[arch-commits] Commit in spice/trunk (CVE-2019-3813.patch PKGBUILD)

Anatol Pomozov anatolik at archlinux.org
Wed Jul 10 02:12:03 UTC 2019 

    Date: Wednesday, July 10, 2019 @ 02:12:02
  Author: anatolik
Revision: 357491

upgpkg: spice 0.14.2-1

Modified:
  spice/trunk/PKGBUILD
Deleted:
  spice/trunk/CVE-2019-3813.patch

---------------------+
 CVE-2019-3813.patch |   50 --------------------------------------------------
 PKGBUILD            |   23 +++++++----------------
 2 files changed, 7 insertions(+), 66 deletions(-)

Deleted: CVE-2019-3813.patch
===================================================================
--- CVE-2019-3813.patch	2019-07-09 21:35:19 UTC (rev 357490)
+++ CVE-2019-3813.patch	2019-07-10 02:12:02 UTC (rev 357491)
@@ -1,50 +0,0 @@
-commit 42f658a48b675de736317b28bcc2061508f407c3
-Author: Christophe Fergeau <cfergeau at redhat.com>
-Date:   Thu Nov 29 14:18:39 2018 +0100
-
-    memslot: Fix off-by-one error in group/slot boundary check
-    
-    RedMemSlotInfo keeps an array of groups, and each group contains an
-    array of slots. Unfortunately, these checks are off by 1, they check
-    that the index is greater or equal to the number of elements in the
-    array, while these arrays are 0 based. The check should only check for
-    strictly greater than the number of elements.
-    
-    For the group array, this is not a big issue, as these memslot groups
-    are created by spice-server users (eg QEMU), and the group ids used to
-    index that array are also generated by the spice-server user, so it
-    should not be possible for the guest to set them to arbitrary values.
-    
-    The slot id is more problematic, as it's calculated from a QXLPHYSICAL
-    address, and such addresses are usually set by the guest QXL driver, so
-    the guest can set these to arbitrary values, including malicious values,
-    which are probably easy to build from the guest PCI configuration.
-    
-    This patch fixes the arrays bound check, and adds a test case for this.
-    This fixes CVE-2019-3813.
-    
-    Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
-    Acked-by: Frediano Ziglio <fziglio at redhat.com>
-
-diff --git a/server/memslot.c b/server/memslot.c
-index 7074b432..8c59c383 100644
---- a/server/memslot.c
-+++ b/server/memslot.c
-@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
-     MemSlot *slot;
- 
-     *error = 0;
--    if (group_id > info->num_memslots_groups) {
-+    if (group_id >= info->num_memslots_groups) {
-         spice_critical("group_id too big");
-         *error = 1;
-         return 0;
-     }
- 
-     slot_id = memslot_get_id(info, addr);
--    if (slot_id > info->num_memslots) {
-+    if (slot_id >= info->num_memslots) {
-         print_memslots(info);
-         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
-         *error = 1;
- 

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2019-07-09 21:35:19 UTC (rev 357490)
+++ PKGBUILD	2019-07-10 02:12:02 UTC (rev 357491)
@@ -2,8 +2,8 @@
 # Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
 
 pkgname=spice
-pkgver=0.14.0
-pkgrel=3
+pkgver=0.14.2
+pkgrel=1
 pkgdesc="SPICE server"
 arch=('x86_64')
 url="https://www.spice-space.org"
@@ -10,23 +10,14 @@
 license=('LGPL2.1')
 depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4)
 makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard)
-source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
-        https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign
-        CVE-2019-3813.patch)
-sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848'
-            'SKIP'
-            '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39')
-validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau (teuf) <christophe at fergeau.eu>
+source=(https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2{,.sign})
+sha256sums=('b203b3882e06f4c7249a3150d90c84e1a90490d41ead255a3d2cede46f4a29a7'
+            'SKIP')
+validpgpkeys=(206D3B352F566F3B0E6572E997D9123DE37A484F) # Victor Toso de Carvalho <me at victortoso.com>
 
-prepare() {
-  cd spice-$pkgver
-  # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f
-  patch -p1 < ../CVE-2019-3813.patch
-}
-
 build() {
   cd spice-$pkgver
-  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --disable-werror
+  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --enable-celt051 --disable-werror
   make
 }

More information about the arch-commits mailing list