Commit 4e7f2805 authored by Leonardo Arena

main/spice: security fix (CVE-2018-10873)

Fixes #9313
parent 8c2d71dd
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.12.8
pkgrel=3
pkgrel=4
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
......@@ -15,11 +15,15 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev
install=""
subpackages="$pkgname-dev $pkgname-server"
source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
CVE-2017-7506.patch"
CVE-2017-7506.patch
CVE-2018-10873.patch
"
builddir="$srcdir"/$pkgname-$pkgver
# secfixes:
# 0.12.8-r4:
# - CVE-2018-10873
# 0.12.8-r3:
# - CVE-2017-7506
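Review bot: the new `# 0.12.8-r4:` / `# - CVE-2018-10873` secfixes entry matches the `pkgrel=4` bump in the hunk above, which is what the secfixes tooling keys on, so that part is consistent; what would help future maintainers is a comment beside the new `CVE-2018-10873.patch` source entry naming the upstream commit it is taken from (the embedded patch header gives it as bb15d4815ab586b4c4a20f4a565970a44824c42c by Frediano Ziglio). Also confirm, in the prepare()/build() steps outside this hunk, that the patch applies from `builddir`: its paths are rooted at `spice-common/python_modules/demarshal.py`, a subdirectory of the spice tarball.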
......@@ -54,8 +58,11 @@ server() {
}
md5sums="376853d11b9921aa34a06c4dbef81874 spice-0.12.8.tar.bz2
47eef95ef416029b88e0d38ae9bf1c30 CVE-2017-7506.patch"
47eef95ef416029b88e0d38ae9bf1c30 CVE-2017-7506.patch
03d312fad101fe22230e5b4dcf5cec8d CVE-2018-10873.patch"
sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2
ec75c6a3c8a104aef22c040d945b52ecd31735e35a3f95078da5656bfc721704 CVE-2017-7506.patch"
ec75c6a3c8a104aef22c040d945b52ecd31735e35a3f95078da5656bfc721704 CVE-2017-7506.patch
997390924d5e964ce89c9a8c44f064dc40a375d6dc6b120f7a0f727ae2792bc8 CVE-2018-10873.patch"
sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed spice-0.12.8.tar.bz2
8a7387fd297aa3d59e38af650f3f12d9b89e46283e2ceaf53ca6e01db6db3c2ac0df164fde05decc4a0d8a05296d3f31195e86e383029804e91b23c84e1292a2 CVE-2017-7506.patch"
8a7387fd297aa3d59e38af650f3f12d9b89e46283e2ceaf53ca6e01db6db3c2ac0df164fde05decc4a0d8a05296d3f31195e86e383029804e91b23c84e1292a2 CVE-2017-7506.patch
fd6f797daa7ae9d518111c23c9b594f2ef4ccfeb3725373060668b244588681c147b9c407791a56b85e7abb438f7174a4de5a78cd3e8c90f018efb2bae9302b4 CVE-2018-10873.patch"
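Review bot: md5sums and sha256sums are being extended alongside sha512sums, which keeps the three arrays consistent (each gains a CVE-2018-10873.patch entry and the closing quote moves to the new last line), but MD5 offers no collision resistance and the weaker arrays add nothing once the SHA-512 digest is verified; if the build tooling on this branch verifies sha512sums on its own, consider dropping md5sums and sha256sums instead of carrying them forward.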
From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fziglio@redhat.com>
Date: Fri, 18 May 2018 11:41:57 +0100
Subject: [PATCH] Fix flexible array buffer overflow
This is kind of a DoS, possibly a flexible array in the protocol
causes the network size check to be ignored due to integer overflows.
The size of the flexible array is computed as (message_end - position),
then this size is added to the number of bytes before the array and
this number is used to check if we overflow the initial message.
An example is:

    message {
        uint32 dummy[2];
        uint8 data[] @end;
    } LenMessage;

which generated this (simplified, useless code removed) code:

    { /* data */
        data__nelements = message_end - (start + 8);
        data__nw_size = data__nelements;
    }
    nw_size = 8 + data__nw_size;
    /* Check if message fits in reported side */
    if (nw_size > (uintptr_t) (message_end - start)) {
        return NULL;
    }

Following code:
- data__nelements == message_end - (start + 8)
- data__nw_size == data__nelements == message_end - (start + 8)
- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
  8 + message_end - start - 8 == message_end - start
- the check for overflow is (nw_size > (message_end - start)) but
  nw_size == message_end - start so the check is doing
  ((message_end - start) > (message_end - start)) which is always false.

If message_end - start < 8 then the data__nelements (number of elements
in the array above) computation generates an integer underflow that
later creates a buffer overflow.

Add a check to make sure that the array starts before the message ends
to avoid the overflow.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
---
python_modules/demarshal.py | 1 +
tests/test-marshallers.c | 8 ++++++++
tests/test-marshallers.h | 5 +++++
tests/test-marshallers.proto | 5 +++++
4 files changed, 19 insertions(+)
diff --git a/spice-commmon/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
index 7b53361..5a237a6 100644
--- a/spice-common/python_modules/demarshal.py
+++ b/spice-common/python_modules/demarshal.py
@@ -331,6 +331,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
writer.assign(nelements, array.size)
elif array.is_remaining_length():
if element_type.is_fixed_nw_size():
+ writer.error_check("%s > message_end" % item.get_position())
if element_type.get_fixed_nw_size() == 1:
writer.assign(nelements, "message_end - %s" % item.get_position())
else:
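Review bot: the added `writer.error_check("%s > message_end" % item.get_position())` sits before the `if element_type.get_fixed_nw_size() == 1` split, so both the unit-size path that assigns `message_end - position` and the `else:` path below it are guarded, and because the comparison is `>` rather than `>=` a position equal to message_end still passes and yields zero elements, which is the correct empty-array case; what remains to confirm outside the visible lines is that the enclosing `elif array.is_remaining_length()` has no further branch for non-fixed-size elements that performs the same subtraction unguarded. Two smaller points: the diffstat above lists tests/test-marshallers.c, .h and .proto with 18 added lines, yet only the demarshal.py hunk is carried here, so check that the CVE-2018-10873.patch shipped in aports includes the test additions or trim the diffstat; and the `diff --git` header spells the directory `spice-commmon` while the `---`/`+++` lines say `spice-common`, an inconsistency worth correcting in the carried patch file.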
--
2.18.1
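The arithmetic the commit message above walks through, carried out in C as an added example (not code from spice, spice-common or this commit): start and message_end are modelled as byte offsets into the received buffer, and validate_len_message, old_accepts, fixed_accepts and the 20-, 8- and 5-byte message lengths are constructed here for illustration. With a 5-byte message the pre-patch path wraps data__nelements to SIZE_MAX - 2 and nw_size back to 5, so the "does it fit" check passes; the position > message_end check that the patch emits rejects the same message before the subtraction happens.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Model of the generated demarshaller logic quoted in the commit message,
 * for a message laid out as:
 *     message { uint32 dummy[2]; uint8 data[] @end; } LenMessage;
 * Positions are byte offsets into the received buffer: start == 0 and
 * message_end == message_len. Unsigned arithmetic is used, as the
 * generated code does via uintptr_t, so a subtraction that goes
 * negative wraps instead of trapping.
 */
#define FIXED_PREFIX 8u  /* sizeof(uint32 dummy[2]) */

struct validation {
    int accepted;      /* 1 if the "message fits" check passed */
    size_t nelements;  /* element count derived for data[] */
};

/* with_fix == 0 reproduces the pre-patch code path; with_fix == 1 adds the
 * check the patch emits (position > message_end -> reject) ahead of it. */
static struct validation validate_len_message(size_t message_len, int with_fix)
{
    struct validation v = { 0, 0 };
    size_t start = 0;
    size_t message_end = message_len;
    size_t data_position = start + FIXED_PREFIX;  /* where data[] begins */

    if (with_fix && data_position > message_end) {
        /* The patched generator emits this error_check before the
         * subtraction below, so a truncated message is rejected here. */
        return v;
    }

    /* Pre-patch arithmetic: nelements wraps when the message is shorter
     * than the fixed prefix. */
    size_t data__nelements = message_end - data_position;
    size_t data__nw_size = data__nelements;         /* uint8 elements */
    size_t nw_size = FIXED_PREFIX + data__nw_size;  /* wraps back to message_len */

    v.nelements = data__nelements;
    /* The original size check: nw_size always equals message_end - start,
     * so this comparison can never be true. */
    if (nw_size > message_end - start) {
        return v;  /* accepted stays 0 */
    }
    v.accepted = 1;
    return v;
}

/* Thin accessors so each outcome can be checked as a plain return value. */
int old_accepts(size_t message_len)        { return validate_len_message(message_len, 0).accepted; }
size_t old_nelements(size_t message_len)   { return validate_len_message(message_len, 0).nelements; }
int fixed_accepts(size_t message_len)      { return validate_len_message(message_len, 1).accepted; }
size_t fixed_nelements(size_t message_len) { return validate_len_message(message_len, 1).nelements; }

int main(void)
{
    /* Constructed message lengths: well-formed, exactly the prefix, truncated. */
    const size_t lengths[] = { 20, 8, 5 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        size_t len = lengths[i];
        printf("len=%2zu  old: accept=%d nelements=%zu  fixed: accept=%d nelements=%zu\n",
               len, old_accepts(len), old_nelements(len),
               fixed_accepts(len), fixed_nelements(len));
    }
    return 0;
}
```

The 8-byte case is included because the new check uses `>` rather than `>=`: an array that starts exactly at message_end is an empty array, not an error, and both versions accept it with nelements == 0.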