Hi,

Attached is a preliminary (not yet tested) debdiff, with backported patches for CVE-2013-4130 and CVE-2013-4282 to wheezy.

Regards,
Salvatore
diff -Nru spice-0.11.0/debian/changelog spice-0.11.0/debian/changelog --- spice-0.11.0/debian/changelog 2012-06-28 19:09:52.000000000 +0200 +++ spice-0.11.0/debian/changelog 2014-01-03 21:57:51.000000000 +0100 @@ -1,3 +1,18 @@ +spice (0.11.0-1+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2013-4130.patch patch. + CVE-2013-4130: unsafe clients ring access abort. An user able to + initiate spice connection to the guest could use this flaw to crash the + guest. (Closes: #717030) + * Add CVE-2013-4282.patch patch. + CVE-2013-4282: Fix buffer overflow when decrypting client SPICE ticket. + A remote user able to initiate a SPICE connection to an application + acting as a SPICE server could use this flaw to crash the application. + (Closes: #728314) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 03 Jan 2014 17:52:06 +0100 + spice (0.11.0-1) unstable; urgency=low * New upstream release diff -Nru spice-0.11.0/debian/patches/CVE-2013-4130.patch spice-0.11.0/debian/patches/CVE-2013-4130.patch --- spice-0.11.0/debian/patches/CVE-2013-4130.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.11.0/debian/patches/CVE-2013-4130.patch 2014-01-03 21:57:51.000000000 +0100 
@@ -0,0 +1,51 @@ +Description: Use RING_FOREACH_SAFE in red_channel.c functions which are missing it + Currently, both red_channel_pipes_add_type() and + red_channel_pipes_add_empty_msg() use plaing RING_FOREACH() which is not + safe versus removals from the ring within the loop body. + . + Although it's rare, such a removal can occur in both cases. In the case + of red_channel_pipes_add_type() we have: + red_channel_pipes_add_type() + -> red_channel_client_pipe_add_type() + -> red_channel_client_push() + . + And in the case of red_channel_client_pipes_add_empty_msg() we have: + red_channel_client_pipes_add_empty_msg() + -> red_channel_client_pipe_add_empty_msg() + -> red_channel_client_push() + . + But red_channel_client_push() can cause a removal from the clients ring if + a network error occurs: + red_channel_client_push() + -> red_channel_client_send() + -> red_peer_handle_outgoing() + -> handler->cb->on_error callback + = red_channel_client_default_peer_on_error() + -> red_channel_client_disconnect() + -> red_channel_remove_client() + -> ring_remove() + . + When this error path does occur, the assertion in RING_FOREACH()'s + ring_next() trips, and the process containing the spice server is aborted. + i.e. your whole VM dies, as a result of an unfortunately timed network + error on the spice channel. 
+Origin: backport, http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d +Bug-Debian: http://bugs.debian.org/717030 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=984769 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2014-01-03 +--- a/server/red_channel.c ++++ b/server/red_channel.c +@@ -1213,9 +1213,9 @@ + + void red_channel_pipes_add_type(RedChannel *channel, int pipe_item_type) + { +- RingItem *link; ++ RingItem *link, *next; + +- RING_FOREACH(link, &channel->clients) { ++ RING_FOREACH_SAFE(link, next, &channel->clients) { + red_channel_client_pipe_add_type( + SPICE_CONTAINEROF(link, RedChannelClient, channel_link), + pipe_item_type); diff -Nru spice-0.11.0/debian/patches/CVE-2013-4282.patch spice-0.11.0/debian/patches/CVE-2013-4282.patch --- spice-0.11.0/debian/patches/CVE-2013-4282.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.11.0/debian/patches/CVE-2013-4282.patch 2014-01-03 21:57:51.000000000 +0100 
@@ -0,0 +1,100 @@ +Description: Fix buffer overflow when decrypting client SPICE ticket + reds_handle_ticket uses a fixed size 'password' buffer for the decrypted + password whose size is SPICE_MAX_PASSWORD_LENGTH. However, + RSA_private_decrypt which we call for the decryption expects the + destination buffer to be at least RSA_size(link->tiTicketing.rsa) + bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH + is 60 while RSA_size() is 128, so we end up overflowing 'password' + when using long passwords (this was reproduced using the string: + 'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]' + as a password). + . + When the overflow occurs, QEMU dies with: + *** stack smashing detected ***: qemu-system-x86_64 terminated + . + This commit ensures we use a corectly sized 'password' buffer, + and that it's correctly nul-terminated so that we can use strcmp + instead of strncmp. To keep using strncmp, we'd need to figure out + which one of 'password' and 'taTicket.password' is the smaller buffer, + and use that size. 
+ +Origin: backport, http://cgit.freedesktop.org/spice/spice/commit/?id=8af619009660b24e0b41ad26b30289eea288fcc2 +Bug-Debian: http://bugs.debian.org/728314 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1000443 +Forwarded: not-needed +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2014-01-03 + +--- a/server/reds.c ++++ b/server/reds.c +@@ -1848,39 +1848,59 @@ + static void reds_handle_ticket(void *opaque) + { + RedLinkInfo *link = (RedLinkInfo *)opaque; +- char password[SPICE_MAX_PASSWORD_LENGTH]; ++ char *password; + time_t ltime; ++ int password_size; + + //todo: use monotonic time + time(<ime); +- RSA_private_decrypt(link->tiTicketing.rsa_size, +- link->tiTicketing.encrypted_ticket.encrypted_data, +- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); ++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) { ++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), " ++ "SPICE ticket sent from client may be truncated", ++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH); ++ } ++ ++ password = spice_malloc0(RSA_size(link->tiTicketing.rsa) + 1); ++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size, ++ link->tiTicketing.encrypted_ticket.encrypted_data, ++ (unsigned char *)password, ++ link->tiTicketing.rsa, ++ RSA_PKCS1_OAEP_PADDING); ++ if (password_size == -1) { ++ spice_warning("failed to decrypt RSA encrypted password: %s", ++ ERR_error_string(ERR_get_error(), NULL)); ++ goto error; ++ } ++ password[password_size] = '\0'; + + if (ticketing_enabled && !link->skip_auth) { + int expired = taTicket.expiration_time < ltime; + + if (strlen(taTicket.password) == 0) { +- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); + spice_printerr("Ticketing is enabled, but no password is set. 
" + "please set a ticket first"); +- reds_link_free(link); +- return; ++ goto error; + } + +- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) { ++ if (expired || strcmp(password, taTicket.password) != 0) { + if (expired) { + spice_printerr("Ticket has expired"); + } else { + spice_printerr("Invalid password"); + } +- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); +- reds_link_free(link); +- return; ++ goto error; + } + } + + reds_handle_link(link); ++ goto end; ++ ++error: ++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); ++ reds_link_free(link); ++ ++end: ++ free(password); + } + + static inline void async_read_clear_handlers(AsyncRead *obj) diff -Nru spice-0.11.0/debian/patches/series spice-0.11.0/debian/patches/series --- spice-0.11.0/debian/patches/series 2012-06-28 17:35:07.000000000 +0200 +++ spice-0.11.0/debian/patches/series 2014-01-03 21:57:51.000000000 +0100 @@ -1,2 +1,4 @@ link-libspice-server-with-libm-libpthread.patch make-celt-to-be-optional.patch +CVE-2013-4130.patch +CVE-2013-4282.patch
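Review bot: in the debian/changelog hunk, the CVE-2013-4130 entry reads "An user able to initiate spice connection to the guest"; it should be "A user able to initiate a SPICE connection to the guest", matching the wording of the CVE-2013-4282 entry directly below it. The rest of the entry is consistent with the patch headers: both patch names match debian/patches/series, the bug numbers (#717030, #728314) match the Bug-Debian fields, and urgency=high is the expected setting for a wheezy-security upload.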
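Review bot: the Description of CVE-2013-4130.patch says both red_channel_pipes_add_type() and red_channel_pipes_add_empty_msg() use plain RING_FOREACH(), but the only hunk against server/red_channel.c (@@ -1213,9 +1213,9 @@) changes red_channel_pipes_add_type(). Please confirm whether red_channel_pipes_add_empty_msg() exists in 0.11.0: if it does, it needs the same `RingItem *link, *next;` and `RING_FOREACH_SAFE(link, next, &channel->clients)` change so that a client removed from the ring by red_channel_client_push()'s error path cannot trip the ring_next() assertion; if it does not, trim the Description so it only names what the backport actually touches. Minor: "plaing RING_FOREACH()" in the Description should be "plain".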
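Review bot: the new error path in reds_handle_ticket() calls ERR_error_string(ERR_get_error(), NULL) but the hunk adds no `#include <openssl/err.h>`; confirm server/reds.c in 0.11.0 already includes it (it likely does for the existing SSL error handling), otherwise the backport will not compile, and the cover mail says the debdiff is untested so this has not been checked by a build yet. Also check that the attached patch applies cleanly: the context line `time(<ime);` looks like mail-archive mangling of `time(&ltime);` (the variable is declared as `time_t ltime;` a few lines above). The buffer handling itself looks right: `password` is allocated with spice_malloc0(RSA_size(link->tiTicketing.rsa) + 1), which is what RSA_private_decrypt() requires for the destination, it is explicitly terminated with `password[password_size] = '\0'` after the -1 error check (password_size can be at most RSA_size), the switch from strncmp() to strcmp() is therefore safe, and the buffer is freed at `end:` on both the success path and the shared `error:` path. Minor: "corectly sized" in the Description should be "correctly sized".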