path: root/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
author Peter Korsgaard <peter@korsgaard.com> 2018-10-17 11:45:19 +0200
committer Peter Korsgaard <peter@korsgaard.com> 2018-10-20 15:35:04 +0200
commit f33f7a4f6407f624edb4b4ffe54cb09e029a49b2 (patch)
tree 6456847b016f1e2443ef77de4e776e4154bec142 /package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
parent de8a4b747fb82f4a260d7d0451eaf99dfc745bc4 (diff)
spice: security bump to version 0.14.1

Fixes CVE-2018-10873: A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.

Drop patches as they are now upstream.

Add host-pkgconf as the configure script uses pkg-config.

Drop removed --disable-automated-tests configure flag.

Add optional opus support, as that is now supported and needs to be explicitly disabled to not use.

Explicitly disable optional gstreamer support for now as the dependency tree is fairly complicated.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch')
-rw-r--r-- package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch | 43
1 files changed, 0 insertions, 43 deletions
diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
deleted file mode 100644
index 5bf9b89d17..0000000000
--- a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Tue, 13 Dec 2016 14:40:10 +0000
-Subject: [PATCH] Prevent integer overflows in capability checks
-
-The limits for capabilities are specified using 32 bit unsigned integers.
-This could cause possible integer overflows causing buffer overflows.
-For instance the sum of num_common_caps and num_caps can be 0 avoiding
-additional checks.
-As the link message is now capped to 4096 and the capabilities are
-contained in the link message limit the capabilities to 1024
-(capabilities are expressed in number of uint32_t items).
-
-[Peter: fixes CVE-2016-9578]
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- server/reds.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index 86a33d53..91504544 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
- link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
- link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
-
-+ /* Prevent DoS. Currently we defined only 13 capabilities,
-+ * I expect 1024 to be valid for quite a lot time */
-+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
-+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
-+ reds_link_free(link);
-+ return;
-+ }
-+
- num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
- caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
-
---
-2.11.0
-
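Review bot: Deleting this file removes the only in-tree record of the CVE-2016-9578 fix (the "[Peter: fixes CVE-2016-9578]" line in the removed patch header), and the commit message accounts for it only with "Drop patches as they are now upstream". Suggest naming the upstream commit from the deleted header, f66dc643635518e53dfbe5262f814a64eec54e4a, in the commit message and stating that 0.14.1 contains it, so the 1024-entry cap on num_channel_caps and num_common_caps in reds_handle_read_link_done() can be confirmed against the new release. The diffstat on this page is limited to this one file, so the version bump itself cannot be checked from this view.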