[arch-commits] Commit in spice/trunk (CVE-2019-3813.patch PKGBUILD)
Anatol Pomozov
anatolik at archlinux.org
Wed Feb 6 18:13:39 UTC 2019
Date: Wednesday, February 6, 2019 @ 18:13:38
Author: anatolik
Revision: 345329
upgpkg: spice 0.14.0-3
Added:
spice/trunk/CVE-2019-3813.patch
Modified:
spice/trunk/PKGBUILD
---------------------+
CVE-2019-3813.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 14 +++++++++++---
2 files changed, 61 insertions(+), 3 deletions(-)
Added: CVE-2019-3813.patch
===================================================================
--- CVE-2019-3813.patch (rev 0)
+++ CVE-2019-3813.patch 2019-02-06 18:13:38 UTC (rev 345329)
@@ -0,0 +1,50 @@
+commit 42f658a48b675de736317b28bcc2061508f407c3
+Author: Christophe Fergeau <cfergeau at redhat.com>
+Date: Thu Nov 29 14:18:39 2018 +0100
+
+ memslot: Fix off-by-one error in group/slot boundary check
+
+ RedMemSlotInfo keeps an array of groups, and each group contains an
+ array of slots. Unfortunately, these checks are off by 1, they check
+ that the index is greater or equal to the number of elements in the
+ array, while these arrays are 0 based. The check should only check for
+ strictly greater than the number of elements.
+
+ For the group array, this is not a big issue, as these memslot groups
+ are created by spice-server users (eg QEMU), and the group ids used to
+ index that array are also generated by the spice-server user, so it
+ should not be possible for the guest to set them to arbitrary values.
+
+ The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+ address, and such addresses are usually set by the guest QXL driver, so
+ the guest can set these to arbitrary values, including malicious values,
+ which are probably easy to build from the guest PCI configuration.
+
+ This patch fixes the arrays bound check, and adds a test case for this.
+ This fixes CVE-2019-3813.
+
+ Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
+ Acked-by: Frediano Ziglio <fziglio at redhat.com>
+
+diff --git a/server/memslot.c b/server/memslot.c
+index 7074b432..8c59c383 100644
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
+ MemSlot *slot;
+
+ *error = 0;
+- if (group_id > info->num_memslots_groups) {
++ if (group_id >= info->num_memslots_groups) {
+ spice_critical("group_id too big");
+ *error = 1;
+ return 0;
+ }
+
+ slot_id = memslot_get_id(info, addr);
+- if (slot_id > info->num_memslots) {
++ if (slot_id >= info->num_memslots) {
+ print_memslots(info);
+ spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+ *error = 1;
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-02-06 13:23:41 UTC (rev 345328)
+++ PKGBUILD 2019-02-06 18:13:38 UTC (rev 345329)
@@ -3,7 +3,7 @@
pkgname=spice
pkgver=0.14.0
-pkgrel=2
+pkgrel=3
pkgdesc="SPICE server"
arch=('x86_64')
url="https://www.spice-space.org"
@@ -11,11 +11,19 @@
depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4)
makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard)
source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
- https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign)
+ https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign
+ CVE-2019-3813.patch)
sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848'
- 'SKIP')
+ 'SKIP'
+ '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39')
validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau (teuf) <christophe at fergeau.eu>
+prepare() {
+ cd spice-$pkgver
+ # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f
+ patch -p1 < ../CVE-2019-3813.patch
+}
+
build() {
cd spice-$pkgver
PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --disable-werror
More information about the arch-commits
mailing list