diff options
author | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 20:56:41 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2018-07-14 20:56:41 +0100 |
commit | d87262dd706fec50cd150aab3e93883b6337466d (patch) | |
tree | 246b44c33ad7a57550430b0a60fa0df86a3c9e68 /app-emulation/spice/files | |
parent | 71bc00c87bba1ce31de0dac6c3b7fd1aee6917fc (diff) |
gentoo resync : 14.07.2018
Diffstat (limited to 'app-emulation/spice/files')
7 files changed, 0 insertions, 211 deletions
diff --git a/app-emulation/spice/files/README.gentoo b/app-emulation/spice/files/README.gentoo deleted file mode 100644 index 1920ea69303b..000000000000 --- a/app-emulation/spice/files/README.gentoo +++ /dev/null @@ -1,7 +0,0 @@ - -If you choose to enable the video streaming support of gstreamer, -please try to install addtional gst-plugins which matching the video codecs - - mjpeg media-plugins/gst-plugins-libav:1.0 - vpx media-plugins/gst-plugins-vpx:1.0 - x264 media-plugins/gst-plugins-x264:1.0 diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch deleted file mode 100644 index 8792395977e9..000000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch +++ /dev/null @@ -1,47 +0,0 @@ -Matthias Maier <tamiko@gentoo.org> - - - Ported to 0.13.3 - - -From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> ---- - -diff --git a/server/reds.c b/server/reds.c -index ec89105..fd1457f 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; -+ uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+ // limit the monitor number to avoid buffer overflows -+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+ if (monitors_config->num_of_monitors > max_monitors) { -+ goto overflow; -+ } - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); - reds_client_monitors_config_cleanup(reds); diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch deleted file mode 100644 index f05e55c7354a..000000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> ---- - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index ec2b6f47..656f518f 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - spice_debug("not enough data yet. %zd", cmc->offset); - return; - } -+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { -+ goto overflow; -+ } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); - spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); --- -2.13.0 - diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch deleted file mode 100644 index 2cd186482ad9..000000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch +++ /dev/null @@ -1,75 +0,0 @@ -Matthias Maier <tamiko@gentoo.org> - - - Ported to 0.13.3 - - -From 111ab38611cef5012f1565a65fa2d8a8a05cce37 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 1/3] reds: Disconnect when receiving overly big - ClientMonitorsConfig - -Total message size received from the client was unlimited. There is -a 2kiB size check on individual agent messages, but the MonitorsConfig -message can be split in multiple chunks, and the size of the -non-chunked MonitorsConfig message was never checked. This could easily -lead to memory exhaustion on the host. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> ---- - -diff --git a/server/reds.c b/server/reds.c -index 92feea1..286993b 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1077,19 +1077,35 @@ static void reds_client_monitors_config_cleanup(RedsState *reds) - static void reds_on_main_agent_monitors_config(RedsState *reds, - MainChannelClient *mcc, void *message, size_t size) - { -+ const unsigned int MAX_MONITORS = 256; -+ const unsigned int MAX_MONITOR_CONFIG_SIZE = -+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); -+ - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; - -+ // limit size of message sent by the client as this can cause a DoS through -+ // memory exhaustion, or potentially some integer overflows -+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { -+ goto overflow; -+ } -+ - cmc->buffer_size += size; - cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); - spice_assert(cmc->buffer); - cmc->mcc = mcc; - memcpy(cmc->buffer + cmc->buffer_pos, message, size); - cmc->buffer_pos += size; -+ if (sizeof(VDAgentMessage) > cmc->buffer_size) { -+ spice_debug("not enough data yet. %d", cmc->buffer_size); -+ return; -+ } - msg_header = (VDAgentMessage *)cmc->buffer; -- if (sizeof(VDAgentMessage) > cmc->buffer_size || -- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { -+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { -+ goto overflow; -+ } -+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -@@ -1097,6 +1113,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); - reds_client_monitors_config_cleanup(reds); -+ return; -+ -+overflow: -+ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); -+ red_channel_client_disconnect(RED_CHANNEL_CLIENT(mcc)); -+ reds_client_monitors_config_cleanup(reds); - } - - void reds_on_main_agent_data(RedsState *reds, MainChannelClient *mcc, void *message, size_t size) diff --git a/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch b/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch deleted file mode 100644 index 6ae65ba6d13c..000000000000 --- a/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/spice-common/m4/spice-deps.m4 b/spice-common/m4/spice-deps.m4 -index adedec4..6cb8bde 100644 ---- a/spice-common/m4/spice-deps.m4 -+++ b/spice-common/m4/spice-deps.m4 -@@ -185,7 +185,7 @@ AC_DEFUN([SPICE_CHECK_LZ4], [ - - have_lz4="no" - if test "x$enable_lz4" != "xno"; then -- PKG_CHECK_MODULES([LZ4], [liblz4 >= 129], [have_lz4="yes"], [have_lz4="no"]) -+ PKG_CHECK_MODULES([LZ4], [liblz4], [have_lz4="yes"], [have_lz4="no"]) - - if test "x$have_lz4" = "xyes"; then - AC_DEFINE(USE_LZ4, [1], [Define to build with lz4 support]) diff --git a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch b/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch deleted file mode 100644 index 2f77fa5a0006..000000000000 --- a/app-emulation/spice/files/spice-0.14.0-libressl_fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/spice-common/common/ssl_verify.c b/spice-common/common/ssl_verify.c -index a9ed650..27aa5d3 100644 ---- a/spice-common/common/ssl_verify.c -+++ b/spice-common/common/ssl_verify.c -@@ -33,7 +33,7 @@ - #include <string.h> - #include <gio/gio.h> - --#if OPENSSL_VERSION_NUMBER < 0x10100000 -+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined (LIBRESSL_VERSION_NUMBER) - static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *asn1) - { - return M_ASN1_STRING_data(asn1); diff --git a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch b/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch deleted file mode 100644 index c1c5a1c04ba1..000000000000 --- a/app-emulation/spice/files/spice-0.14.0-openssl1.1_fix.patch +++ /dev/null @@ -1,26 +0,0 @@ ---- spice-0.13.90-orig/server/reds.c 2017-07-27 01:04:10.000000000 +1000 -+++ spice-0.13.90/server/reds.c 2017-10-18 21:42:12.054934199 +1100 -@@ -34,6 +34,8 @@ - #include <ctype.h> - - #include <openssl/err.h> -+#include <openssl/bn.h> -+#include <openssl/rsa.h> - - #if HAVE_SASL - #include <sasl/sasl.h> -@@ -2795,9 +2797,12 @@ - - static gpointer openssl_global_init(gpointer arg) - { -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined (LIBRESSL_VERSION_NUMBER) -+ OPENSSL_init_ssl(0, NULL); -+#else - SSL_library_init(); - SSL_load_error_strings(); -- -+#endif - openssl_thread_setup(); - - return NULL; - |