mode 100644 index a05bbb7545a..000 --- a/app-emulation/spice/files/spice-0.14.0-fix-flexible-array-buffer-overflow.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py -index 1ea131d..7172762 100644 a/spice-common/python_modules/demarshal.py -+++ b/spice-common/python_modules/demarshal.py -@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star - writer.assign(nelements, array.size) - elif array.is_remaining_length(): - if element_type.is_fixed_nw_size(): -+writer.error_check("%s > message_end" % item.get_position()) - if element_type.get_fixed_nw_size() == 1: - writer.assign(nelements, "message_end - %s" % item.get_position()) - else: diff --git a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch deleted file mode 100644 index 1dfce9480e9..000 --- a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/spice-common/common/ssl_verify.c b/spice-common/common/ssl_verify.c -index a9ed650..27aa5d3 100644 a/spice-common/common/ssl_verify.c -+++ b/spice-common/common/ssl_verify.c -@@ -33,7 +33,7 @@ - #include - #include - --#if OPENSSL_VERSION_NUMBER < 0x1010 -+#if OPENSSL_VERSION_NUMBER < 0x1010 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070L) - static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1) - { - return M_ASN1_STRING_data(asn1); diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch deleted file mode 100644 index c1c5a1c04ba..000 --- a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch +++ /dev/null 
@@ -1,26 +0,0 @@ spice-0.13.90-orig/server/reds.c 2017-07-27 01:04:10.0 +1000 -+++ spice-0.13.90/server/reds.c2017-10-18 21:42:12.054934199 +1100 -@@ -34,6 +34,8 @@ - #include - - #include -+#include -+#include - - #if HAVE_SASL - #include -@@ -2795,9 +2797,12 @@ - - static gpointer openssl_global_init(gpointer arg) - { -+#if OPENSSL_VERSION_NUMBER >= 0x1010L && !defined (LIBRESSL_VERSION_NUMBER) -+OPENSSL_init_ssl(0, NULL); -+#else - SSL_library_init(); - SSL_load_error_strings(); -- -+#endif - openssl_thread_setup(); - - return NULL; - diff --git a/app-emulation/spice/spice-0.14.0-r2.ebuild b/app-emulation/spice/spice-0.14.0-r2.ebuild deleted file mode 100644 index 49bf1e178a9..000 --- a/app-emulation/spice/spice-0.14.0-r2.ebuild
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: 54518b5955919d26b69fb31737f6450146ef6a7d Author: Matthias Maier gentoo org> AuthorDate: Thu Aug 16 21:31:54 2018 + Commit: Matthias Maier gentoo org> CommitDate: Fri Aug 17 00:07:47 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54518b59 app-emulation/spice: drop old Package-Manager: Portage-2.3.46, Repoman-2.3.10 app-emulation/spice/Manifest | 1 - ...buffer-overflows-handling-monitor-configu.patch | 47 -- ...integer-overflows-handling-monitor-config.patch | 30 -- ...nect-when-receiving-overly-big-ClientMoni.patch | 75 --- .../files/spice-0.13.3-skip_faulty_lz4_check.patch | 13 --- app-emulation/spice/spice-0.13.3-r2.ebuild | 104 - 6 files changed, 270 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 8258480e0ae..6b3b7c613b4 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest @@ -1,2 +1 @@ -DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17 SHA512 63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750 SHA512 84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch deleted file mode 100644 index 8792395977e..000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -Matthias Maier - - - Ported to 0.13.3 - - -From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - -Signed-off-by: Frediano Ziglio - -diff --git a/server/reds.c b/server/reds.c -index ec89105..fd1457f 100644 a/server/reds.c -+++ b/server/reds.c -@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = >client_monitors_config; -+uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+// limit the monitor number to avoid buffer overflows -+max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+if (monitors_config->num_of_monitors > max_monitors) { -+goto overflow; -+} - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); - reds_client_monitors_config_cleanup(reds); 
diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch deleted file mode 100644 index f05e55c7354..000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - -Signed-off-by: Frediano Ziglio - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index ec2b6f47..656f518f 100644 a/server/reds.c -+++ b/server/reds.c -@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - spice_debug("not enough data yet. %zd", cmc->offset); - return;
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: 09c721b3411933c73bb1f9891765a3cbdc98bbdf Author: Matthias Maier gentoo org> AuthorDate: Mon Feb 12 01:46:20 2018 + Commit: Matthias Maier gentoo org> CommitDate: Mon Feb 12 01:48:29 2018 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09c721b3 app-emulation/spice: drop 0.13.90 - let's focus on 0.14.0 Package-Manager: Portage-2.3.24, Repoman-2.3.6 app-emulation/spice/Manifest | 1 - .../spice/files/spice-0.14.0-openssl1.1_fix.patch | 2 +- app-emulation/spice/spice-0.13.90.ebuild | 97 -- 3 files changed, 1 insertion(+), 99 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 5dd45f8f0fc..8258480e0ae 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest @@ -1,3 +1,2 @@ DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17 SHA512 63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a -DIST spice-0.13.90.tar.bz2 1364173 BLAKE2B 1bc0e71d8c5a21f9961ac6c0567bde19d31983bd5b0f5d4df30cc5634080d288f277689d875334d94c6a276284313bc82f15eaf0ce20916c6c912c2dcc4bdfc0 SHA512 a5a6ab328a2d3cb405ead6eef40a1b896432f35accf1f8b015fc9deadcc4e5eb5f6d8d575a94fa3b2505e206986887badecf721ab015efd88dad174d7340c01c DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750 SHA512 84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch index ea4e606b3db..5854d8788c7 100644 --- a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch +++ b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch 
@@ -13,7 +13,7 @@ static gpointer openssl_global_init(gpointer arg) { -+#if OPENSSL_VERSION_NUMBER >= 0x1000L ++#if OPENSSL_VERSION_NUMBER >= 0x1010L +OPENSSL_init_ssl(0, NULL); +#else SSL_library_init(); diff --git a/app-emulation/spice/spice-0.13.90.ebuild b/app-emulation/spice/spice-0.13.90.ebuild deleted file mode 100644 index abf7a28a67b..000 --- a/app-emulation/spice/spice-0.13.90.ebuild +++ /dev/null 
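Review bot: The corrected `#if OPENSSL_VERSION_NUMBER >= ...` guard in openssl_global_init still tests only the OpenSSL version macro, although the spice ebuilds on this page expose a `libressl` USE flag. LibreSSL defines OPENSSL_VERSION_NUMBER as well, with a value above the OpenSSL 1.1 range. A LibreSSL build would therefore take the `OPENSSL_init_ssl(0, NULL)` branch whether or not that LibreSSL release provides the function. Appending `&& !defined(LIBRESSL_VERSION_NUMBER)` to the `#if` would keep LibreSSL on the `SSL_library_init()` path. openssl_global_init continues outside the hunk.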
@@ -1,97 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} ) - -inherit autotools ltprune python-any-r1 readme.gentoo-r1 xdg-utils - -DESCRIPTION="SPICE server" -HOMEPAGE="https://www.spice-space.org/; -SRC_URI="https://www.spice-space.org/download/releases/${P}.tar.bz2; - -LICENSE="LGPL-2.1" -SLOT="0" -KEYWORDS="~amd64 ~arm64 ~x86" -IUSE="libressl lz4 sasl smartcard static-libs gstreamer" - -# the libspice-server only uses the headers of libcacard -RDEPEND=" - >=dev-libs/glib-2.22:2[static-libs(+)?] - >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?] - media-libs/opus[static-libs(+)?] - sys-libs/zlib[static-libs(+)?] - virtual/jpeg:0=[static-libs(+)?] - >=x11-libs/pixman-0.17.7[static-libs(+)?] - !libressl? ( dev-libs/openssl:0=[static-libs(+)?] ) - libressl? ( dev-libs/libressl:0=[static-libs(+)?] ) - lz4? ( app-arch/lz4:0=[static-libs(+)?] ) - smartcard? ( >=app-emulation/libcacard-0.1.2 ) - sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] ) - gstreamer? ( - media-libs/gstreamer:1.0 - media-libs/gst-plugins-base:1.0 - )" -DEPEND="${RDEPEND} - ${PYTHON_DEPS} - >=app-emulation/spice-protocol-0.12.12 - virtual/pkgconfig - $(python_gen_any_dep ' - >=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}] - dev-python/six[${PYTHON_USEDEP}] - ') - smartcard? 
( app-emulation/qemu[smartcard] )" - -python_check_deps() { - has_version ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]" - has_version "dev-python/six[${PYTHON_USEDEP}]" -} - -pkg_setup() { - [[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup -} - -src_prepare() { - default - - eautoreconf -} - -src_configure() { - # Prevent sandbox violations, bug #586560 - # https://bugzilla.gnome.org/show_bug.cgi?id=744134 - # https://bugzilla.gnome.org/show_bug.cgi?id=744135 - addpredict /dev - - xdg_environment_reset - - local myconf=" - $(use_enable static-libs static) - $(use_enable lz4) - $(use_with sasl) - $(use_enable smartcard) - --enable-gstreamer=$(usex gstreamer "1.0" "no") - --enable-celt051 - --disable-gui - "
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: 24492876545e0acf680e214f8547a2e739f89a9e Author: Matthias Maier gentoo org> AuthorDate: Thu May 11 04:36:38 2017 + Commit: Matthias Maier gentoo org> CommitDate: Thu May 11 04:37:33 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=24492876 app-emulation/spice: drop versions 0.12.8, 0.13.1, 0.13.2 Package-Manager: Portage-2.3.5, Repoman-2.3.2 app-emulation/spice/Manifest | 3 - .../spice/files/0.12.8-upstream-fix.patch | 36 --- .../spice/files/0.13.1-CVE-2016-0749-p1.patch | 56 --- .../spice/files/0.13.1-CVE-2016-0749-p2.patch | 50 -- .../spice/files/0.13.1-CVE-2016-2150-p1.patch | 109 - .../spice/files/0.13.1-CVE-2016-2150-p2.patch | 50 -- app-emulation/spice/spice-0.12.8.ebuild| 86 app-emulation/spice/spice-0.13.1-r2.ebuild | 91 - app-emulation/spice/spice-0.13.2.ebuild| 88 - 9 files changed, 569 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 61803b6991c..8e228b69b86 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest 
@@ -1,5 +1,2 @@ DIST spice-0.12.7.tar.bz2 1220405 SHA256 1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba SHA512 a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae WHIRLPOOL 61ffa3e280a346a2667ddd38dcfd63ffa6c1e6efd0f05da4fad43b00ca5e1a1587411a907b929b75e4d1e72ebcef29621ccdd76dfb313e8f3a5513a5a367132b -DIST spice-0.12.8.tar.bz2 1223778 SHA256 f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d SHA512 6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed WHIRLPOOL 9363254a4b072e8c06e7c0ea4d25dd4b068e4700cbb4fdaabc9f8fe9291e2f67afc321b0d56c2b6f46153b3f6bd7d6c96341437053b0410808fb95ddd01354fb -DIST spice-0.13.1.tar.bz2 1245323 SHA256 9ecb130424da02e90c235c1294f6e759d7c676c5e710587a5c98a1f20f991da2 SHA512 a8e65cc02c802686f2e0c21615401e13b337e050c40938bebefa684abc1ce0e2d478136d0fec481a8ee30ed98f2e2fb909dfbf6cd65e9dfd7093d59f825b95d5 WHIRLPOOL 068d7d26f18435995546d84b0d8d81ced4973773303463e597cf05e1c5accd9ac8554f22032eb55827bebbe6c0fc14915455da24c58fc70b135d955fe3442db7 -DIST spice-0.13.2.tar.bz2 1284734 SHA256 045a1f145d8207ecf33105c8a8917252c1201c45791fdc544733465a37974954 SHA512 7220c6550446a8077522442bd518cff68439bb0b00ee199920b32a97c3655ccad75a0cdfc822a99be678e6098ad33698b26340caddae0400403490a89137d367 WHIRLPOOL f2bd409e87203c2bbe481e6b6ba9ae3c6cfee0e67b0dd5073c97e9ff14d9c02a7cec0606700717ce9c25e478a38eefc925f9c797697981528f357464f388b65d DIST spice-0.13.3.tar.bz2 1322505 SHA256 30f710c0e7594e05b6b9cc702be748a69f910a95192ab851d748c256157fb89e SHA512 63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a WHIRLPOOL 16bb08301d66c1f21f612f5be87ba1ffef7132f3c18ac3ab7feec21e16de61461648311d04f6990254d4c47ee7a6d39f4c33f122e941e5a3fc0c2ed289dd928b 
diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch b/app-emulation/spice/files/0.12.8-upstream-fix.patch deleted file mode 100644 index fcc1855ac77..000 --- a/app-emulation/spice/files/0.12.8-upstream-fix.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681 -Author: Marc-André Lureau-Date: Wed Jul 20 17:16:31 2016 +0400 - -Call migrate_end_complete() after falling back to switch-host - -Eventually, during a seamless migration, qemu may finish to migrate -before the spice client even finished to connect all channels to -destination and informed the server. In this case, -main_channel_client_migrate_src_complete() will fall back to -switch-host method, and reds_mig_fill_wait_disconnect() is called to -complete the migration (disconnecting all channels). - -reds_mig_cleanup() is called when all channels are disconnected, but -reds->mig_wait_connect is still TRUE, and it will call -migrate_connect_complete() instead of the expected -migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when -reds_mig_fill_wait_disconnect() solves the issue. - -Fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=1352836 - -Signed-off-by: Marc-André Lureau - -diff --git a/server/reds.c b/server/reds.c -index 61bf735..f40b65c 100644 a/server/reds.c -+++ b/server/reds.c -@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void) - wait_client->client = client; - ring_add(>mig_wait_disconnect_clients, _client->link); - } -+reds->mig_wait_connect = FALSE; - reds->mig_wait_disconnect = TRUE; - core->timer_start(reds->mig_timer,
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: 21553fd5fd80fdeef53848b820f870fb7744aa12 Author: Yixun Lan gentoo org> AuthorDate: Tue Nov 1 02:45:56 2016 + Commit: Yixun Lan gentoo org> CommitDate: Tue Nov 1 02:46:24 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21553fd5 app-emulation/spice: upstream stable release bump Package-Manager: portage-2.3.2 app-emulation/spice/Manifest | 1 + .../spice/files/0.12.8-upstream-fix.patch | 36 + app-emulation/spice/spice-0.12.8.ebuild| 87 ++ 3 files changed, 124 insertions(+) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index b1bc248..4bc4869 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest 
@@ -1,3 +1,4 @@ DIST spice-0.12.7.tar.bz2 1220405 SHA256 1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba SHA512 a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae WHIRLPOOL 61ffa3e280a346a2667ddd38dcfd63ffa6c1e6efd0f05da4fad43b00ca5e1a1587411a907b929b75e4d1e72ebcef29621ccdd76dfb313e8f3a5513a5a367132b +DIST spice-0.12.8.tar.bz2 1223778 SHA256 f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d SHA512 6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed WHIRLPOOL 9363254a4b072e8c06e7c0ea4d25dd4b068e4700cbb4fdaabc9f8fe9291e2f67afc321b0d56c2b6f46153b3f6bd7d6c96341437053b0410808fb95ddd01354fb DIST spice-0.13.1.tar.bz2 1245323 SHA256 9ecb130424da02e90c235c1294f6e759d7c676c5e710587a5c98a1f20f991da2 SHA512 a8e65cc02c802686f2e0c21615401e13b337e050c40938bebefa684abc1ce0e2d478136d0fec481a8ee30ed98f2e2fb909dfbf6cd65e9dfd7093d59f825b95d5 WHIRLPOOL 068d7d26f18435995546d84b0d8d81ced4973773303463e597cf05e1c5accd9ac8554f22032eb55827bebbe6c0fc14915455da24c58fc70b135d955fe3442db7 DIST spice-0.13.2.tar.bz2 1284734 SHA256 045a1f145d8207ecf33105c8a8917252c1201c45791fdc544733465a37974954 SHA512 7220c6550446a8077522442bd518cff68439bb0b00ee199920b32a97c3655ccad75a0cdfc822a99be678e6098ad33698b26340caddae0400403490a89137d367 WHIRLPOOL f2bd409e87203c2bbe481e6b6ba9ae3c6cfee0e67b0dd5073c97e9ff14d9c02a7cec0606700717ce9c25e478a38eefc925f9c797697981528f357464f388b65d diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch b/app-emulation/spice/files/0.12.8-upstream-fix.patch new file mode 100644 index ..fcc1855 --- /dev/null +++ b/app-emulation/spice/files/0.12.8-upstream-fix.patch 
@@ -0,0 +1,36 @@ +commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681 +Author: Marc-André Lureau+Date: Wed Jul 20 17:16:31 2016 +0400 + +Call migrate_end_complete() after falling back to switch-host + +Eventually, during a seamless migration, qemu may finish to migrate +before the spice client even finished to connect all channels to +destination and informed the server. In this case, +main_channel_client_migrate_src_complete() will fall back to +switch-host method, and reds_mig_fill_wait_disconnect() is called to +complete the migration (disconnecting all channels). + +reds_mig_cleanup() is called when all channels are disconnected, but +reds->mig_wait_connect is still TRUE, and it will call +migrate_connect_complete() instead of the expected +migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when +reds_mig_fill_wait_disconnect() solves the issue. + +Fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=1352836 + +Signed-off-by: Marc-André Lureau + +diff --git a/server/reds.c b/server/reds.c +index 61bf735..f40b65c 100644 +--- a/server/reds.c b/server/reds.c +@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void) + wait_client->client = client; + ring_add(>mig_wait_disconnect_clients, _client->link); + } ++reds->mig_wait_connect = FALSE; + reds->mig_wait_disconnect = TRUE; + core->timer_start(reds->mig_timer, MIGRATE_TIMEOUT); + } diff --git a/app-emulation/spice/spice-0.12.8.ebuild b/app-emulation/spice/spice-0.12.8.ebuild new file mode 100644 index ..7cbe1ee --- /dev/null +++ b/app-emulation/spice/spice-0.12.8.ebuild 
@@ -0,0 +1,87 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit eutils python-any-r1
+
+DESCRIPTION="SPICE server"
+HOMEPAGE="http://spice-space.org/;
+SRC_URI="http://spice-space.org/download/releases/${P}.tar.bz2;
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="libressl sasl smartcard static-libs"
+
+# the libspice-server only uses the headers of libcacard
+RDEPEND="
+ >=dev-libs/glib-2.22:2[static-libs(+)?]
+ >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?]
+
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: e78aee5d6b747e4dd0c6aed30b959107957a7c17 Author: Matthias Maier gentoo org> AuthorDate: Tue Jun 14 04:39:52 2016 + Commit: Matthias Maier gentoo org> CommitDate: Tue Jun 14 05:46:46 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e78aee5d app-emulation/spice: fix vuln 0.12.7, bug #584126 Apply the following patches to 0.12.7: CVE-2016-2150: 0067-create-a-function-to-validate-surface-parameters.patch 0068-improve-primary-surface-parameter-checks.patch CVE-2016-0749: 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch 0066-smartcard-allocate-msg-with-the-expected-size.patch Gentoo-Bug: 584126 Package-Manager: portage-2.2.28 Signed-off-by: Matthias Maier gentoo.org> .../spice/files/0.12.6-CVE-2016-0749-p1.patch | 89 +++ .../spice/files/0.12.6-CVE-2016-0749-p2.patch | 61 +++ .../spice/files/0.12.6-CVE-2016-2150-p1.patch | 121 + .../spice/files/0.12.6-CVE-2016-2150-p2.patch | 33 ++ app-emulation/spice/spice-0.12.7-r1.ebuild | 76 + 5 files changed, 380 insertions(+) diff --git a/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch new file mode 100644 index 000..2d79fbb --- /dev/null +++ b/app-emulation/spice/files/0.12.6-CVE-2016-0749-p1.patch 
@@ -0,0 +1,89 @@ +From Mon Sep 17 00:00:00 2001 +From: Marc-Andre Lureau+Date: Thu, 17 Dec 2015 18:13:47 +0100 +Subject: [PATCH] smartcard: add a ref to item before adding to pipe + +There is an unref when the message is sent. + +==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffc630 sp 0x7fffc620 +READ of size 4 at 0x6008000144a8 thread T0 +#0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608 +#1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178 +#2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330 +#3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 +#4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 +#5 0x5593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 +#6 0x559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220 +#7 0x55b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76 +#8 0x55b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91 +#9 0x55b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242 +#10 0x55b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289 +#11 0x5593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41 +#12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477 +#13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629 +#14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675 +#15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add 
/home/elmarco/src/spice/spice/server/smartcard.c:341 +#16 0x7fffee0ce4f3 in smartcard_add_reader /home/elmarco/src/spice/spice/server/smartcard.c:648 +#17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763 +#18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307 +#19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325 +#20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566 +#21 0x55c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 +#22 0x55c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 +#23 0x556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 +#24 0x556f160c in main /home/elmarco/src/qemu/vl.c:4394 +#25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 +#26 0x556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) +0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8) +freed by thread T0 here: +#0 0x74e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61 +#1 0x7fffee0ce2a1 in
[gentoo-commits] repo/gentoo:master commit in: app-emulation/spice/, app-emulation/spice/files/
commit: 76546db063fa388fbd42de1860e0d79d17948011 Author: Matthias Maier gentoo org> AuthorDate: Tue Jun 14 05:37:13 2016 + Commit: Matthias Maier gentoo org> CommitDate: Tue Jun 14 05:46:47 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76546db0 app-emulation/spice: fix vuln 0.13.1, bug #584126 Apply the following patches to 0.13.1: CVE-2016-2150: Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02 Commits 790d8f3e53d324f496fc719498422e433aae8654 *instead of* 0067-create-a-function-to-validate-surface-parameters.patch *instead of* 0068-improve-primary-surface-parameter-checks.patch CVE-2016-0749: Ported the following commits to 0.13.1 (patches did not apply due to refactoring of some internal data structures and renaming). *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch Gentoo-Bug: 584126 Package-Manager: portage-2.2.28 .../spice/files/0.13.1-CVE-2016-0749-p1.patch | 56 +++ .../spice/files/0.13.1-CVE-2016-0749-p2.patch | 50 ++ .../spice/files/0.13.1-CVE-2016-2150-p1.patch | 109 + .../spice/files/0.13.1-CVE-2016-2150-p2.patch | 50 ++ app-emulation/spice/spice-0.13.1-r2.ebuild | 78 +++ 5 files changed, 343 insertions(+) diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch new file mode 100644 index 000..cd1c8ef --- /dev/null +++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch 
@@ -0,0 +1,56 @@
+From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
+From: Matthias Maier
+Date: Tue, 14 Jun 2016 00:08:05 -0500
+Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
+
+This is a port of
+
+ 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau
+Date: Thu, 17 Dec 2015 18:13:47 +0100
+Subject: [PATCH] smartcard: add a ref to item before adding to pipe
+
+There is an unref when the message is sent.
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau
+---
+ server/smartcard.c | 10 +++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index ba6f2f5..96e4295 100644
+--- a/server/smartcard.c b/server/smartcard.c
+@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
+ smartcard_unref_vsc_msg_item((MsgItem *)msg);
+ }
+
+-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
++static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
+ RedClient *client,
+ void *opaque)
+ {
+ RedCharDeviceSmartcard *dev = opaque;
+-spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+-smartcard_channel_client_pipe_add_push(>priv->scc->base, &((MsgItem *)msg)->base);
+
++MsgItem *msg = (MsgItem *)message;
++PipeItem *item = >base;
++
++spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
++smartcard_ref_vsc_msg_item(msg);
++smartcard_channel_client_pipe_add_push(>priv->scc->base, item);
+ }
+
+ static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
+--
+2.7.3
+
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
new file mode 100644
index 000..6a1895f
--- /dev/null
+++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
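Review bot: The new `smartcard_ref_vsc_msg_item(msg);` in smartcard_send_msg_to_client() is undocumented, and the unref that balances it is named only in the commit message ("There is an unref when the message is sent"). Since this reference is what keeps the item alive while it sits in the pipe, the ownership rule deserves a comment at the call, e.g. `/* the pipe holds its own reference, released when the item is sent */`. Whether an item that leaves the pipe without being sent (for instance when the client disconnects) is also unreferenced cannot be seen from this hunk; it is worth confirming, because a missed release would now leak the message rather than free it early.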
@@ -0,0 +1,50 @@
+From 4cd23b8378e68283c7c9cf0b1e25dae11cf69c3e Mon Sep 17 00:00:00 2001
+From: Matthias Maier
+Date: Tue, 14 Jun 2016 00:15:48 -0500
+Subject: [PATCH 2/2] Port fix for CVE-2016-0749 to 0.13.1, part II
+
+This is a port of
+
+ 0066-smartcard-allocate-msg-with-the-expected-size.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau
+Date: Thu, 17 Dec 2015 18:16:22 +0100
+Subject: [PATCH] smartcard: allocate msg with the expected size
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau
+---
+ server/smartcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index 96e4295..c317512 100644
+--- a/server/smartcard.c b/server/smartcard.c
+@@ -313,7 +313,7 @@ static void smartcard_char_device_notify_reader_add(RedCharDeviceSmartcard *dev)
+ RedCharDeviceWriteBuffer *write_buf;
+ VSCMsgHeader *vheader;
+
+-write_buf =