commit: 54518b5955919d26b69fb31737f6450146ef6a7d Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> AuthorDate: Thu Aug 16 21:31:54 2018 +0000 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> CommitDate: Fri Aug 17 00:07:47 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54518b59
app-emulation/spice: drop old Package-Manager: Portage-2.3.46, Repoman-2.3.10 app-emulation/spice/Manifest | 1 - ...buffer-overflows-handling-monitor-configu.patch | 47 ---------- ...integer-overflows-handling-monitor-config.patch | 30 ------ ...nect-when-receiving-overly-big-ClientMoni.patch | 75 --------------- .../files/spice-0.13.3-skip_faulty_lz4_check.patch | 13 --- app-emulation/spice/spice-0.13.3-r2.ebuild | 104 --------------------- 6 files changed, 270 deletions(-) diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest index 8258480e0ae..6b3b7c613b4 100644 --- a/app-emulation/spice/Manifest +++ b/app-emulation/spice/Manifest @@ -1,2 +1 @@ -DIST spice-0.13.3.tar.bz2 1322505 BLAKE2B 56f9cd34bb48fdcf750230242b27567db713ef749649d4b780a82d0d4ec5d326b19540c9bb4f36c164d40a692eb0368c39e05ee8dba319dd8461a0315e5a9a17 SHA512 63496fbd3df0fd453052cef8e1fb00a3a28f0105610676fdc4a58043cbc6da571ae4407701af2b817e410d05ce727d60d5ee0c93c8897231e25229897c51d95a DIST spice-0.14.0.tar.bz2 1330195 BLAKE2B 08f93e8ddeb79adb4feac0557a854cc41fd096a9dfefc0baaca176803c2a03ef9286c4f61a135d62ad22e3ac3f4bb31ffd1614c8ddeaec7ae8c01eca34da1750 SHA512 84532146aa628ca6ca459a82afb89d6391892e063668fd4a68023c92cee7ca868b6c82e31dd9886819b76ea745ebdae0d0030e1f608d8f58f51c00f0b09bae1f diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch deleted file mode 100644 index 8792395977e..00000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch +++ /dev/null @@ -1,47 +0,0 @@ -Matthias Maier <[email protected]> - - - Ported to 0.13.3 - - -From fbbcdad773e2791cfb988f4748faa41943551ca6 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <[email protected]> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 3/3] reds: Avoid buffer overflows handling monitor - configuration - -It was also possible for a malicious client to set -VDAgentMonitorsConfig::num_of_monitors to a number larger -than the actual size of VDAgentMOnitorsConfig::monitors. -This would lead to buffer overflows, which could allow the guest to -read part of the host memory. This might cause write overflows in the -host as well, but controlling the content of such buffers seems -complicated. - -Signed-off-by: Frediano Ziglio <[email protected]> ---- - -diff --git a/server/reds.c b/server/reds.c -index ec89105..fd1457f 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1084,6 +1084,7 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; -+ uint32_t max_monitors; - - // limit size of message sent by the client as this can cause a DoS through - // memory exhaustion, or potentially some integer overflows -@@ -1113,6 +1114,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - goto overflow; - } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); -+ // limit the monitor number to avoid buffer overflows -+ max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / -+ sizeof(VDAgentMonConfig); -+ if (monitors_config->num_of_monitors > max_monitors) { -+ goto overflow; -+ } - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); - reds_client_monitors_config_cleanup(reds); diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch b/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch deleted file mode 100644 index f05e55c7354..00000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 571cec91e71c2aae0d5f439ea2d8439d0c3d75eb Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <[email protected]> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 2/3] reds: Avoid integer overflows handling monitor - configuration - -Avoid VDAgentMessage::size integer overflows. - -Signed-off-by: Frediano Ziglio <[email protected]> ---- - server/reds.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/server/reds.c b/server/reds.c -index ec2b6f47..656f518f 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1131,6 +1131,9 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - spice_debug("not enough data yet. %zd", cmc->offset); - return; - } -+ if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { -+ goto overflow; -+ } - monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); - spice_debug("monitors_config->num_of_monitors: %d", monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); --- -2.13.0 - diff --git a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch b/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch deleted file mode 100644 index 2cd186482ad..00000000000 --- a/app-emulation/spice/files/spice-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch +++ /dev/null @@ -1,75 +0,0 @@ -Matthias Maier <[email protected]> - - - Ported to 0.13.3 - - -From 111ab38611cef5012f1565a65fa2d8a8a05cce37 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <[email protected]> -Date: Mon, 15 May 2017 15:57:28 +0100 -Subject: [PATCH 1/3] reds: Disconnect when receiving overly big - ClientMonitorsConfig - -Total message size received from the client was unlimited. There is -a 2kiB size check on individual agent messages, but the MonitorsConfig -message can be split in multiple chunks, and the size of the -non-chunked MonitorsConfig message was never checked. This could easily -lead to memory exhaustion on the host. - -Signed-off-by: Frediano Ziglio <[email protected]> ---- - -diff --git a/server/reds.c b/server/reds.c -index 92feea1..286993b 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -1077,19 +1077,35 @@ static void reds_client_monitors_config_cleanup(RedsState *reds) - static void reds_on_main_agent_monitors_config(RedsState *reds, - MainChannelClient *mcc, void *message, size_t size) - { -+ const unsigned int MAX_MONITORS = 256; -+ const unsigned int MAX_MONITOR_CONFIG_SIZE = -+ sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); -+ - VDAgentMessage *msg_header; - VDAgentMonitorsConfig *monitors_config; - RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; - -+ // limit size of message sent by the client as this can cause a DoS through -+ // memory exhaustion, or potentially some integer overflows -+ if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { -+ goto overflow; -+ } -+ - cmc->buffer_size += size; - cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); - spice_assert(cmc->buffer); - cmc->mcc = mcc; - memcpy(cmc->buffer + cmc->buffer_pos, message, size); - cmc->buffer_pos += size; -+ if (sizeof(VDAgentMessage) > cmc->buffer_size) { -+ spice_debug("not enough data yet. %d", cmc->buffer_size); -+ return; -+ } - msg_header = (VDAgentMessage *)cmc->buffer; -- if (sizeof(VDAgentMessage) > cmc->buffer_size || -- msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { -+ if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { -+ goto overflow; -+ } -+ if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { - spice_debug("not enough data yet. %d", cmc->buffer_size); - return; - } -@@ -1097,6 +1113,12 @@ static void reds_on_main_agent_monitors_config(RedsState *reds, - spice_debug("%s: %d", __func__, monitors_config->num_of_monitors); - reds_client_monitors_config(reds, monitors_config); - reds_client_monitors_config_cleanup(reds); -+ return; -+ -+overflow: -+ spice_warning("received invalid MonitorsConfig request from client, disconnecting"); -+ red_channel_client_disconnect(RED_CHANNEL_CLIENT(mcc)); -+ reds_client_monitors_config_cleanup(reds); - } - - void reds_on_main_agent_data(RedsState *reds, MainChannelClient *mcc, void *message, size_t size) diff --git a/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch b/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch deleted file mode 100644 index 6ae65ba6d13..00000000000 --- a/app-emulation/spice/files/spice-0.13.3-skip_faulty_lz4_check.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/spice-common/m4/spice-deps.m4 b/spice-common/m4/spice-deps.m4 -index adedec4..6cb8bde 100644 ---- a/spice-common/m4/spice-deps.m4 -+++ b/spice-common/m4/spice-deps.m4 -@@ -185,7 +185,7 @@ AC_DEFUN([SPICE_CHECK_LZ4], [ - - have_lz4="no" - if test "x$enable_lz4" != "xno"; then -- PKG_CHECK_MODULES([LZ4], [liblz4 >= 129], [have_lz4="yes"], [have_lz4="no"]) -+ PKG_CHECK_MODULES([LZ4], [liblz4], [have_lz4="yes"], [have_lz4="no"]) - - if test "x$have_lz4" = "xyes"; then - AC_DEFINE(USE_LZ4, [1], [Define to build with lz4 support]) diff --git a/app-emulation/spice/spice-0.13.3-r2.ebuild b/app-emulation/spice/spice-0.13.3-r2.ebuild deleted file mode 100644 index 557c17470c3..00000000000 --- a/app-emulation/spice/spice-0.13.3-r2.ebuild +++ /dev/null @@ -1,104 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 -PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} ) - -inherit autotools ltprune python-any-r1 readme.gentoo-r1 xdg-utils - -DESCRIPTION="SPICE server" -HOMEPAGE="https://www.spice-space.org/"; -SRC_URI="https://www.spice-space.org/download/releases/${P}.tar.bz2"; - -LICENSE="LGPL-2.1" -SLOT="0" -KEYWORDS="amd64 ~arm64 x86" -IUSE="libressl lz4 sasl smartcard static-libs gstreamer" - -# the libspice-server only uses the headers of libcacard -RDEPEND=" - >=dev-libs/glib-2.22:2[static-libs(+)?] - >=media-libs/celt-0.5.1.1:0.5.1[static-libs(+)?] - media-libs/opus[static-libs(+)?] - sys-libs/zlib[static-libs(+)?] - virtual/jpeg:0=[static-libs(+)?] - >=x11-libs/pixman-0.17.7[static-libs(+)?] - !libressl? ( dev-libs/openssl:0=[static-libs(+)?] ) - libressl? ( dev-libs/libressl:0=[static-libs(+)?] ) - lz4? ( app-arch/lz4:0=[static-libs(+)?] ) - smartcard? ( >=app-emulation/libcacard-0.1.2 ) - sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] ) - gstreamer? ( - media-libs/gstreamer:1.0 - media-libs/gst-plugins-base:1.0 - )" -DEPEND="${RDEPEND} - ${PYTHON_DEPS} - >=app-emulation/spice-protocol-0.12.12 - virtual/pkgconfig - $(python_gen_any_dep ' - >=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}] - dev-python/six[${PYTHON_USEDEP}] - ') - smartcard? ( app-emulation/qemu[smartcard] )" - -PATCHES=( - "${FILESDIR}"/${PN}-0.13.3-skip_faulty_lz4_check.patch - "${FILESDIR}"/${PN}-0.13.3-reds-Disconnect-when-receiving-overly-big-ClientMoni.patch - "${FILESDIR}"/${PN}-0.13.3-reds-Avoid-integer-overflows-handling-monitor-config.patch - "${FILESDIR}"/${PN}-0.13.3-reds-Avoid-buffer-overflows-handling-monitor-configu.patch -) - -python_check_deps() { - has_version ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]" - has_version "dev-python/six[${PYTHON_USEDEP}]" -} - -pkg_setup() { - [[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup -} - -src_prepare() { - default - - eautoreconf -} - -src_configure() { - # Prevent sandbox violations, bug #586560 - # https://bugzilla.gnome.org/show_bug.cgi?id=744134 - # https://bugzilla.gnome.org/show_bug.cgi?id=744135 - addpredict /dev - - xdg_environment_reset - - local myconf=" - $(use_enable static-libs static) - $(use_enable lz4) - $(use_with sasl) - $(use_enable smartcard) - --enable-gstreamer=$(usex gstreamer "1.0" "no") - --enable-celt051 - --disable-gui - " - econf ${myconf} -} - -src_compile() { - # Prevent sandbox violations, bug #586560 - # https://bugzilla.gnome.org/show_bug.cgi?id=744134 - # https://bugzilla.gnome.org/show_bug.cgi?id=744135 - addpredict /dev - - default -} - -src_install() { - default - use static-libs || prune_libtool_files - readme.gentoo_create_doc -} - -pkg_postinst() { - readme.gentoo_print_elog -}
