Package: spice / 0.12.8-2.1+deb9u3

Metadata

Package: spice
Version: 0.12.8-2.1+deb9u3
Patches format: 3.0 (quilt)

Patch series

Patch: stop linking with libcacard.diff

  configure.ac | 6 lines (+3, -3, !0)
  1 file changed, 3 insertions(+), 3 deletions(-)

  do not link spice with libcacard
Patch: CVE 2016 9577 and CVE 2016 9578.patch

  server/main_channel.c |  3 lines (+3, -0, !0)
  server/reds.c         | 11 lines (+10, -1, !0)
  2 files changed, 13 insertions(+), 1 deletion(-)

  CVE-2016-9577 and CVE-2016-9578

  Bug-Debian: https://bugs.debian.org/854336
Patch: CVE 2017 7506 1.patch

  server/reds.c | 25 lines (+23, -2, !0)
  1 file changed, 23 insertions(+), 2 deletions(-)

  [spice-server 1/3] reds: disconnect when receiving overly big
  ClientMonitorsConfig

  Total message size received from the client was unlimited. There is
  a 2kiB size check on individual agent messages, but the MonitorsConfig
  message can be split in multiple chunks, and the size of the
  non-chunked MonitorsConfig message was never checked. This could easily
  lead to memory exhaustion on the host.

  Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Patch: CVE 2017 7506 2.patch

  server/reds.c | 3 lines (+3, -0, !0)
  1 file changed, 3 insertions(+)

  [spice-server 2/3] reds: avoid integer overflows handling monitor
  configuration

  Avoid VDAgentMessage::size integer overflows.

  Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Patch: CVE 2017 7506 3.patch

  server/reds.c | 7 lines (+7, -0, !0)
  1 file changed, 7 insertions(+)

  [spice-server 3/3] reds: avoid buffer overflows handling monitor
  configuration

  It was also possible for a malicious client to set
  VDAgentMonitorsConfig::num_of_monitors to a number larger
  than the actual size of VDAgentMonitorsConfig::monitors.
  This would lead to buffer overflows, which could allow the guest to
  read part of the host memory. This might cause write overflows in the
  host as well, but controlling the content of such buffers seems
  complicated.

  Signed-off-by: Frediano Ziglio <fziglio@redhat.com>

Patch: Fix flexible array buffer overflow.patch

  spice-common/python_modules/demarshal.py | 1 line (+1, -0, !0)
  1 file changed, 1 insertion(+)

  fix flexible array buffer overflow
Patch: memslot Fix off by one error in group slot boundary .patch

  server/red_memslots.c | 4 lines (+2, -2, !0)
  1 file changed, 2 insertions(+), 2 deletions(-)

  [spice-server] memslot: fix off-by-one error in group/slot boundary
  check

  RedMemSlotInfo keeps an array of groups, and each group contains an
  array of slots. Unfortunately, these checks are off by 1: they check
  that the index is greater than or equal to the number of elements in
  the array, while these arrays are 0-based. The check should only check
  for strictly greater than the number of elements.

  For the group array, this is not a big issue, as these memslot groups
  are created by spice-server users (e.g. QEMU), and the group ids used to
  index that array are also generated by the spice-server user, so it
  should not be possible for the guest to set them to arbitrary values.

  The slot id is more problematic, as it's calculated from a QXLPHYSICAL
  address, and such addresses are usually set by the guest QXL driver, so
  the guest can set these to arbitrary values, including malicious values,
  which are probably easy to build from the guest PCI configuration.

  This patch fixes the array bounds checks, and adds a test case for this.

  Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>