[arch-commits] Commit in spice/trunk (CVE-2019-3813.patch PKGBUILD)
Anatol Pomozov
anatolik at archlinux.org
Wed Jul 10 02:12:03 UTC 2019
Date: Wednesday, July 10, 2019 @ 02:12:02
Author: anatolik
Revision: 357491
upgpkg: spice 0.14.2-1
Modified:
spice/trunk/PKGBUILD
Deleted:
spice/trunk/CVE-2019-3813.patch
---------------------+
CVE-2019-3813.patch | 50 --------------------------------------------------
PKGBUILD | 23 +++++++----------------
2 files changed, 7 insertions(+), 66 deletions(-)
Deleted: CVE-2019-3813.patch
===================================================================
--- CVE-2019-3813.patch 2019-07-09 21:35:19 UTC (rev 357490)
+++ CVE-2019-3813.patch 2019-07-10 02:12:02 UTC (rev 357491)
@@ -1,50 +0,0 @@
-commit 42f658a48b675de736317b28bcc2061508f407c3
-Author: Christophe Fergeau <cfergeau at redhat.com>
-Date: Thu Nov 29 14:18:39 2018 +0100
-
- memslot: Fix off-by-one error in group/slot boundary check
-
- RedMemSlotInfo keeps an array of groups, and each group contains an
- array of slots. Unfortunately, these checks are off by 1, they check
- that the index is greater or equal to the number of elements in the
- array, while these arrays are 0 based. The check should only check for
- strictly greater than the number of elements.
-
- For the group array, this is not a big issue, as these memslot groups
- are created by spice-server users (eg QEMU), and the group ids used to
- index that array are also generated by the spice-server user, so it
- should not be possible for the guest to set them to arbitrary values.
-
- The slot id is more problematic, as it's calculated from a QXLPHYSICAL
- address, and such addresses are usually set by the guest QXL driver, so
- the guest can set these to arbitrary values, including malicious values,
- which are probably easy to build from the guest PCI configuration.
-
- This patch fixes the arrays bound check, and adds a test case for this.
- This fixes CVE-2019-3813.
-
- Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
- Acked-by: Frediano Ziglio <fziglio at redhat.com>
-
-diff --git a/server/memslot.c b/server/memslot.c
-index 7074b432..8c59c383 100644
---- a/server/memslot.c
-+++ b/server/memslot.c
-@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
- MemSlot *slot;
-
- *error = 0;
-- if (group_id > info->num_memslots_groups) {
-+ if (group_id >= info->num_memslots_groups) {
- spice_critical("group_id too big");
- *error = 1;
- return 0;
- }
-
- slot_id = memslot_get_id(info, addr);
-- if (slot_id > info->num_memslots) {
-+ if (slot_id >= info->num_memslots) {
- print_memslots(info);
- spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
- *error = 1;
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2019-07-09 21:35:19 UTC (rev 357490)
+++ PKGBUILD 2019-07-10 02:12:02 UTC (rev 357491)
@@ -2,8 +2,8 @@
# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
pkgname=spice
-pkgver=0.14.0
-pkgrel=3
+pkgver=0.14.2
+pkgrel=1
pkgdesc="SPICE server"
arch=('x86_64')
url="https://www.spice-space.org"
@@ -10,23 +10,14 @@
license=('LGPL2.1')
depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4)
makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard)
-source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
- https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign
- CVE-2019-3813.patch)
-sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848'
- 'SKIP'
- '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39')
-validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau (teuf) <christophe at fergeau.eu>
+source=(https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2{,.sign})
+sha256sums=('b203b3882e06f4c7249a3150d90c84e1a90490d41ead255a3d2cede46f4a29a7'
+ 'SKIP')
+validpgpkeys=(206D3B352F566F3B0E6572E997D9123DE37A484F) # Victor Toso de Carvalho <me at victortoso.com>
-prepare() {
- cd spice-$pkgver
- # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f
- patch -p1 < ../CVE-2019-3813.patch
-}
-
build() {
cd spice-$pkgver
- PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --disable-werror
+ PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard --enable-client --enable-celt051 --disable-werror
make
}
More information about the arch-commits
mailing list