buildroot/package/spice, branch 2017.08

spice: add upstream security fixes for CVE-2017-7506

2017-07-14T17:29:31+00:00

Fixes CVE-2017-7506 - Possible buffer overflow via invalid monitor configurations. For more details, see: https://marc.info/?l=oss-security&m=150001782924095 Signed-off-by: Peter Korsgaard Signed-off-by: Thomas Petazzoni

spice: add post-0.12.8 upstream security fixes

2017-06-22T21:25:38+00:00

Fixes the following security issues: CVE-2016-9577 Frediano Ziglio of Red Hat discovered a buffer overflow vulnerability in the main_channel_alloc_msg_rcv_buf function. An authenticated attacker can take advantage of this flaw to cause a denial of service (spice server crash), or possibly, execute arbitrary code. CVE-2016-9578 Frediano Ziglio of Red Hat discovered that spice does not properly validate incoming messages. An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. Signed-off-by: Peter Korsgaard Reviewed-by: "Yann E. MORIN" Signed-off-by: Peter Korsgaard

spice: security bump to version 0.12.8

2017-06-22T21:25:30+00:00

Fixes the following security issues: CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow. CVE-2016-2150: SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261. The pyparsing check has been dropped from configure, and the spice protocol definition is again included, so the workarounds can be removed. Signed-off-by: Peter Korsgaard Reviewed-by: "Yann E. MORIN" Signed-off-by: Peter Korsgaard

spice: security bump to version 0.12.6

2017-06-22T21:25:24+00:00

Fixes the following security issues: CVE-2015-3247: Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via unspecified vectors. CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL commands related to the surface_id parameter. CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to read and write to arbitrary memory locations on the host via guest QXL commands related to surface creation. Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so add Config.in.legacy handling for them. Lz4 is a new optional dependency, so handle it. The spice protocol definition is no longer included and instead used from spice-protocol. The build system uses pkg-config --variable=codegendir to find the build time path of this, which doesn't take our STAGING_DIR prefix into consideration, so it needs some help. The installed protocol definition will likewise be newer than the generated files, so we need to workaround that to ensure they are not regenerated (which needs host python / pyparsing). Signed-off-by: Peter Korsgaard Reviewed-by: "Yann E. MORIN" Signed-off-by: Peter Korsgaard

spice: bump to version 0.12.5

2017-06-22T21:25:18+00:00

Tunneling support is gone upstream, so drop the patch and add Config.in.legacy handling for the option. Celt051 is no longer a hard dependency, and opus is a new optional dependency, so adjust the dependencies to match. Python / pyparsing are not needed as the tarball contains the generated files (this should presumably have been host-python in the first place as these are used at build time), but we need a small workaround to convince configure that they really aren't needed. Alsa-lib is only needed for client support, and the configure script checks for X11/Xext/Xrender, so adjust the dependencies to match. A user manual is now generated by default if asciidoc is available, so explicitly disable that. Signed-off-by: Peter Korsgaard Reviewed-by: "Yann E. MORIN" Signed-off-by: Peter Korsgaard

package makefiles: clean up backslash spacing.

2017-04-22T13:57:23+00:00

The check-package script when ran gave warnings on only using one space before backslashes on all of these makefiles. This patch cleans up all warnings related to the one space before backslashes rule in the make files in the package directory. Signed-off-by: Adam Duskett Signed-off-by: Thomas Petazzoni

package: remove trailing backslash

2017-04-06T20:41:45+00:00

Occurrences were searched using [1]: check-package --include-only TrailingBackslash $(find * -type f) and manually removed. [1] http://patchwork.ozlabs.org/patch/729669/ Signed-off-by: Ricardo Martincoski Signed-off-by: Thomas Petazzoni

boot, package: use SPDX short identifier for LGPLv2.1/LGPLv2.1+

2017-04-01T13:18:10+00:00

We want to use SPDX identifier for license string as much as possible. SPDX short identifier for LGPLv2.1/LGPLv2.1+ is LGPL-2.1/LGPL-2.1+. This change is done using following command. find . -name "*.mk" | xargs sed -ri '/LICENSE( )?[\+:]?=/s/LGPLv2.1(\+)?/LGPL-2.1\1/g' Signed-off-by: Rahul Bedarkar Signed-off-by: Thomas Petazzoni

package/spice: depend on libglib2

2016-02-21T22:45:59+00:00

The package selects BR2_PACKAGE_LIBGLIB2 but did not depend on it. The buildsystem treats libglib2 as a hard-dependency: https://cgit.freedesktop.org/spice/spice/tree/configure.ac?h=0.12#n117 Signed-off-by: Bernd Kuhls Signed-off-by: Thomas Petazzoni

spice: arch-mask toolchain comment

2016-02-17T20:32:47+00:00

Otherwise it shows up for other architectures with minimal toolchains giving the impression that it's available/tested. Signed-off-by: Gustavo Zacarias Signed-off-by: Peter Korsgaard