Control: tags 854336 + pending

Dear maintainer,
I've prepared an NMU for spice (versioned as 0.12.8-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. I am attaching the debdiff to this bug report. Regards, Markus
diff -Nru spice-0.12.8/debian/changelog spice-0.12.8/debian/changelog
--- spice-0.12.8/debian/changelog 2017-01-06 14:50:55.000000000 +0100
+++ spice-0.12.8/debian/changelog 2017-02-13 21:42:01.000000000 +0100
@@ -1,3 +1,17 @@
+spice (0.12.8-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add CVE-2016-9577-and-CVE-2016-9578.patch:
+ - CVE-2016-9577: A buffer overflow vulnerability in
+ main_channel_alloc_msg_rcv_buf was found that occurs when reading large
+ messages due to missing buffer size check.
+ - CVE-2016-9578: A vulnerability was discovered in the server's
+ protocol handling. An attacker able to connect to the spice server could
+ send crafted messages which would cause the process to crash.
+ (Closes: #854336)
+
+ -- Markus Koschany <a...@debian.org> Mon, 13 Feb 2017 21:42:01 +0100
+
 spice (0.12.8-2) unstable; urgency=medium
 
 * Build on all little-endian architectures (Closes: #734218)
diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch
--- spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 1970-01-01 01:00:00.000000000 +0100
+++ spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 2017-02-13 21:42:01.000000000 +0100
@@ -0,0 +1,54 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 13 Feb 2017 21:38:02 +0100
+Subject: CVE-2016-9577 and CVE-2016-9578
+
+Bug-Debian: https://bugs.debian.org/854336
+Origin: http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d
+---
+ server/main_channel.c | 3 +++
+ server/reds.c | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df..1fc3915 100644
+--- a/server/main_channel.c
++++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+ 
+ if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+ return reds_get_agent_data_buffer(mcc, size);
++ } else if (size > sizeof(main_chan->recv_buf)) {
++ /* message too large, caller will log a message and close the connection */
++ return NULL;
+ } else {
+ return main_chan->recv_buf;
+ }
+diff --git a/server/reds.c b/server/reds.c
+index 61bf735..4c60f58 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+ link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+ link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ 
++ /* Prevent DoS. Currently we defined only 13 capabilities,
++ * I expect 1024 to be valid for quite a lot time */
++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++ reds_link_free(link);
++ return;
++ }
++
+ num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+ caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+ 
+@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque)
+ 
+ reds->peer_minor_version = header->minor_version;
+ 
+- if (header->size < sizeof(SpiceLinkMess)) {
++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+ spice_warning("bad size %u", header->size);
+ reds_link_free(link);
diff -Nru spice-0.12.8/debian/patches/series spice-0.12.8/debian/patches/series
--- spice-0.12.8/debian/patches/series 2017-01-06 14:50:42.000000000 +0100
+++ spice-0.12.8/debian/patches/series 2017-02-13 21:42:01.000000000 +0100
@@ -1 +1,2 @@
 stop-linking-with-libcacard.diff
+CVE-2016-9577-and-CVE-2016-9578.patch
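Review bot: The new rejection branch in reds_handle_read_link_done (the `num_channel_caps > 1024 || num_common_caps > 1024` check) sends SPICE_LINK_ERR_INVALID_DATA and frees the link silently, while the parallel rejection added in reds_handle_read_header_done keeps the existing `spice_warning("bad size %u", header->size);`; a refused link is exactly the event an operator wants in the log, so add `spice_warning("too many caps: common %u, channel %u", link_mess->num_common_caps, link_mess->num_channel_caps);` before the reds_send_link_error call in that branch. The limits 1024 and 4096 are bare literals in two different functions, explained only by their adjacent comments; a named constant for each, defined once near the top of reds.c, would keep the rationale in one place and let the two checks be audited together. The caps comment says "Prevent DoS" but not what it protects; if, as the following `num_caps = ...` line suggests, the point is to keep the later `num_caps * sizeof(uint32_t)` arithmetic from wrapping, the comment should say so — worth confirming against the bounds check that follows below the hunk. The NULL return added to main_channel_alloc_msg_rcv_buf relies on its caller treating NULL as "close the connection", which is asserted in the comment but not visible here. All three enclosing functions begin and end outside the hunk.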