diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 21:03:06 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 21:03:06 +0100 |
commit | 8376ef56580626e9c0f796d5b85b53a0a1c7d5f5 (patch) | |
tree | 7681bbd4e8b05407772df40a4bf04cbbc8afc3fa /app-emulation/spice/files | |
parent | 30a9caf154332f12ca60756e1b75d2f0e3e1822d (diff) |
gentoo resync : 14.07.2018
Diffstat (limited to 'app-emulation/spice/files')
7 files changed, 211 insertions, 0 deletions
diff --git a/app-emulation/spice/files/README.gentoo b/app-emulation/spice/files/README.gentoo new file mode 100644 index 000000000000..1920ea69303b --- /dev/null +++ b/app-emulation/spice/files/README.gentoo @@ -0,0 +1,7 @@ + +If you choose to enable the video streaming support of gstreamer, +please try to install addtional gst-plugins which matching the video codecs + + mjpeg media-plugins/gst-plugins-libav:1.0 + vpx media-plugins/gst-plugins-vpx:1.0 + x264 media-plugins/gst-plugins-x264:1.0 diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch new file mode 100644 index 000000000000..8792395977e9 --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch @@ -0,0 +1,47 @@ +Matthias Maier <tamiko@gentoo.org> + + - Ported to 0.13.3 + + +From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor + configuration + +It was also possible for a malicious client to set +VDAgentMonitorsConfig::num_of_monitors to a number larger +than the actual size of VDAgentMOnitorsConfig::monitors. +This would lead to buffer overflows, which could allow the guest to +read part of the host memory. This might cause write overflows in the +host as well, but controlling the content of such buffers seems +complicated. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + +diff --git a/server/reds.c b/server/reds.c +index ec89105..fd1457f 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; ++ uint32_t max_monitors; + + // limit size of message sent by the client as this can cause a DoS through + // memory exhaustion, or potentially some integer overflows +@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + goto overflow; + } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); ++ // limit the monitor number to avoid buffer overflows ++ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / ++ sizeof(VDAgentMonConfig); ++ if (monitors_config->num_of_monitors > max_monitors) { ++ goto overflow; ++ } + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); + reds_client_monitors_config_cleanup(reds); diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch new file mode 100644 index 000000000000..f05e55c7354a --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch @@ -0,0 +1,30 @@ +From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor + configuration + +Avoid VDAgentMessage::size integer overflows. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + server/reds.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/server/reds.c b/server/reds.c +index ec2b6f47..656f518f 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + spice_debug("not enough data yet. %zd", cmc->offset); + return; + } ++ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { ++ goto overflow; ++ } + monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); + spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); +-- +2.13.0 + diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch new file mode 100644 index 000000000000..2cd186482ad9 --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch @@ -0,0 +1,75 @@ +Matthias Maier <tamiko@gentoo.org> + + - Ported to 0.13.3 + + +From 111ab38611cef5012f1565a65fa2d8a8a05cce37 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 15 May 2017 15:57:28 +0100 +Subject: [PATCH 1/3] reds: Disconnect when receiving overly big + ClientMonitorsConfig + +Total message size received from the client was unlimited. There is +a 2kiB size check on individual agent messages, but the MonitorsConfig +message can be split in multiple chunks, and the size of the +non-chunked MonitorsConfig message was never checked. This could easily +lead to memory exhaustion on the host. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + +diff --git a/server/reds.c b/server/reds.c +index 92feea1..286993b 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -1077,19 +1077,35 @@ static void reds_client_monitors_config_cleanup(RedsState *reds) + static void reds_on_main_agent_monitors_config(RedsState *reds, + MainChannelClient *mcc, void *message, size_t size) + { ++ const unsigned int MAX_MONITORS = 256; ++ const unsigned int MAX_MONITOR_CONFIG_SIZE = ++ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); ++ + VDAgentMessage *msg_header; + VDAgentMonitorsConfig *monitors_config; + RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + ++ // limit size of message sent by the client as this can cause a DoS through ++ // memory exhaustion, or potentially some integer overflows ++ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { ++ goto overflow; ++ } ++ + cmc->buffer_size += size; + cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); + spice_assert(cmc->buffer); + cmc->mcc = mcc; + memcpy(cmc->buffer + cmc->buffer_pos, message, size); + cmc->buffer_pos += size; ++ if (sizeof(VDAgentMessage) > cmc->buffer_size) { ++ spice_debug("not enough data yet. %d", cmc->buffer_size); ++ return; ++ } + msg_header = (VDAgentMessage *)cmc->buffer; +- if (sizeof(VDAgentMessage) > cmc->buffer_size || +- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { ++ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { ++ goto overflow; ++ } ++ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } +@@ -1097,6 +1113,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, + spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); + reds_client_monitors_config(reds, monitors_config); + reds_client_monitors_config_cleanup(reds); ++ return; ++ ++overflow: ++ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); ++ red_channel_client_disconnect(RED_CHANNEL_CLIENT(mcc)); ++ reds_client_monitors_config_cleanup(reds); + } + + void reds_on_main_agent_data(RedsState *reds, MainChannelClient *mcc, void *message, size_t size) diff --git a/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch b/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch new file mode 100644 index 000000000000..6ae65ba6d13c --- /dev/null +++ b/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch @@ -0,0 +1,13 @@ +diff --git a/spice-common/m4/spice-deps.m4 b/spice-common/m4/spice-deps.m4 +index adedec4..6cb8bde 100644 +--- a/spice-common/m4/spice-deps.m4 ++++ b/spice-common/m4/spice-deps.m4 +@@ -185,7 +185,7 @@ AC_DEFUN([SPICE_CHECK_LZ4], [ + + have_lz4="no" + if test "x$enable_lz4" != "xno"; then +- PKG_CHECK_MODULES([LZ4], [liblz4 >= 129], [have_lz4="yes"], [have_lz4="no"]) ++ PKG_CHECK_MODULES([LZ4], [liblz4], [have_lz4="yes"], [have_lz4="no"]) + + if test "x$have_lz4" = "xyes"; then + AC_DEFINE(USE_LZ4, [1], [Define to build with lz4 support]) diff --git a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch new file mode 100644 index 000000000000..2f77fa5a0006 --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch @@ -0,0 +1,13 @@ +diff --git a/spice-common/common/ssl_verify.c b/spice-common/common/ssl_verify.c +index a9ed650..27aa5d3 100644 +--- a/spice-common/common/ssl_verify.c ++++ b/spice-common/common/ssl_verify.c +@@ -33,7 +33,7 @@ + #include <string.h> + #include <gio/gio.h> + +-#if OPENSSL_VERSION_NUMBER < 0x10100000 ++#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined (LIBRESSL_VERSION_NUMBER) + static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1) + { + return M_ASN1_STRING_data(asn1); diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch new file mode 100644 index 000000000000..c1c5a1c04ba1 --- /dev/null +++ b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch @@ -0,0 +1,26 @@ +--- spice-0.13.90-orig/server/reds.c 2017-07-27 01:04:10.000000000 +1000 ++++ spice-0.13.90/server/reds.c 2017-10-18 21:42:12.054934199 +1100 +@@ -34,6 +34,8 @@ + #include <ctype.h> + + #include <openssl/err.h> ++#include <openssl/bn.h> ++#include <openssl/rsa.h> + + #if HAVE_SASL + #include <sasl/sasl.h> +@@ -2795,9 +2797,12 @@ + + static gpointer openssl_global_init(gpointer arg) + { ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER) ++ OPENSSL_init_ssl(0, NULL); ++#else + SSL_library_init(); + SSL_load_error_strings(); +- ++#endif + openssl_thread_setup(); + + return NULL; + |