Package: spice / 0.14.0-1.3+deb10u1


Package Version Patches format
spice 0.14.0-1.3+deb10u1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
Fix flexible array buffer overflow.patch | (download)

spice-common/python_modules/ | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fix flexible array buffer overflow
refresh tests pki keys.patch | (download)

server/tests/pki/ca-cert.pem | 32 19 + 13 - 0 !
server/tests/pki/server-cert.pem | 23 14 + 9 - 0 !
server/tests/pki/server-key.pem | 38 25 + 13 - 0 !
3 files changed, 58 insertions(+), 35 deletions(-)

 tests/pki: use ca/certificate with 2048 bit rsa keys
 The testsuite contains only 1024 bit RSA keys generated/refreshed
 in the upstream commit
 In openssl/1.1.1-1 /etc/ssl/openssl.cnf contains
   CipherString = DEFAULT@SECLEVEL=2
 This level is responsible to not accept the 80 bits used in
 the certificate in this test, while we need at least 112 bits.
 Generate new certificates following the instructions from .
memslot Fix off by one error in group slot boundary .patch | (download)

server/memslot.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [spice-server] memslot: fix off-by-one error in group/slot boundary

RedMemSlotInfo keeps an array of groups, and each group contains an
array of slots. Unfortunately, these checks are off by 1, they check
that the index is greater or equal to the number of elements in the
array, while these arrays are 0 based. The check should only check for
strictly greater than the number of elements.

For the group array, this is not a big issue, as these memslot groups
are created by spice-server users (eg QEMU), and the group ids used to
index that array are also generated by the spice-server user, so it
should not be possible for the guest to set them to arbitrary values.

The slot id is more problematic, as it's calculated from a QXLPHYSICAL
address, and such addresses are usually set by the guest QXL driver, so
the guest can set these to arbitrary values, including malicious values,
which are probably easy to build from the guest PCI configuration.

This patch fixes the arrays bound check, and adds a test case for this.

Signed-off-by: Christophe Fergeau <>

quic Check we have some data to start decoding quic .patch | (download)

spice-common/common/quic.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch spice-common 1/4] quic: check we have some data to start
 decoding quic image

All paths already pass some data to quic_decode_begin but for the
test check it, it's not that expensive test.
Checking for not 0 is enough, all other words will potentially be
read calling more_io_words but we need one to avoid a potential
initial buffer overflow or deferencing an invalid pointer.

Signed-off-by: Frediano Ziglio <>
quic Check image size in quic_decode_begin.patch | (download)

spice-common/common/quic.c | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 [patch spice-common 2/4] quic: check image size in quic_decode_begin

Avoid some overflow in code due to images too big or
negative numbers.

Signed-off-by: Frediano Ziglio <>
quic Check RLE lengths.patch | (download)

spice-common/common/quic_tmpl.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [patch spice-common 3/4] quic: check rle lengths

Avoid buffer overflows decoding images. On compression we compute
lengths till end of line so it won't cause regressions.
Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <>
quic Avoid possible buffer overflow in find_bucket.patch | (download)

spice-common/common/quic_family_tmpl.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch spice-common 4/4] quic: avoid possible buffer overflow in

Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <>