[arch-commits] Commit in spice/repos (6 files)

Tobias Powalowski tpowa at nymeria.archlinux.org
Mon Nov 18 07:36:22 UTC 2013


    Date: Monday, November 18, 2013 @ 08:36:22
  Author: tpowa
Revision: 199889

archrelease: copy trunk to extra-i686, extra-x86_64

Added:
  spice/repos/extra-i686/CVE-2013-4282.patch
    (from rev 199888, spice/trunk/CVE-2013-4282.patch)
  spice/repos/extra-i686/PKGBUILD
    (from rev 199888, spice/trunk/PKGBUILD)
  spice/repos/extra-x86_64/CVE-2013-4282.patch
    (from rev 199888, spice/trunk/CVE-2013-4282.patch)
  spice/repos/extra-x86_64/PKGBUILD
    (from rev 199888, spice/trunk/PKGBUILD)
Deleted:
  spice/repos/extra-i686/PKGBUILD
  spice/repos/extra-x86_64/PKGBUILD

----------------------------------+
 /PKGBUILD                        |   66 +++++++++++++++++++++++
 extra-i686/CVE-2013-4282.patch   |  104 +++++++++++++++++++++++++++++++++++++
 extra-i686/PKGBUILD              |   26 ---------
 extra-x86_64/CVE-2013-4282.patch |  104 +++++++++++++++++++++++++++++++++++++
 extra-x86_64/PKGBUILD            |   26 ---------
 5 files changed, 274 insertions(+), 52 deletions(-)

Copied: spice/repos/extra-i686/CVE-2013-4282.patch (from rev 199888, spice/trunk/CVE-2013-4282.patch)
===================================================================
--- extra-i686/CVE-2013-4282.patch	                        (rev 0)
+++ extra-i686/CVE-2013-4282.patch	2013-11-18 07:36:22 UTC (rev 199889)
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau at redhat.com>
+Date: Fri, 23 Aug 2013 09:29:44 +0000
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+     RedLinkInfo *link = (RedLinkInfo *)opaque;
+-    char password[SPICE_MAX_PASSWORD_LENGTH];
++    char *password;
+     time_t ltime;
++    int password_size;
+ 
+     //todo: use monotonic time
+     time(&ltime);
+-    RSA_private_decrypt(link->tiTicketing.rsa_size,
+-                        link->tiTicketing.encrypted_ticket.encrypted_data,
+-                        (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++    if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++        spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++                      "SPICE ticket sent from client may be truncated",
++                      RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++    }
++
++    password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++    password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++                                        link->tiTicketing.encrypted_ticket.encrypted_data,
++                                        (unsigned char *)password,
++                                        link->tiTicketing.rsa,
++                                        RSA_PKCS1_OAEP_PADDING);
++    if (password_size == -1) {
++        spice_warning("failed to decrypt RSA encrypted password: %s",
++                      ERR_error_string(ERR_get_error(), NULL));
++        goto error;
++    }
++    password[password_size] = '\0';
+ 
+     if (ticketing_enabled && !link->skip_auth) {
+         int expired =  taTicket.expiration_time < ltime;
+ 
+         if (strlen(taTicket.password) == 0) {
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+             spice_warning("Ticketing is enabled, but no password is set. "
+-                        "please set a ticket first");
+-            reds_link_free(link);
+-            return;
++                          "please set a ticket first");
++            goto error;
+         }
+ 
+-        if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++        if (expired || strcmp(password, taTicket.password) != 0) {
+             if (expired) {
+                 spice_warning("Ticket has expired");
+             } else {
+                 spice_warning("Invalid password");
+             }
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+-            reds_link_free(link);
+-            return;
++            goto error;
+         }
+     }
+ 
+     reds_handle_link(link);
++    goto end;
++
++error:
++    reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++    reds_link_free(link);
++
++end:
++    g_free(password);
+ }
+ 
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe
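Review bot: The decrypted ticket is released at `g_free(password);` without being cleared first, so the plaintext password survives in freed heap memory for the rest of the process lifetime; since reds.c already calls OpenSSL, `OPENSSL_cleanse(password, RSA_size(link->tiTicketing.rsa) + 1);` immediately before the `g_free` would fix that on both the `error` and `end` paths. The new `if (expired || strcmp(password, taTicket.password) != 0)` also compares a client-supplied string with an early-exit comparison, which is a (small) timing signal about how many leading bytes matched; a constant-time comparison over a fixed length (for example OpenSSL's `CRYPTO_memcmp`, if the build's OpenSSL version provides it) plus a separate length check would close it. This file is an upstream patch vendored verbatim, so either change belongs in a follow-up patch rather than in this hunk; the extra-x86_64 copy of the same patch has the identical content.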

Deleted: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD	2013-11-18 07:36:08 UTC (rev 199888)
+++ extra-i686/PKGBUILD	2013-11-18 07:36:22 UTC (rev 199889)
@@ -1,26 +0,0 @@
-# $Id$
-# Maintainer: Sergej Pupykin <pupykin.s+arch at gmail.com>
-# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
-
-pkgname=spice
-pkgver=0.12.4
-pkgrel=2
-pkgdesc="SPICE client and server"
-arch=('i686' 'x86_64')
-url="http://spice-space.org"
-license=('LGPL2.1')
-depends=(alsa-lib celt0.5.1 libcacard libjpeg-turbo libsasl libxinerama libxfixes libxrandr pixman)
-makedepends=(python2-pyparsing qemu spice-protocol)
-source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2)
-md5sums=('325b1c42ce24e75de45a75876b73a8bd')
-
-build() {
-  cd "$srcdir/$pkgname-$pkgver"
-  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client
-  make
-}
-
-package() {
-  cd "$srcdir/$pkgname-$pkgver"
-  make DESTDIR="$pkgdir/" install
-}

Copied: spice/repos/extra-i686/PKGBUILD (from rev 199888, spice/trunk/PKGBUILD)
===================================================================
--- extra-i686/PKGBUILD	                        (rev 0)
+++ extra-i686/PKGBUILD	2013-11-18 07:36:22 UTC (rev 199889)
@@ -0,0 +1,33 @@
+# $Id$
+# Maintainer: Sergej Pupykin <pupykin.s+arch at gmail.com>
+# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
+
+pkgname=spice
+pkgver=0.12.4
+pkgrel=3
+pkgdesc="SPICE client and server"
+arch=('i686' 'x86_64')
+url="http://spice-space.org"
+license=('LGPL2.1')
+depends=(alsa-lib celt0.5.1 libcacard libjpeg-turbo libsasl libxinerama libxfixes libxrandr pixman)
+makedepends=(python2-pyparsing qemu spice-protocol)
+source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
+        CVE-2013-4282.patch)
+
+prepare() {
+  cd "$srcdir/$pkgname-$pkgver"
+  patch -Np1 -i ../CVE-2013-4282.patch
+}
+
+build() {
+  cd "$srcdir/$pkgname-$pkgver"
+  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client
+  make
+}
+
+package() {
+  cd "$srcdir/$pkgname-$pkgver"
+  make DESTDIR="$pkgdir/" install
+}
+md5sums=('325b1c42ce24e75de45a75876b73a8bd'
+         '24a1648e7c684b4444d7921b5534767e')
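Review bot: The tarball in `source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2` is fetched over plain HTTP and the only integrity check is the `md5sums` array, so the trust in the downloaded source rests entirely on MD5; makepkg supports `sha256sums=(...)`, and replacing the array with `sha256sums=('<sha256 of spice-0.12.4.tar.bz2>' '<sha256 of CVE-2013-4282.patch>')`, computed from a tarball verified against upstream's published checksum or signature, would give a stronger pin (the values above are placeholders, not real digests). As a style point, the checksum array sits after `package()` instead of next to `source=`, which makes it easy to miss when the source list is edited. The extra-x86_64 PKGBUILD in this commit is identical and has the same two points.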

Copied: spice/repos/extra-x86_64/CVE-2013-4282.patch (from rev 199888, spice/trunk/CVE-2013-4282.patch)
===================================================================
--- extra-x86_64/CVE-2013-4282.patch	                        (rev 0)
+++ extra-x86_64/CVE-2013-4282.patch	2013-11-18 07:36:22 UTC (rev 199889)
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau at redhat.com>
+Date: Fri, 23 Aug 2013 09:29:44 +0000
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+     RedLinkInfo *link = (RedLinkInfo *)opaque;
+-    char password[SPICE_MAX_PASSWORD_LENGTH];
++    char *password;
+     time_t ltime;
++    int password_size;
+ 
+     //todo: use monotonic time
+     time(&ltime);
+-    RSA_private_decrypt(link->tiTicketing.rsa_size,
+-                        link->tiTicketing.encrypted_ticket.encrypted_data,
+-                        (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++    if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++        spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++                      "SPICE ticket sent from client may be truncated",
++                      RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++    }
++
++    password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++    password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++                                        link->tiTicketing.encrypted_ticket.encrypted_data,
++                                        (unsigned char *)password,
++                                        link->tiTicketing.rsa,
++                                        RSA_PKCS1_OAEP_PADDING);
++    if (password_size == -1) {
++        spice_warning("failed to decrypt RSA encrypted password: %s",
++                      ERR_error_string(ERR_get_error(), NULL));
++        goto error;
++    }
++    password[password_size] = '\0';
+ 
+     if (ticketing_enabled && !link->skip_auth) {
+         int expired =  taTicket.expiration_time < ltime;
+ 
+         if (strlen(taTicket.password) == 0) {
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+             spice_warning("Ticketing is enabled, but no password is set. "
+-                        "please set a ticket first");
+-            reds_link_free(link);
+-            return;
++                          "please set a ticket first");
++            goto error;
+         }
+ 
+-        if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++        if (expired || strcmp(password, taTicket.password) != 0) {
+             if (expired) {
+                 spice_warning("Ticket has expired");
+             } else {
+                 spice_warning("Invalid password");
+             }
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+-            reds_link_free(link);
+-            return;
++            goto error;
+         }
+     }
+ 
+     reds_handle_link(link);
++    goto end;
++
++error:
++    reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++    reds_link_free(link);
++
++end:
++    g_free(password);
+ }
+ 
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe

Deleted: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD	2013-11-18 07:36:08 UTC (rev 199888)
+++ extra-x86_64/PKGBUILD	2013-11-18 07:36:22 UTC (rev 199889)
@@ -1,26 +0,0 @@
-# $Id$
-# Maintainer: Sergej Pupykin <pupykin.s+arch at gmail.com>
-# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
-
-pkgname=spice
-pkgver=0.12.4
-pkgrel=2
-pkgdesc="SPICE client and server"
-arch=('i686' 'x86_64')
-url="http://spice-space.org"
-license=('LGPL2.1')
-depends=(alsa-lib celt0.5.1 libcacard libjpeg-turbo libsasl libxinerama libxfixes libxrandr pixman)
-makedepends=(python2-pyparsing qemu spice-protocol)
-source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2)
-md5sums=('325b1c42ce24e75de45a75876b73a8bd')
-
-build() {
-  cd "$srcdir/$pkgname-$pkgver"
-  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client
-  make
-}
-
-package() {
-  cd "$srcdir/$pkgname-$pkgver"
-  make DESTDIR="$pkgdir/" install
-}

Copied: spice/repos/extra-x86_64/PKGBUILD (from rev 199888, spice/trunk/PKGBUILD)
===================================================================
--- extra-x86_64/PKGBUILD	                        (rev 0)
+++ extra-x86_64/PKGBUILD	2013-11-18 07:36:22 UTC (rev 199889)
@@ -0,0 +1,33 @@
+# $Id$
+# Maintainer: Sergej Pupykin <pupykin.s+arch at gmail.com>
+# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
+
+pkgname=spice
+pkgver=0.12.4
+pkgrel=3
+pkgdesc="SPICE client and server"
+arch=('i686' 'x86_64')
+url="http://spice-space.org"
+license=('LGPL2.1')
+depends=(alsa-lib celt0.5.1 libcacard libjpeg-turbo libsasl libxinerama libxfixes libxrandr pixman)
+makedepends=(python2-pyparsing qemu spice-protocol)
+source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
+        CVE-2013-4282.patch)
+
+prepare() {
+  cd "$srcdir/$pkgname-$pkgver"
+  patch -Np1 -i ../CVE-2013-4282.patch
+}
+
+build() {
+  cd "$srcdir/$pkgname-$pkgver"
+  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client
+  make
+}
+
+package() {
+  cd "$srcdir/$pkgname-$pkgver"
+  make DESTDIR="$pkgdir/" install
+}
+md5sums=('325b1c42ce24e75de45a75876b73a8bd'
+         '24a1648e7c684b4444d7921b5534767e')



