Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

spice-gtk is affected by the CVE-2018-10873 issue, as well tracked in the Debian BTS as #906316. Whilst for src:spice itself we released a DSA, for spice-gtk this does not warrant a DSA (the issue would be the other way around, so a malicious spice server triggering the issue in the client). A basic smoke test was performed with the resulting package, but no specific attempt was made to trigger the issue.

The changelog reads as:

+spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Fri, 26 Oct 2018 17:52:24 +0200

Full debdiff attached.

Thanks for considering including the update in the next stretch point release.

Regards,
Salvatore
diff -Nru spice-gtk-0.33/debian/changelog spice-gtk-0.33/debian/changelog --- spice-gtk-0.33/debian/changelog 2017-01-14 12:34:36.000000000 +0100 +++ spice-gtk-0.33/debian/changelog 2018-10-26 17:52:24.000000000 +0200 @@ -1,3 +1,10 @@ +spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium + + * Non-maintainer upload. + * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 26 Oct 2018 17:52:24 +0200 + spice-gtk (0.33-3.3) unstable; urgency=medium * Non-maintainer upload. diff -Nru spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch --- spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch 2018-10-26 17:52:24.000000000 +0200 
@@ -0,0 +1,68 @@ +From: Frediano Ziglio <fzig...@redhat.com> +Date: Fri, 18 May 2018 11:41:57 +0100 +Subject: Fix flexible array buffer overflow +Origin: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873 +Bug-Debian: https://bugs.debian.org/906316 + +This is kind of a DoS, possibly flexible array in the protocol +causes the network size check to be ignored due to integer overflows. + +The size of flexible array is computed as (message_end - position), +then this size is added to the number of bytes before the array and +this number is used to check if we overflow initial message. + +An example is: + + message { + uint32 dummy[2]; + uint8 data[] @end; + } LenMessage; + +which generated this (simplified remove useless code) code: + + { /* data */ + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + } + + nw_size = 8 + data__nw_size; + + /* Check if message fits in reported side */ + if (nw_size > (uintptr_t) (message_end - start)) { + return NULL; + } + +Following code: +- data__nelements == message_end - (start + 8) +- data__nw_size == data__nelements == message_end - (start + 8) +- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == + 8 + message_end - start - 8 == message_end -start +- the check for overflow is (nw_size > (message_end - start)) but + nw_size == message_end - start so the check is doing + ((message_end - start) > (message_end - start)) which is always false. + +If message_end - start < 8 then data__nelements (number of element +on the array above) computation generate an integer underflow that +later create a buffer overflow. + +Add a check to make sure that the array starts before the message ends +to avoid the overflow. 
+ +Signed-off-by: Frediano Ziglio <fzig...@redhat.com> +Signed-off-by: Christophe Fergeau <cferg...@redhat.com> +[Salvatore Bonaccorso: Drop generated diff from commit messages causing + problem when applying with quilt. Remove addition to testsuite] +--- + +--- a/spice-common/python_modules/demarshal.py ++++ b/spice-common/python_modules/demarshal.py +@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co + writer.assign(nelements, array.size) + elif array.is_remaining_length(): + if element_type.is_fixed_nw_size(): ++ writer.error_check("%s > message_end" % item.get_position()) + if element_type.get_fixed_nw_size() == 1: + writer.assign(nelements, "message_end - %s" % item.get_position()) + else: diff -Nru spice-gtk-0.33/debian/patches/series spice-gtk-0.33/debian/patches/series --- spice-gtk-0.33/debian/patches/series 2017-01-14 12:34:36.000000000 +0100 +++ spice-gtk-0.33/debian/patches/series 2018-10-26 17:52:24.000000000 +0200 @@ -3,3 +3,4 @@ ssl-Stop-creating-our-own-X509_LOOKUP_METHOD.patch ssl-Rework-our-custom-BIO-type.patch ssl-Use-accessors-rather-than-direct-struct-access.patch +Fix-flexible-array-buffer-overflow.patch
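Review bot: the debian/changelog entry does not record that this backport deviates from the upstream commit (the bracketed note in the patch header says the testsuite addition was removed); consider stating that in the changelog line, e.g. "* Fix flexible array buffer overflow (CVE-2018-10873); upstream test addition not included (Closes: #906316)", so that a later maintainer merging the upstream change knows why the test is missing.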
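Review bot: the new `writer.error_check("%s > message_end" % item.get_position())` in write_validate_array_item is added only inside the `if element_type.is_fixed_nw_size():` branch; the `else:` branch that follows is outside the shown context, so confirm it does not compute `message_end - position` for remaining-length arrays as well and inherit the same underflow (the commit linked in the Origin header is the reference). Also confirm that error_check emits the same early-return path as the existing `nw_size` check quoted in the description, since the check must run before `nelements` is used for any allocation or copy. Because the Debian version drops the testsuite addition, the fix ships without a regression test; the case to exercise in the smoke test is a message whose payload is shorter than the array's start offset (fewer than 8 bytes for the LenMessage example in the description), which should now be rejected rather than parsed.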