Package: spice / 0.11.0-1+deb7u2

Metadata

Package: spice
Version: 0.11.0-1+deb7u2
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
link libspice server with libm libpthread.patch

server/Makefile.am | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 link libspice server with libm libpthread
make celt to be optional.patch

client/audio_channels.h | 8 8 + 0 - 0 !
client/playback_channel.cpp | 25 20 + 5 - 0 !
client/record_channel.cpp | 21 18 + 3 - 0 !
configure.ac | 16 11 + 5 - 0 !
server/snd_worker.c | 83 65 + 18 - 0 !
5 files changed, 122 insertions(+), 31 deletions(-)

 [patch] make celt to be optional
CVE 2013 4130.patch

server/red_channel.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 use ring_foreach_safe in red_channel.c functions which are missing it
 Currently, both red_channel_pipes_add_type() and
 red_channel_pipes_add_empty_msg() use plain RING_FOREACH(), which is not
 safe versus removals from the ring within the loop body.
 .
 Although it's rare, such a removal can occur in both cases.  In the case
 of red_channel_pipes_add_type() we have:
     red_channel_pipes_add_type()
     -> red_channel_client_pipe_add_type()
         -> red_channel_client_push()
 .
 And in the case of red_channel_client_pipes_add_empty_msg() we have:
     red_channel_client_pipes_add_empty_msg()
     -> red_channel_client_pipe_add_empty_msg()
         -> red_channel_client_push()
 .
 But red_channel_client_push() can cause a removal from the clients ring if
 a network error occurs:
     red_channel_client_push()
     -> red_channel_client_send()
         -> red_peer_handle_outgoing()
             -> handler->cb->on_error callback
             =  red_channel_client_default_peer_on_error()
                 -> red_channel_client_disconnect()
                     -> red_channel_remove_client()
                         -> ring_remove()
 .
 When this error path does occur, the assertion in RING_FOREACH()'s
 ring_next() trips, and the process containing the spice server is aborted.
 i.e. your whole VM dies, as a result of an unfortunately timed network
 error on the spice channel.
CVE 2013 4282.patch

server/reds.c | 42 31 + 11 - 0 !
1 file changed, 31 insertions(+), 11 deletions(-)

 fix buffer overflow when decrypting client spice ticket
 reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
 password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
 RSA_private_decrypt which we call for the decryption expects the
 destination buffer to be at least RSA_size(link->tiTicketing.rsa)
 bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
 is 60 while RSA_size() is 128, so we end up overflowing 'password'
 when using long passwords (this was reproduced using the string:
 'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
 as a password).
 .
 When the overflow occurs, QEMU dies with:
 *** stack smashing detected ***: qemu-system-x86_64 terminated
 .
 This commit ensures we use a correctly sized 'password' buffer,
 and that it's correctly nul-terminated so that we can use strcmp
 instead of strncmp. To keep using strncmp, we'd need to figure out
 which one of 'password' and 'taTicket.password' is the smaller buffer,
 and use that size.

CVE 2015 5260_CVE 2015 5261/0001 server red_worker wip VALIDATE_SURFACE macros remove.patch

server/red_worker.c | 62 50 + 12 - 0 !
1 file changed, 50 insertions(+), 12 deletions(-)

 [patch] server/red_worker: wip: validate_surface macros, remove
 asserts (but too late - should be done earlier)

CVE 2015 5260_CVE 2015 5261/0001 worker validate correctly surfaces.patch

server/red_worker.c | 31 17 + 14 - 0 !
1 file changed, 17 insertions(+), 14 deletions(-)

 [patch 01/19] worker: validate correctly surfaces

Do not just give warning and continue to use an invalid index into
an array.

Resolves: CVE-2015-5260

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0002 worker avoid double free or double create of surface.patch

server/red_worker.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch 02/19] worker: avoid double free or double create of surfaces

A driver can overwrite surface state by creating a surface with the same
id as a previous one.
It can also try to destroy surfaces that were not created.
Both requests cause invalid internal states that could lead to crashes
or memory corruption.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0003 Define a constant to limit data from guest.patch

server/red_parse_qxl.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 [patch 03/19] define a constant to limit data from guest.

This limit will prevent the guest from trying to do nasty things and DoS the host.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0004 Fix some integer overflow causing large memory alloc.patch

server/red_parse_qxl.c | 34 24 + 10 - 0 !
1 file changed, 24 insertions(+), 10 deletions(-)

 [patch 04/19] fix some integer overflow causing large memory
 allocations

Prevent integer overflow when computing image sizes.
Image index computations are done using 32 bits, so this can easily cause
security issues. MAX_DATA_CHUNK is larger than the virtual
card limit, so this is not going to cause a change in behaviour.
Comparing size calculation results with MAX_DATA_CHUNK will allow us to
catch overflows.
Prevent the guest from allocating large amounts of memory.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0005 Check properly surface to be created.patch

server/red_parse_qxl.c | 35 34 + 1 - 0 !
1 file changed, 34 insertions(+), 1 deletion(-)

 [patch 05/19] check properly surface to be created

Check that the format is valid.
Check that the stride is at least the number of bytes required for a row.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0008 Fix race condition on red_get_clip_rects.patch

server/red_parse_qxl.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 08/19] fix race condition on red_get_clip_rects

Do not read multiple times an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0009 Fix race in red_get_image.patch

server/red_parse_qxl.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 09/19] fix race in red_get_image

Do not read data from the guest multiple times, as it could be changed
by other vcpu threads.
This causes races and security problems if these data are used for
buffer allocation or checks.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0010 Fix race condition in red_get_string.patch

server/red_parse_qxl.c | 15 9 + 6 - 0 !
1 file changed, 9 insertions(+), 6 deletions(-)

 [patch 10/19] fix race condition in red_get_string

Do not read multiple times an array size that can be changed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0011 Fix integer overflow computing glyph_size in red_get.patch

server/red_parse_qxl.c | 8 5 + 3 - 0 !
1 file changed, 5 insertions(+), 3 deletions(-)

 [patch 11/19] fix integer overflow computing glyph_size in
 red_get_string

If bpp is an int, the formula can lead to weird overflows. width and height
are uint16_t, so the formula is:

  size_t = u16 * (u16 * int + const_int) / const_int;

so it becomes

  size_t = (int) u16 * ((int) u16 * int + const_int) / const_int;

However, the (int) u16 * (int) u16 can then become negative due to overflow.
On 64 bit architectures size_t is 64 bits and int is usually 32, so converting
this negative 32 bit number to an unsigned 64 bit one leads to a very big
number, as the sign is extended and then converted to unsigned.
Using unsigned arithmetic prevents extending the sign.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
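An added example, not code from spice-server or from the patch above, that models the glyph_size arithmetic the message describes with the before and after forms side by side. It assumes the shape size = height * (width * bpp + 7) / 8, uses uint64_t as a stand-in for the 64-bit size_t discussed, and takes the upper bound as a parameter because MAX_DATA_CHUNK's value is not given on this page.

```c
#include <stdint.h>
#include <stdbool.h>

/* Pre-fix arithmetic: uint16_t operands promote to int, the 32-bit
 * product wraps, and the resulting negative int is sign-extended when
 * widened to size_t.  Signed overflow is undefined in C, so the 32-bit
 * wraparound is reproduced here with an unsigned multiply followed by a
 * two's-complement reinterpretation (what gcc/clang targets do). */
static uint64_t glyph_size_int_arith(uint16_t width, uint16_t height, int bpp)
{
    int32_t row_bits = (int32_t)((uint32_t)width * (uint32_t)bpp + 7u);
    int32_t product  = (int32_t)((uint32_t)height * (uint32_t)row_bits);
    int32_t size     = product / 8;   /* negative for large width*height */
    return (uint64_t)size;            /* sign extension: enormous value */
}

/* Post-fix arithmetic: widen to unsigned 64-bit before multiplying, so
 * no intermediate can go negative and nothing gets sign-extended. */
static uint64_t glyph_size_unsigned(uint16_t width, uint16_t height, unsigned bpp)
{
    return (uint64_t)height * ((uint64_t)width * bpp + 7u) / 8u;
}

/* Bound the computed size against a caller-supplied limit (hypothetical
 * parameter standing in for the MAX_DATA_CHUNK comparison).  Returns
 * false when the guest-supplied dimensions must be rejected. */
static bool glyph_size_checked(uint16_t width, uint16_t height, unsigned bpp,
                               uint64_t limit, uint64_t *out)
{
    uint64_t size = glyph_size_unsigned(width, height, bpp);
    if (size > limit)
        return false;
    *out = size;
    return true;
}
```

With width 65535, height 40000 and bpp 1 the int version yields 18446744073500390704 (a negative 32-bit value sign-extended), while the unsigned version yields the true 327710000, which the limit check can then reject or accept.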
CVE 2015 5260_CVE 2015 5261/0012 Fix race condition in red_get_data_chunks_ptr.patch

server/red_parse_qxl.c | 17 10 + 7 - 0 !
1 file changed, 10 insertions(+), 7 deletions(-)

 [patch 12/19] fix race condition in red_get_data_chunks_ptr

Do not read data from the guest multiple times, as it can be changed by
other guest vcpus. This causes races and security problems if these
data are used for buffer allocation or checks.

Actually, the 'data' member can't change during read as it is just a
pointer to a fixed array contained in qxl. However, this change will
make it clear that there can be no race condition.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0013 Prevent memory leak if red_get_data_chunks_ptr fails.patch

server/red_parse_qxl.c | 31 20 + 11 - 0 !
1 file changed, 20 insertions(+), 11 deletions(-)

 [patch 13/19] prevent memory leak if red_get_data_chunks_ptr fails

Free the linked list if the client tries to do nasty things.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0014 Prevent DoS from guest trying to allocate too much d.patch

server/red_parse_qxl.c | 49 41 + 8 - 0 !
1 file changed, 41 insertions(+), 8 deletions(-)

 [patch 14/19] prevent dos from guest trying to allocate too much data
 on host for chunks

Limit the number of chunks to a given amount to avoid the guest trying to
allocate too much memory. Using circular or nested chunk lists the
guest could try to allocate huge amounts of memory.
Considering that the list can be infinite and the guest can change data, this
also prevents strange security attacks from the guest.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0015 Fix some possible overflows in red_get_string for 32.patch

server/red_parse_qxl.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch 15/19] fix some possible overflows in red_get_string for 32
 bit

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0016 Make sure we can read QXLPathSeg structures.patch

server/red_parse_qxl.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [patch 16/19] make sure we can read qxlpathseg structures

The start pointer points to a QXLPathSeg structure.
Before reading from the structure, make sure the structure is contained
in the memory range that was checked.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0017 Avoid race condition copying segments in red_get_pat.patch

server/red_parse_qxl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 17/19] avoid race condition copying segments in red_get_path

The guest can attempt to increase the number of segments while
spice-server is reading them.
Make sure we don't copy more than the allocated segments.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
CVE 2015 5260_CVE 2015 5261/0018 Prevent data_size to be set independently from data.patch

server/red_parse_qxl.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch 18/19] prevent data_size to be set independently from data

There was no check for the data_size field, so one could set data to
a small set of data and data_size much bigger than the size of data,
leading to a buffer overflow.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

CVE 2015 5260_CVE 2015 5261/0019 Prevent leak if size from red_get_data_chunks don t .patch

server/red_parse_qxl.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch 19/19] prevent leak if size from red_get_data_chunks don't
 match in red_get_image

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>