Package: spice / 0.14.0-1.3
Patch seriesview the series file
|Fix flexible array buffer overflow.patch | (download)||
1 1 + 0 - 0 !
fix flexible array buffer overflow
|refresh tests pki keys.patch | (download)||
32 19 + 13 - 0 !
tests/pki: use ca/certificate with 2048 bit rsa keys The testsuite contains only 1024 bit RSA keys generated/refreshed in the upstream commit https://cgit.freedesktop.org/spice/spice/commit/server/tests/pki?id=7b5e294a363e1500ab1a5b143da1602c9fed0547 . In openssl/1.1.1-1 /etc/ssl/openssl.cnf contains . CipherString = DEFAULT@SECLEVEL=2 . This level is responsible to not accept the 80 bits used in the certificate in this test, while we need at least 112 bits. . Generate new certificates following the instructions from https://www.spice-space.org/spice-user-manual.html .
|memslot Fix off by one error in group slot boundary .patch | (download)||
4 2 + 2 - 0 !
[spice-server] memslot: fix off-by-one error in group/slot boundary check RedMemSlotInfo keeps an array of groups, and each group contains an array of slots. Unfortunately, these checks are off by 1, they check that the index is greater or equal to the number of elements in the array, while these arrays are 0 based. The check should only check for strictly greater than the number of elements. For the group array, this is not a big issue, as these memslot groups are created by spice-server users (eg QEMU), and the group ids used to index that array are also generated by the spice-server user, so it should not be possible for the guest to set them to arbitrary values. The slot id is more problematic, as it's calculated from a QXLPHYSICAL address, and such addresses are usually set by the guest QXL driver, so the guest can set these to arbitrary values, including malicious values, which are probably easy to build from the guest PCI configuration. This patch fixes the arrays bound check, and adds a test case for this. Signed-off-by: Christophe Fergeau <email@example.com>