debian/libspice-server-dev.install
usr/include/*
usr/lib/*/lib*.a
usr/lib/*/lib*.so
usr/lib/*/pkgconfig/*

debian/spice-client.manpages
debian/spicec.1

debian/spice-client.install
usr/bin/spicec

debian/rules
#!/usr/bin/make -f
%:
	dh $@ --with autoreconf

override_dh_auto_configure:
	dh_auto_configure -- --disable-celt051 --disable-silent-rules \
		--disable-smartcard --enable-client

override_dh_auto_clean:
	-$(RM) .version
	dh_auto_clean

debian/control
Source: spice
Section: misc
Priority: optional
Maintainer: Ubuntu Developers
XSBC-Original-Maintainer: Liang Guo
Uploaders: Michael Tokarev
Build-Depends: debhelper (>= 9),
 pkg-config,
 dh-autoreconf,
 python,
# libspice-protocol is actually not needed for build,
# 0.12 always uses included definitions
# libspice-protocol-dev (>= 0.10.1~),
 libpixman-1-dev (>= 0.17.7~),
 libxrandr-dev (>= 1.2~),
 libasound2-dev,
 libssl-dev,
 libxfixes-dev,
# these might be required for opengl support
# which has to be enabled explicitly and is not recommended
# libglu1-mesa-dev, libgl1-mesa-dev,
 libsasl2-dev,
 libjpeg-dev,
 libxinerama-dev,
 python-pyparsing,
 libglib2.0-dev (>= 2.22~),
Standards-Version: 3.9.4
Homepage: http://spice-space.org/
Vcs-Git: git://anonscm.debian.org/collab-maint/spice.git
Vcs-Browser: http://anonscm.debian.org/git/collab-maint/spice.git

Package: spice-client
Architecture: i386 amd64
Depends: ${shlibs:Depends}, ${misc:Depends}
Description: Implements the client side of the SPICE protocol
 The Simple Protocol for Independent Computing Environments (SPICE) is
 a remote display system built for virtual environments which allows
 you to view a computing 'desktop' environment not only on the machine
 where it is running, but from anywhere on the Internet and from a wide
 variety of machine architectures.
 .
 This package contains the SPICE client application.

Package: libspice-server1
Section: libs
Architecture: i386 amd64
Multi-Arch: same
Pre-Depends: ${misc:Pre-Depends}
Depends: ${shlibs:Depends}, ${misc:Depends}
Breaks: spice-client-gtk (<= 0.12-2),
 python-spice-client-gtk (<= 0.12-2),
 libspice-client-glib-2.0-1 (<= 0.12-2),
 libspice-client-gtk-2.0-1 (<= 0.12-2),
 libspice-client-gtk-3.0-1 (<= 0.12-2)
Description: Implements the server side of the SPICE protocol
 The Simple Protocol for Independent Computing Environments (SPICE) is
 a remote display system built for virtual environments which allows
 you to view a computing 'desktop' environment not only on the machine
 where it is running, but from anywhere on the Internet and from a wide
 variety of machine architectures.
 .
 This package contains the run-time libraries for any application that
 wishes to be a SPICE server.

Package: libspice-server-dev
Section: libdevel
Architecture: i386 amd64
Depends: libspice-server1 (= ${binary:Version}),
 ${misc:Depends},
 libglib2.0-dev (>= 2.22~),
 libpixman-1-dev (>= 0.17.7~),
 libssl-dev,
 libxinerama-dev,
 libspice-protocol-dev (>= 0.12.0~)
Suggests: pkg-config
Description: Header files and development documentation for spice-server
 The Simple Protocol for Independent Computing Environments (SPICE) is
 a remote display system built for virtual environments which allows
 you to view a computing 'desktop' environment not only on the machine
 where it is running, but from anywhere on the Internet and from a wide
 variety of machine architectures.
 .
 This package contains the header files, static libraries and development
 documentation for spice-server.
debian/watch0000644000000000000000000000013612176767010010226 0ustar version=3 http://www.spice-space.org/download/releases/spice-(\d+\.\d*[02468]\.\d+)\.tar\.bz2 debian/patches/0000755000000000000000000000000013422347645010627 5ustar debian/patches/CVE-2018-10873.patch0000644000000000000000000000246613336614724013344 0ustar Backported of: From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Fri, 18 May 2018 11:41:57 +0100 Subject: [PATCH] Fix flexible array buffer overflow This is kind of a DoS, possibly flexible array in the protocol causes the network size check to be ignored due to integer overflows. The size of flexible array is computed as (message_end - position), then this size is added to the number of bytes before the array and this number is used to check if we overflow initial message. Signed-off-by: Frediano Ziglio Signed-off-by: Christophe Fergeau Index: spice-0.12.4/spice-common/python_modules/demarshal.py =================================================================== --- spice-0.12.4.orig/spice-common/python_modules/demarshal.py +++ spice-0.12.4/spice-common/python_modules/demarshal.py @@ -311,6 +311,7 @@ def write_validate_array_item(writer, co writer.assign(nelements, array.size) elif array.is_remaining_length(): if element_type.is_fixed_nw_size(): + writer.error_check("%s > message_end" % item.get_position()) if element_type.get_fixed_nw_size() == 1: writer.assign(nelements, "message_end - %s" % item.get_position()) else: debian/patches/CVE-2016-0749/0000755000000000000000000000000012722505575012233 5ustar debian/patches/CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch0000644000000000000000000001525312722505575024751 0ustar From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
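Review bot: in the `@@ -311,6 +311,7 @@` hunk of CVE-2018-10873.patch the new `writer.error_check("%s > message_end" % item.get_position())` guard is emitted only on the `element_type.is_fixed_nw_size()` branch of the remaining-length case; the `else:` branch that follows in the context gets no equivalent check, so please confirm that the variable-size element path cannot reach the same `message_end - position` underflow, or hoist the check above `if element_type.is_fixed_nw_size():` so both branches are covered. Using `>` rather than `>=` is right here: a position equal to `message_end` yields an empty array, not a negative length.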
From: Marc-Andre Lureau Date: Thu, 17 Dec 2015 18:13:47 +0100 Subject: [PATCH] smartcard: add a ref to item before adding to pipe There is an unref when the message is sent. ==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffffffc630 sp 0x7fffffffc620 READ of size 4 at 0x6008000144a8 thread T0 #0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608 #1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178 #2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330 #3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 #4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 #5 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 #6 0x5555559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220 #7 0x555555b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76 #8 0x555555b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91 #9 0x555555b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242 #10 0x555555b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289 #11 0x55555593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41 #12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477 #13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629 #14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675 #15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add /home/elmarco/src/spice/spice/server/smartcard.c:341 #16 0x7fffee0ce4f3 in 
smartcard_add_reader /home/elmarco/src/spice/spice/server/smartcard.c:648 #17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763 #18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307 #19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325 #20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566 #21 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 #22 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 #23 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 #24 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 #25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 #26 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) 0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8) freed by thread T0 here: #0 0x7ffff4e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61 #1 0x7fffee0ce2a1 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:610 #2 0x7fffee0cdd58 in smartcard_channel_release_pipe_item /home/elmarco/src/spice/spice/server/smartcard.c:548 #3 0x7fffee000668 in red_channel_client_release_item /home/elmarco/src/spice/spice/server/red-channel.c:602 #4 0x7fffee0006ef in red_channel_client_release_sent_item /home/elmarco/src/spice/spice/server/red-channel.c:609 #5 0x7fffee0007b5 in red_channel_peer_on_out_msg_done /home/elmarco/src/spice/spice/server/red-channel.c:620 #6 0x7fffedffed7e in red_peer_handle_outgoing /home/elmarco/src/spice/spice/server/red-channel.c:385 #7 0x7fffee0057bb in red_channel_client_send 
/home/elmarco/src/spice/spice/server/red-channel.c:1294 #8 0x7fffee0076e6 in red_channel_client_begin_send_message /home/elmarco/src/spice/spice/server/red-channel.c:1605 #9 0x7fffee0cdccd in smartcard_channel_send_item /home/elmarco/src/spice/spice/server/smartcard.c:541 #10 0x7fffee000570 in red_channel_client_send_item /home/elmarco/src/spice/spice/server/red-channel.c:588 #11 0x7fffee005bfb in red_channel_client_push /home/elmarco/src/spice/spice/server/red-channel.c:1347 #12 0x7fffee007ef7 in red_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/red-channel.c:1673 #13 0x7fffee0cde4d in smartcard_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/smartcard.c:571 #14 0x7fffee0cb567 in smartcard_send_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:187 #15 0x7fffedfcdba2 in spice_char_device_send_msg_to_clients /home/elmarco/src/spice/spice/server/char-device.c:282 #16 0x7fffedfcdea4 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:329 #17 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901 #18 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990 #19 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189 Signed-off-by: Marc-Andre Lureau --- server/smartcard.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/server/smartcard.c b/server/smartcard.c index aad22aa..8d529fe 100644 --- a/server/smartcard.c +++ b/server/smartcard.c 
@@ -172,14 +172,17 @@ static void smartcard_unref_msg_to_client(SpiceCharDeviceMsgToClient *msg, smartcard_unref_vsc_msg_item((MsgItem *)msg); } -static void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *msg, +static void smartcard_send_msg_to_client(SpiceCharDeviceMsgToClient *message, RedClient *client, void *opaque) { SmartCardDeviceState *dev = opaque; - spice_assert(dev->scc && dev->scc->base.client == client); - smartcard_channel_client_pipe_add_push(&dev->scc->base, &((MsgItem *)msg)->base); + MsgItem *msg = (MsgItem *)message; + PipeItem *item = &msg->base; + spice_assert(dev->scc && dev->scc->base.client == client); + smartcard_ref_vsc_msg_item(msg); + smartcard_channel_client_pipe_add_push(&dev->scc->base, item); } static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque) debian/patches/CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch0000644000000000000000000001045112722505575024460 0ustar From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 
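Review bot: the reference-counting contract in the `@@ -172,14 +172,17 @@` hunk of smartcard.c should be stated in a comment at the new `smartcard_ref_vsc_msg_item(msg)` call: the extra reference is taken because the pipe drops one in `smartcard_channel_release_pipe_item` once the item has been sent (the free in the ASan trace above), while the caller keeps its own reference and releases it through `smartcard_unref_msg_to_client`, visible at the top of the hunk. Without that note a later reader may mistake the ref for a leak and remove it, reintroducing the use-after-free. The relocated `spice_assert(dev->scc && dev->scc->base.client == client)` still runs before the ref is taken, so no reference is leaked on the assert path, which is the correct order.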
From: Marc-Andre Lureau Date: Thu, 17 Dec 2015 18:16:22 +0100 Subject: [PATCH] smartcard: allocate msg with the expected size ==529== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009c098 at pc 0x7fffee0eda6d bp 0x7fffffffcd00 sp 0x7fffffffccf0 WRITE of size 4 at 0x60040009c098 thread T0 #0 0x7fffee0eda6c in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 #1 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 #2 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 #3 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 #4 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 #5 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 #6 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 #7 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504 #8 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818 #9 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394 #10 0x7fffed80eb14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274 #11 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20) 0x60040009c098 is located 0 bytes to the right of 8-byte region [0x60040009c090,0x60040009c098) allocated by thread T0 here: #0 0x7ffff4e612be in __interceptor_realloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:92 #1 0x7fffee121308 in spice_realloc /home/elmarco/pkg/spice/spice-0.12.4/spice-common/common/mem.c:123 #2 0x7fffee004a48 in __spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:516 #3 0x7fffee004e87 
in spice_char_device_write_buffer_get /home/elmarco/pkg/spice/spice-0.12.4/server/char_device.c:557 #4 0x7fffee0ed8b9 in smartcard_char_device_notify_reader_add /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:325 #5 0x7fffee0ef783 in smartcard_add_reader /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:642 #6 0x7fffee0f0568 in smartcard_channel_handle_message /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:757 #7 0x7fffee032f3f in red_peer_handle_incoming /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:304 #8 0x7fffee033216 in red_channel_client_receive /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:322 #9 0x7fffee03bf1f in red_channel_client_event /home/elmarco/pkg/spice/spice-0.12.4/server/red_channel.c:1561 #10 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/elmarco/pkg/spice/spice-0.12.4/server/smartcard.c:334 smartcard_char_device_notify_reader_add Signed-off-by: Marc-Andre Lureau --- server/smartcard.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/smartcard.c b/server/smartcard.c index 8d529fe..3043ad1 100644 --- a/server/smartcard.c +++ b/server/smartcard.c @@ -325,7 +325,7 @@ static void smartcard_char_device_notify_reader_add(SmartCardDeviceState *st) SpiceCharDeviceWriteBuffer *write_buf; VSCMsgHeader *vheader; - write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); + write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); if (!write_buf) { spice_error("failed to allocate write buffer"); return; 
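Review bot: in the `@@ -325,7 +325,7 @@` hunk, `sizeof(vheader)` on the removed line is the size of a pointer (8 bytes, matching the 8-byte region in the ASan report above), not of `VSCMsgHeader`, so `sizeof(*vheader)` is the correct fix; the same pattern is corrected identically in the `smartcard_char_device_notify_reader_remove` hunk of this patch. To keep it from recurring, consider passing `sizeof(VSCMsgHeader)` explicitly, since a type name cannot be misread the way a pointer variable can.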
@@ -372,7 +372,7 @@ static void smartcard_char_device_notify_reader_remove(SmartCardDeviceState *st) spice_debug("reader add was never sent to the device"); return; } - write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(vheader)); + write_buf = spice_char_device_write_buffer_get(st->chardev_st, NULL, sizeof(*vheader)); if (!write_buf) { spice_error("failed to allocate write buffer"); return; debian/patches/CVE-2017-7506-3.patch0000644000000000000000000000360513133443660013410 0ustar Backport of: From a957a90baf2c62d31f3547e56bba7d0e812d2331 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Mon, 15 May 2017 15:57:28 +0100 Subject: reds: Avoid buffer overflows handling monitor configuration It was also possible for a malicious client to set VDAgentMonitorsConfig::num_of_monitors to a number larger than the actual size of VDAgentMOnitorsConfig::monitors. This would lead to buffer overflows, which could allow the guest to read part of the host memory. This might cause write overflows in the host as well, but controlling the content of such buffers seems complicated. Signed-off-by: Frediano Ziglio Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c 2017-07-18 13:38:08.182914383 -0400 +++ spice-0.12.4/server/reds.c 2017-07-18 13:38:37.982915772 -0400 @@ -1093,6 +1093,7 @@ static void reds_on_main_agent_monitors_ VDAgentMessage *msg_header; VDAgentMonitorsConfig *monitors_config; RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + uint32_t max_monitors; // limit size of message sent by the client as this can cause a DoS through // memory exhaustion, or potentially some integer overflows 
@@ -1121,6 +1122,12 @@ static void reds_on_main_agent_monitors_ goto overflow; } monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); + // limit the monitor number to avoid buffer overflows + max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / + sizeof(VDAgentMonConfig); + if (monitors_config->num_of_monitors > max_monitors) { + goto overflow; + } spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors); red_dispatcher_client_monitors_config(monitors_config); reds_client_monitors_config_cleanup(); debian/patches/CVE-2016-9578-2.patch0000644000000000000000000000315613051123346013415 0ustar Backport of: From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 13 Dec 2016 14:40:10 +0000 Subject: Prevent integer overflows in capability checks The limits for capabilities are specified using 32 bit unsigned integers. This could cause possible integer overflows causing buffer overflows. For instance the sum of num_common_caps and num_caps can be 0 avoiding additional checks. As the link message is now capped to 4096 and the capabilities are contained in the link message limit the capabilities to 1024 (capabilities are expressed in number of uint32_t items). Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c 2017-02-15 14:03:14.870684685 -0500 +++ spice-0.12.4/server/reds.c 2017-02-15 14:06:53.697637109 -0500 
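Review bot: in the `@@ -1121,6 +1122,12 @@` hunk of CVE-2017-7506-3.patch, `max_monitors = (msg_header->size - sizeof(VDAgentMonitorsConfig)) / sizeof(VDAgentMonConfig)` underflows to a huge value if `msg_header->size` is smaller than `sizeof(VDAgentMonitorsConfig)`, which would let the `num_of_monitors > max_monitors` test pass for any count. The `goto overflow` immediately above suggests an earlier size check establishes that bound, but it lies outside the hunk; either state that invariant in the new comment or guard the subtraction locally (`if (msg_header->size < sizeof(VDAgentMonitorsConfig)) goto overflow;`) so the check does not depend on ordering elsewhere in the function.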
@@ -2698,6 +2698,14 @@ uint32_t *caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); int auth_selection; + /* Prevent DoS. Currently we defined only 13 capabilities, + * I expect 1024 to be valid for quite a lot time */ + if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { + reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); + reds_link_free(link); + return; + } + if (num_caps && (num_caps * sizeof(uint32_t) + link_mess->caps_offset > link->link_header.size || link_mess->caps_offset < sizeof(*link_mess))) { debian/patches/series0000644000000000000000000000400613422347642012041 0ustar fix-tests-warnings.patch make-celt-to-be-optional.patch link-server-test-with-libm-libpthread.patch enable_subdir-objects.patch fix-buffer-overflow-when-decrypting-client-spice-ticket.patch CVE-2015-3247.patch CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch CVE-2015-526x/0047-Fix-race-in-red_get_image.patch CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch 
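Review bot: in the `@@ -2698,6 +2698,14 @@` hunk of CVE-2016-9578-2.patch the limit `1024` in `link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024` is a bare literal written twice; define it once (next to the 4096-byte link-message cap the commit message refers to) so the two limits stay consistent if either changes, and add a short comment tying the bound to the link message (1024 * sizeof(uint32_t) == 4096) so the choice of constant is self-explanatory. Rejecting here, before `num_caps * sizeof(uint32_t)` is evaluated in the condition that follows, is the right place to stop the overflow the commit message describes.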
CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch CVE-2016-0749/0001-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch CVE-2016-0749/0002-smartcard-allocate-msg-with-the-expected-size.patch CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch CVE-2016-9577.patch CVE-2016-9578-1.patch CVE-2016-9578-2.patch CVE-2017-7506-1.patch CVE-2017-7506-2.patch CVE-2017-7506-3.patch CVE-2017-12194-1.patch CVE-2017-12194-2.patch CVE-2018-10873.patch CVE-2019-3813.patch debian/patches/CVE-2016-2150/0000755000000000000000000000000012726552617012222 5ustar debian/patches/CVE-2016-2150/0002-improve-primary-surface-parameter-checks.patch0000644000000000000000000000262712726552617023635 0ustar From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Mon, 29 Feb 2016 14:34:49 +0000 Subject: [PATCH] improve primary surface parameter checks Primary surface, as additional surfaces, can be used to access host memory from the guest using invalid parameters. Signed-off-by: Frediano Ziglio --- server/red_worker.c | 9 +++++++++ 1 file changed, 9 insertions(+) Index: spice-0.12.4/server/red_worker.c =================================================================== --- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:58:22.081707787 -0400 +++ spice-0.12.4/server/red_worker.c 2016-06-10 10:58:22.077707741 -0400 
@@ -11426,6 +11426,15 @@ spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) != abs(surface.stride) * surface.height); + /* surface can arrive from guest unchecked so make sure + * guest is not a malicious one and drop invalid requests + */ + if (!red_validate_surface(surface.width, surface.height, + surface.stride, surface.format)) { + spice_warning("wrong primary surface creation request"); + return; + } + line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem, surface.height * abs(surface.stride), surface.group_id, &error); debian/patches/CVE-2016-2150/0001-create-a-function-to-validate-surface-parameters.patch0000644000000000000000000001046612726552614025127 0ustar From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Mon, 29 Feb 2016 14:24:03 +0000 Subject: [PATCH] create a function to validate surface parameters Make possible to reuse it outside red-parse-qxl.c Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 50 ++++++++++++++++++++++++++++++++------------------ server/red_parse_qxl.h | 5 +++++ 2 files changed, 37 insertions(+), 18 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2016-06-10 10:58:19.481677377 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2016-06-10 10:58:19.477677331 -0400 @@ -19,7 +19,6 @@ #include #endif -#include #include #include #include "common/lz_common.h" 
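Review bot: in the `@@ -11426,6 +11426,15 @@` hunk of 0002-improve-primary-surface-parameter-checks.patch the new `red_validate_surface(...)` check is placed after the existing `spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) != abs(surface.stride) * surface.height)`; since validation now rejects any surface whose `height * abs(stride)` product is out of range, it should run first so the warning is not logged for requests that are then dropped, and the `spice_warn_if` can be reconsidered once validation guarantees the product fits. Returning with only `spice_warning("wrong primary surface creation request")` is reasonable for a guest-originated request, but including the offending width, height, stride and format in the message would make a misbehaving guest much easier to diagnose from the host log.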
@@ -1306,13 +1305,41 @@ return 0; } +bool red_validate_surface(uint32_t width, uint32_t height, + int32_t stride, uint32_t format) +{ + unsigned int bpp; + uint64_t size; + + bpp = surface_format_to_bpp(format); + + /* check if format is valid */ + if (!bpp) { + return false; + } + + /* check stride is larger than required bytes */ + size = ((uint64_t) width * bpp + 7u) / 8u; + /* the uint32_t conversion is here to avoid problems with -2^31 value */ + if (stride == G_MININT32 || size > (uint32_t) abs(stride)) { + return false; + } + + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ + size = (uint64_t) height * abs(stride); + if (size > MAX_DATA_CHUNK) { + return false; + } + + return true; +} + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, RedSurfaceCmd *red, QXLPHYSICAL addr) { QXLSurfaceCmd *qxl; uint64_t size; int error; - unsigned int bpp; qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); 
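Review bot: `red_validate_surface` in the `@@ -1306,13 +1305,41 @@` hunk is about to be exported through red_parse_qxl.h, so it needs a doc comment stating what "valid" means (format known, `stride` covers one row of `width * bpp` bits, `height * abs(stride)` at most `MAX_DATA_CHUNK`, and `G_MININT32` rejected because `abs()` of it is undefined). Note also that a zero `width` or zero `height` passes all three checks (both sizes compute to 0), so any caller that cannot handle an empty surface still needs its own check; say so in the comment rather than leaving it implicit.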
@@ -1331,26 +1358,13 @@ red->u.surface_create.width = qxl->u.surface_create.width; red->u.surface_create.height = qxl->u.surface_create.height; red->u.surface_create.stride = qxl->u.surface_create.stride; - bpp = surface_format_to_bpp(red->u.surface_create.format); - /* check if format is valid */ - if (!bpp) { + if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height, + red->u.surface_create.stride, red->u.surface_create.format)) { return 1; } - /* check stride is larger than required bytes */ - size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; - /* the uint32_t conversion is here to avoid problems with -2^31 value */ - if (red->u.surface_create.stride == G_MININT32 - || size > (uint32_t) abs(red->u.surface_create.stride)) { - return 1; - } - - /* the multiplication can overflow, also abs(-2^31) may return a negative value */ - size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); - if (size > MAX_DATA_CHUNK) { - return 1; - } + size = red->u.surface_create.height * abs(red->u.surface_create.stride); red->u.surface_create.data = (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); if (error) { Index: spice-0.12.4/server/red_parse_qxl.h =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.h 2016-06-10 10:58:19.481677377 -0400 +++ spice-0.12.4/server/red_parse_qxl.h 2016-06-10 10:58:19.477677331 -0400 @@ -19,6 +19,8 @@ #ifndef RED_ABI_TRANSLATE_H #define RED_ABI_TRANSLATE_H +#include + #include #include "red_common.h" #include "red_memslots.h" 
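Review bot: in the `@@ -1331,26 +1358,13 @@` hunk the replacement line `size = red->u.surface_create.height * abs(red->u.surface_create.stride);` drops the `(uint64_t)` cast the removed code had, so the multiplication is now performed in 32 bits before being widened into the 64-bit `size`. It is free of overflow only because `red_validate_surface` has just bounded `height * abs(stride)` by `MAX_DATA_CHUNK`, which is a non-local invariant; the cast costs nothing and makes the line safe on its own, so I would restore `(uint64_t)` there. The removed block and the new function are otherwise term-for-term identical, so the refactor preserves behaviour.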
@@ -128,6 +130,9 @@ RedMessage *red, QXLPHYSICAL addr); void red_put_message(RedMessage *red); +bool red_validate_surface(uint32_t width, uint32_t height, + int32_t stride, uint32_t format); + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, RedSurfaceCmd *red, QXLPHYSICAL addr); void red_put_surface_cmd(RedSurfaceCmd *red); debian/patches/CVE-2017-12194-1.patch0000644000000000000000000002241013301037254013453 0ustar Backported of: From a69fb1ec3425baf0a6dadced29669f4b708da923 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Fri, 19 Jun 2015 14:44:37 +0100 Subject: [PATCH] Fix integer overflows computing sizes Make code safe using both 32 and 64 bit machine. Consider that this code can be compiled for machines with 32 bit. There are some arrays length which are 32 bit. If size_t this can cause easily an overflow. For instance message_len sending SPICE_MSG_NOTIFY messages are 32 bit and code add a small constant (currently 24) before doing the test for size. Now passing (uint32_t) -20 as message_len would lead to a size of 4 after the addition. This overflow does not happen on 64 bit machine as the length is converted to size_t. There are also some array length where some item are bigger than 1 byte. For instance SPICE_MAIN_CHANNELS_LIST message have a number of channels and each channel is composed by 2 bytes. Now the code generated try to do length * 2 where length is still a 32 bit so if we put a value like 0x80000002u we get 4 as length. This will cause an overflow as code will allocate very few bytes but try to fill with a huge number of elements. This overflow happen in both 32 and 64 bit machine. To avoid all these possible overflows this patch use only 64 bit for nelements (number of elements), nw_size (network size) and mem_size (memory size needed) checking the sizes to avoid other overflows (like pointers conversions under 32 bit machines). Signed-off-by: Frediano Ziglio Acked-by: Christophe de Dinechin 
diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py index cf48d74..233f02d 100644 --- a/spice-common/python_modules/demarshal.py +++ b/spice-common/python_modules/demarshal.py @@ -84,7 +84,7 @@ def write_parser_helpers(writer): writer.variable_def("uint64_t", "offset") writer.variable_def("parse_func_t", "parse") writer.variable_def("void **", "dest") - writer.variable_def("uint32_t", "nelements") + writer.variable_def("uint64_t", "nelements") writer.end_block(semicolon=True) def write_read_primitive(writer, start, container, name, scope): @@ -166,7 +166,7 @@ def write_validate_switch_member(writer, container, switch_member, scope, parent all_as_extra_size = m.is_extra_size() and want_extra_size if not want_mem_size and all_as_extra_size and not scope.variable_defined(item.mem_size()): - scope.variable_def("uint32_t", item.mem_size()) + scope.variable_def("uint64_t", item.mem_size()) sub_want_mem_size = want_mem_size or all_as_extra_size sub_want_extra_size = want_extra_size and not all_as_extra_size @@ -199,7 +199,7 @@ def write_validate_struct_function(writer, struct): scope = writer.function(validate_function, "static intptr_t", "uint8_t *message_start, uint8_t *message_end, uint64_t offset, int minor") scope.variable_def("uint8_t *", "start = message_start + offset") scope.variable_def("SPICE_GNUC_UNUSED uint8_t *", "pos") - scope.variable_def("size_t", "mem_size", "nw_size") + scope.variable_def("uint64_t", "mem_size", "nw_size") num_pointers = struct.get_num_pointers() if num_pointers != 0: scope.variable_def("SPICE_GNUC_UNUSED intptr_t", "ptr_size") @@ -216,7 +216,7 @@ def write_validate_struct_function(writer, struct): writer.newline() writer.comment("Check if struct fits in reported side").newline() - writer.error_check("start + nw_size > message_end") + writer.error_check("nw_size > (uintptr_t) (message_end - start)") writer.statement("return mem_size") 
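Review bot: the rewritten bound in the `@@ -216,7 +216,7 @@` hunk, `nw_size > (uintptr_t) (message_end - start)`, is sound only if `start <= message_end` holds on entry: `start` is `message_start + offset` (see the `@@ -199,7 +199,7 @@` hunk), and if `offset` ever exceeds the message length the pointer difference is negative and the cast to `uintptr_t` wraps to a huge value, so the check would pass. The old form `start + nw_size > message_end` had the mirror-image problem (pointer arithmetic past the buffer), so the new form is the better one, but it should be paired with a check, or a comment naming the place, where `offset <= message_end - message_start` is guaranteed before the validator is called.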
@@ -244,26 +244,26 @@ def write_validate_pointer_item(writer, container, item, scope, parent_scope, st # if array, need no function check if target_type.is_array(): - writer.error_check("message_start + %s >= message_end" % v) + writer.error_check("%s >= (uintptr_t) (message_end - message_start)" % v) assert target_type.element_type.is_primitive() array_item = ItemInfo(target_type, "%s__array" % item.prefix, start) - scope.variable_def("uint32_t", array_item.nw_size()) + scope.variable_def("uint64_t", array_item.nw_size()) # don't create a variable that isn't used, fixes -Werror=unused-but-set-variable need_mem_size = want_mem_size or ( want_extra_size and not item.member.has_attr("chunk") and not target_type.is_cstring_length()) if need_mem_size: - scope.variable_def("uint32_t", array_item.mem_size()) + scope.variable_def("uint64_t", array_item.mem_size()) if target_type.is_cstring_length(): writer.assign(array_item.nw_size(), "spice_strnlen((char *)message_start + %s, message_end - (message_start + %s))" % (v, v)) writer.error_check("*(message_start + %s + %s) != 0" % (v, array_item.nw_size())) else: write_validate_array_item(writer, container, array_item, scope, parent_scope, start, True, want_mem_size=need_mem_size, want_extra_size=False) - writer.error_check("message_start + %s + %s > message_end" % (v, array_item.nw_size())) + writer.error_check("%s + %s > (uintptr_t) (message_end - message_start)" % (v, array_item.nw_size())) if want_extra_size: if item.member and item.member.has_attr("chunk"): 
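Review bot: in the `@@ -244,26 +244,26 @@` hunk the first check uses `>=` (`%s >= (uintptr_t) (message_end - message_start)`) while the last uses `>` (`%s + %s > (uintptr_t) (message_end - message_start)`); the asymmetry looks intentional (at least one byte must remain at the pointer target before the element or terminator is read) but is undocumented, so add a comment explaining it. Also worth confirming in the unchanged cstring context: if `spice_strnlen` finds no terminator it returns the full remaining length, and `*(message_start + %s + %s) != 0` then dereferences exactly `message_end`, one byte past the validated range, before the `error_check` fires.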
@@ -301,11 +301,11 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star nelements = "%s__nbytes" %(item.prefix) real_nelements = "%s__nelements" %(item.prefix) if not parent_scope.variable_defined(real_nelements): - parent_scope.variable_def("uint32_t", real_nelements) + parent_scope.variable_def("uint64_t", real_nelements) else: nelements = "%s__nelements" %(item.prefix) if not parent_scope.variable_defined(nelements): - parent_scope.variable_def("uint32_t", nelements) + parent_scope.variable_def("uint64_t", nelements) if array.is_constant_length(): writer.assign(nelements, array.size) @@ -400,10 +400,10 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star element_nw_size = element_item.nw_size() element_mem_size = element_item.mem_size() element_extra_size = element_item.extra_size() - scope.variable_def("uint32_t", element_nw_size) - scope.variable_def("uint32_t", element_mem_size) + scope.variable_def("uint64_t", element_nw_size) + scope.variable_def("uint64_t", element_mem_size) if want_extra_size: - scope.variable_def("uint32_t", element_extra_size) + scope.variable_def("uint64_t", element_extra_size) if want_nw_size: writer.assign(nw_size, 0) @@ -531,7 +531,7 @@ def write_validate_container(writer, prefix, container, start, parent_scope, wan sub_want_mem_size = m.is_extra_size() and want_mem_size sub_want_extra_size = not m.is_extra_size() and m.contains_extra_size() - defs = ["size_t"] + defs = ["uint64_t"] if sub_want_nw_size: defs.append (m.name + "__nw_size") if sub_want_mem_size: 
@@ -667,7 +667,7 @@ def read_array_len(writer, prefix, array, dest, scope, is_ptr): if dest.is_toplevel() and scope.variable_defined(nelements): return nelements # Already there for toplevel, need not recalculate element_type = array.element_type - scope.variable_def("uint32_t", nelements) + scope.variable_def("uint64_t", nelements) if array.is_constant_length(): writer.assign(nelements, array.size) elif array.is_identifier_length(): @@ -1023,9 +1023,9 @@ def write_msg_parser(writer, message): parent_scope.variable_def("SPICE_GNUC_UNUSED uint8_t *", "pos") parent_scope.variable_def("uint8_t *", "start = message_start") parent_scope.variable_def("uint8_t *", "data = NULL") - parent_scope.variable_def("size_t", "nw_size") + parent_scope.variable_def("uint64_t", "nw_size") if want_mem_size: - parent_scope.variable_def("size_t", "mem_size") + parent_scope.variable_def("uint64_t", "mem_size") if not message.has_attr("nocopy"): parent_scope.variable_def("uint8_t *", "in", "end") num_pointers = message.get_num_pointers() @@ -1043,7 +1043,7 @@ def write_msg_parser(writer, message): writer.newline() writer.comment("Check if message fits in reported side").newline() - with writer.block("if (start + nw_size > message_end)"): + with writer.block("if (nw_size > (uintptr_t) (message_end - start))"): writer.statement("return NULL") writer.newline().comment("Validated extents and calculated size").newline() @@ -1054,7 +1054,7 @@ def write_msg_parser(writer, message): writer.assign("*size", "message_end - message_start") writer.assign("*free_message", "nofree") else: - writer.assign("data", "(uint8_t *)malloc(mem_size)") + writer.assign("data", "(uint8_t *)(mem_size > UINT32_MAX ? NULL : malloc(mem_size))") writer.error_check("data == NULL") writer.assign("end", "data + %s" % (msg_sizeof)) writer.assign("in", "start").newline() debian/patches/CVE-2017-12194-2.patch0000644000000000000000000000705113301037277013465 0ustar Backported of: 
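Review bot: the rewritten bound `nw_size > (uintptr_t) (message_end - start)` in the @@ -216 and @@ -1043 hunks is only sound while `start` lies inside the message. `start = message_start + offset` is declared in the @@ -199 hunk, and if `offset` were ever larger than the message, `message_end - start` would be negative and the cast would turn it into a huge unsigned value that passes the check. Confirm that every caller validates `offset` against `message_end - message_start` before the generated validate function runs, or add that check at the top of the function.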
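Review bot: the cstring branch in the @@ -244 hunk is untouched, but its terminator check `*(message_start + %s + %s) != 0` can read one byte past `message_end`: `spice_strnlen(..., message_end - (message_start + v))` returns the full remaining length when no NUL is found, so the dereferenced address then equals `message_end`. Add an `error_check` that the computed `nw_size` is strictly less than the remaining length before the dereference, in the same `(uintptr_t) (message_end - message_start)` style this patch uses elsewhere.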
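Review bot: the `mem_size > UINT32_MAX ? NULL : malloc(mem_size)` guard in the @@ -1054 hunk folds an oversized message into the same `data == NULL` error path as a genuine allocation failure, so the two cannot be told apart when debugging; a separate `error_check("mem_size > UINT32_MAX")` with its own message would be clearer. `UINT32_MAX` also requires `<stdint.h>` in the generated C file, which this hunk does not show; confirm the generated header includes it.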
From 617be0f74b88ce53d84d417c00696b8c1630b6ec Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Fri, 19 Jun 2015 19:08:55 +0100 Subject: [PATCH] Avoid integer overflow computing image sizes Use always 64, sizes can be 32x32. Signed-off-by: Frediano Ziglio Acked-by: Jonathon Jongsma diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py index 233f02d..4a16122 100644 --- a/spice-common/python_modules/demarshal.py +++ b/spice-common/python_modules/demarshal.py @@ -326,13 +326,12 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star rows = array.size[3] width_v = write_read_primitive(writer, start, container, width, scope) rows_v = write_read_primitive(writer, start, container, rows, scope) - # TODO: Handle multiplication overflow if bpp == 8: - writer.assign(nelements, "%s * %s" % (width_v, rows_v)) + writer.assign(nelements, "(uint64_t) %s * %s" % (width_v, rows_v)) elif bpp == 1: - writer.assign(nelements, "((%s + 7) / 8 ) * %s" % (width_v, rows_v)) + writer.assign(nelements, "(((uint64_t) %s + 7U) / 8U ) * %s" % (width_v, rows_v)) else: - writer.assign(nelements, "((%s * %s + 7) / 8 ) * %s" % (bpp, width_v, rows_v)) + writer.assign(nelements, "((%sU * (uint64_t) %s + 7U) / 8U ) * %s" % (bpp, width_v, rows_v)) elif array.is_bytes_length(): is_byte_size = True v = write_read_primitive(writer, start, container, array.size[1], scope) 
@@ -683,13 +682,12 @@ def read_array_len(writer, prefix, array, dest, scope, is_ptr): rows = array.size[3] width_v = dest.get_ref(width) rows_v = dest.get_ref(rows) - # TODO: Handle multiplication overflow if bpp == 8: - writer.assign(nelements, "%s * %s" % (width_v, rows_v)) + writer.assign(nelements, "((uint64_t) %s * %s)" % (width_v, rows_v)) elif bpp == 1: - writer.assign(nelements, "((%s + 7) / 8 ) * %s" % (width_v, rows_v)) + writer.assign(nelements, "(((uint64_t) %s + 7U) / 8U ) * %s" % (width_v, rows_v)) else: - writer.assign(nelements, "((%s * %s + 7) / 8 ) * %s" % (bpp, width_v, rows_v)) + writer.assign(nelements, "((%sU * (uint64_t) %s + 7U) / 8U ) * %s" % (bpp, width_v, rows_v)) elif array.is_bytes_length(): writer.assign(nelements, dest.get_ref(array.size[2])) else: diff --git a/spice-common/python_modules/marshal.py b/spice-common/python_modules/marshal.py index 4020799..58844e4 100644 --- a/spice-common/python_modules/marshal.py +++ b/spice-common/python_modules/marshal.py @@ -160,13 +160,12 @@ def get_array_size(array, container_src): rows = array.size[3] width_v = container_src.get_ref(width) rows_v = container_src.get_ref(rows) - # TODO: Handle multiplication overflow if bpp == 8: - return "(%s * %s)" % (width_v, rows_v) + return "((uint64_t) %s * %s)" % (width_v, rows_v) elif bpp == 1: - return "(((%s + 7) / 8 ) * %s)" % (width_v, rows_v) + return "((((uint64_t) %s + 7U) / 8U ) * %s)" % (width_v, rows_v) else: - return "(((%s * %s + 7) / 8 ) * %s)" % (bpp, width_v, rows_v) + return "((((uint64_t) %s * %s + 7U) / 8U ) * %s)" % (bpp, width_v, rows_v) elif array.is_bytes_length(): return container_src.get_ref(array.size[2]) else: debian/patches/fix-buffer-overflow-when-decrypting-client-spice-ticket.patch0000644000000000000000000000706712236723474024523 0ustar From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001 
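Review bot: the three rewrites of the bpp != 8 formula are not identical: demarshal.py emits `((%sU * (uint64_t) %s + 7U) / 8U ) * %s` (suffix on bpp, cast on width) while marshal.py emits `((((uint64_t) %s * %s + 7U) / 8U ) * %s)` (cast on bpp). Both promote the product to 64 bits, but the marshaller and demarshaller should compute exactly the same expression so that the sizes they derive agree byte for byte; pick one form and use it in all three places.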
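Review bot: dropping the `TODO: Handle multiplication overflow` comment is justified only for the bpp == 8 branch, where the product of two 32-bit values is guaranteed to fit in 64 bits. If width and rows are 32-bit values, as the commit message's "32x32" implies, then for bpp > 8 the row stride `(bpp * width + 7) / 8` can itself exceed 32 bits at large widths, and stride * rows can then exceed 2^64 and wrap. Either keep a range check on width and rows upstream or verify the result did not wrap (for example `nelements / rows == stride`) before the value is used as a size.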
From: Christophe Fergeau Date: Fri, 23 Aug 2013 09:29:44 +0000 Subject: Fix buffer overflow when decrypting client SPICE ticket reds_handle_ticket uses a fixed size 'password' buffer for the decrypted password whose size is SPICE_MAX_PASSWORD_LENGTH. However, RSA_private_decrypt which we call for the decryption expects the destination buffer to be at least RSA_size(link->tiTicketing.rsa) bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH is 60 while RSA_size() is 128, so we end up overflowing 'password' when using long passwords (this was reproduced using the string: 'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]' as a password). When the overflow occurs, QEMU dies with: --- a/server/reds.c +++ b/server/reds.c 
@@ -1931,39 +1931,59 @@ static void reds_handle_ticket(void *opaque) { RedLinkInfo *link = (RedLinkInfo *)opaque; - char password[SPICE_MAX_PASSWORD_LENGTH]; + char *password; time_t ltime; + int password_size; //todo: use monotonic time time(<ime); - RSA_private_decrypt(link->tiTicketing.rsa_size, - link->tiTicketing.encrypted_ticket.encrypted_data, - (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); + if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) { + spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), " + "SPICE ticket sent from client may be truncated", + RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH); + } + + password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1); + password_size = RSA_private_decrypt(link->tiTicketing.rsa_size, + link->tiTicketing.encrypted_ticket.encrypted_data, + (unsigned char *)password, + link->tiTicketing.rsa, + RSA_PKCS1_OAEP_PADDING); + if (password_size == -1) { + spice_warning("failed to decrypt RSA encrypted password: %s", + ERR_error_string(ERR_get_error(), NULL)); + goto error; + } + password[password_size] = '\0'; if (ticketing_enabled && !link->skip_auth) { int expired = taTicket.expiration_time < ltime; if (strlen(taTicket.password) == 0) { - reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); spice_warning("Ticketing is enabled, but no password is set. 
" - "please set a ticket first"); - reds_link_free(link); - return; + "please set a ticket first"); + goto error; } - if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) { + if (expired || strcmp(password, taTicket.password) != 0) { if (expired) { spice_warning("Ticket has expired"); } else { spice_warning("Invalid password"); } - reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); - reds_link_free(link); - return; + goto error; } } reds_handle_link(link); + goto end; + +error: + reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); + reds_link_free(link); + +end: + g_free(password); } static inline void async_read_clear_handlers(AsyncRead *obj) debian/patches/link-server-test-with-libm-libpthread.patch0000644000000000000000000000052312521712247021065 0ustar Compile server/test/* with -lm -lpthread option, or compile will fail --- a/server/tests/Makefile.am +++ b/server/tests/Makefile.am @@ -17,6 +17,7 @@ LDADD = \ $(top_builddir)/spice-common/common/libspice-common.la \ $(top_builddir)/server/libspice-server.la \ + $(SPICE_NONPKGCONFIG_LIBS) \ $(NULL) COMMON_BASE = \ debian/patches/fix-tests-warnings.patch0000644000000000000000000000322012176767010015416 0ustar Date: Mon, 11 Feb 2013 08:49:58 -0600 From: Serge Hallyn Subject: [PATCH (v2)] Small cleanups to address compiler warnings Message-ID: <20130211144958.GA6481@sergelap> Forwarded: yes Changelog: Feb 11: Address feedback by Marc-André: Signed-off-by: Serge Hallyn --- server/tests/basic_event_loop.c | 4 ++-- server/tests/test_display_base.c | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) --- a/server/tests/basic_event_loop.c +++ b/server/tests/basic_event_loop.c @@ -115,7 +115,7 @@ static void channel_event(int event, SpiceChannelEventInfo *info) { - DPRINTF(0, "channel event con, type, id, event: %ld, %d, %d, %d", + DPRINTF(0, "channel event con, type, id, event: %d, %d, %d, %d", info->connection_id, info->type, info->id, event); } 
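Review bot: in the reds_handle_ticket hunk, `strcmp(password, taTicket.password)` replaces the bounded `strncmp`; now that `password` is NUL-terminated at `password_size` this is correct, but it still compares the secret byte by byte and returns on the first mismatch. A constant-time comparison is preferable for a ticket check; if the plain `strcmp` is intentional, say so in a comment. Also `ERR_error_string(ERR_get_error(), NULL)` needs `<openssl/err.h>` and the `g_malloc0`/`g_free` pair needs glib; neither include appears in the hunk, so confirm reds.c already has them.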
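Review bot: in the link-server-test-with-libm-libpthread patch, `$(SPICE_NONPKGCONFIG_LIBS)` is added to LDADD but nothing in the patch defines that variable; the description says the tests need -lm -lpthread, so confirm configure.ac substitutes SPICE_NONPKGCONFIG_LIBS with those flags, otherwise the link fails with the same undefined symbols as before.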
@@ -215,7 +215,7 @@ if ((next_timer = get_next_timer()) != NULL) { calc_next_timeout(next_timer, &next_timer_timeout); timeout = &next_timer_timeout; - DPRINTF(2, "timeout of %zd.%06zd", + DPRINTF(2, "timeout of %ld.%06ld", timeout->tv_sec, timeout->tv_usec); } else { timeout = NULL; --- a/server/tests/test_display_base.c +++ b/server/tests/test_display_base.c @@ -88,10 +88,11 @@ pid = fork(); if (pid == 0) { char buf[PATH_MAX]; + char *argp[] = {NULL}; char *envp[] = {buf, NULL}; snprintf(buf, sizeof(buf), "PATH=%s", getenv("PATH")); - execve("regression_test.py", NULL, envp); + execve("regression_test.py", argp, envp); } else if (pid > 0) { return; } debian/patches/CVE-2017-7506-2.patch0000644000000000000000000000201013133443544013375 0ustar From ec6229c79abe05d731953df5f7e9a05ec9f6df79 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Mon, 15 May 2017 15:57:28 +0100 Subject: reds: Avoid integer overflows handling monitor configuration Avoid VDAgentMessage::size integer overflows. Signed-off-by: Frediano Ziglio Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c 2017-07-18 13:37:38.146912982 -0400 +++ spice-0.12.4/server/reds.c 2017-07-18 13:37:38.126912981 -0400 @@ -1117,6 +1117,9 @@ static void reds_on_main_agent_monitors_ spice_debug("not enough data yet. %d\n", cmc->buffer_size); return; } + if (msg_header->size < sizeof(VDAgentMonitorsConfig)) { + goto overflow; + } monitors_config = (VDAgentMonitorsConfig *)(cmc->buffer + sizeof(*msg_header)); spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors); red_dispatcher_client_monitors_config(monitors_config); debian/patches/CVE-2017-7506-1.patch0000644000000000000000000000564713133443520013411 0ustar Backport of: From f1e7ec03e26ab6b8ca9b7ec060846a5b706a963d Mon Sep 17 00:00:00 2001 
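Review bot: in the test_display_base.c hunk, `char *argp[] = {NULL};` silences the warning but hands the script an empty argv with no `argv[0]`; the conventional form is `{"regression_test.py", NULL}`. Separately, `execve` does not consult PATH, so the relative path is resolved against the current directory, and when it fails the child keeps running the parent's code after the `if`; add `_exit(1)` directly after the `execve` call. The `%zd` to `%ld` change in basic_event_loop.c assumes `tv_sec`/`tv_usec` are `long`, which holds on glibc but is not portable; casting the arguments to `long` keeps the format correct everywhere.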
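Review bot: in CVE-2017-7506-2, the new `msg_header->size < sizeof(VDAgentMonitorsConfig)` check jumps to an `overflow` label that this patch does not define; the label is introduced by CVE-2017-7506-1, so the series must apply -1 before -2 (the timestamps suggest it does, but the dependency deserves a line in the patch header). The check also guards only the fixed header: `monitors_config->num_of_monitors` is read and passed to `red_dispatcher_client_monitors_config` without verifying that `num_of_monitors * sizeof(VDAgentMonConfig)` fits in the remaining `msg_header->size`, so either that callee performs the bound check or one should be added here.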
From: Frediano Ziglio Date: Mon, 15 May 2017 15:57:28 +0100 Subject: reds: Disconnect when receiving overly big ClientMonitorsConfig Total message size received from the client was unlimited. There is a 2kiB size check on individual agent messages, but the MonitorsConfig message can be split in multiple chunks, and the size of the non-chunked MonitorsConfig message was never checked. This could easily lead to memory exhaustion on the host. Signed-off-by: Frediano Ziglio Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c 2017-07-18 13:35:23.810906718 -0400 +++ spice-0.12.4/server/reds.c 2017-07-18 13:36:45.870910544 -0400 
@@ -1086,19 +1086,34 @@ static void reds_client_monitors_config_ static void reds_on_main_agent_monitors_config( MainChannelClient *mcc, void *message, size_t size) { + const unsigned int MAX_MONITORS = 256; + const unsigned int MAX_MONITOR_CONFIG_SIZE = + sizeof(VDAgentMonitorsConfig) + MAX_MONITORS * sizeof(VDAgentMonConfig); + VDAgentMessage *msg_header; VDAgentMonitorsConfig *monitors_config; RedsClientMonitorsConfig *cmc = &reds->client_monitors_config; + // limit size of message sent by the client as this can cause a DoS through + // memory exhaustion, or potentially some integer overflows + if (sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size) { + goto overflow; + } cmc->buffer_size += size; cmc->buffer = realloc(cmc->buffer, cmc->buffer_size); spice_assert(cmc->buffer); cmc->mcc = mcc; memcpy(cmc->buffer + cmc->buffer_pos, message, size); cmc->buffer_pos += size; + if (sizeof(VDAgentMessage) > cmc->buffer_size) { + spice_debug("not enough data yet. %d", cmc->buffer_size); + return; + } msg_header = (VDAgentMessage *)cmc->buffer; - if (sizeof(VDAgentMessage) > cmc->buffer_size || - msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { + if (msg_header->size > MAX_MONITOR_CONFIG_SIZE) { + goto overflow; + } + if (msg_header->size > cmc->buffer_size - sizeof(VDAgentMessage)) { spice_debug("not enough data yet. %d\n", cmc->buffer_size); return; } 
@@ -1106,6 +1121,12 @@ static void reds_on_main_agent_monitors_ spice_debug("%s: %d\n", __func__, monitors_config->num_of_monitors); red_dispatcher_client_monitors_config(monitors_config); reds_client_monitors_config_cleanup(); + return; + +overflow: + spice_warning("received invalid MonitorsConfig request from client, disconnecting"); + red_channel_client_disconnect(main_channel_client_get_base(mcc)); + reds_client_monitors_config_cleanup(); } void reds_on_main_agent_data(MainChannelClient *mcc, void *message, size_t size) debian/patches/CVE-2016-9578-1.patch0000644000000000000000000000334713051122754013420 0ustar From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 13 Dec 2016 14:39:48 +0000 Subject: Prevent possible DoS attempts during protocol handshake The limit for link message is specified using a 32 bit unsigned integer. This could cause possible DoS due to excessive memory allocations and some possible crashes. For instance a value >= 2^31 causes a spice_assert to be triggered in async_read_handler (reds-stream.c) due to an integer overflow at this line: int n = async->end - async->now; This could be easily triggered with a program like #!/usr/bin/env python import socket import time from struct import pack server = '127.0.0.1' port = 5900 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((server, port)) data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa) s.send(data) time.sleep(1) without requiring any authentication (the same can be done with TLS). Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau Index: spice-0.12.4/server/reds.c =================================================================== --- spice-0.12.4.orig/server/reds.c 2017-02-15 14:03:06.398568736 -0500 +++ spice-0.12.4/server/reds.c 2017-02-15 14:03:06.382568517 -0500 
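Review bot: the new limit `sizeof(VDAgentMessage) + MAX_MONITOR_CONFIG_SIZE - cmc->buffer_size < size` is written as a subtraction to avoid overflowing on addition, which is only valid while `cmc->buffer_size` never exceeds the bound. That invariant holds because every increment passes this check first, but it also depends on `reds_client_monitors_config_cleanup` resetting `buffer_size` on both the success path and the new `overflow` path, which the hunk relies on without showing; a comment stating the invariant would help. `realloc` followed by `spice_assert(cmc->buffer)` still aborts the whole server on allocation failure, which is tolerable now that the total is capped at 256 monitor entries, but worth noting. The moved `spice_debug("not enough data yet. %d", ...)` also drops the trailing `\n` that the neighbouring message keeps; make the two consistent.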
@@ -2780,7 +2780,8 @@ reds->peer_minor_version = header->minor_version; - if (header->size < sizeof(SpiceLinkMess)) { + /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ + if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); spice_warning("bad size %u", header->size); reds_link_free(link); debian/patches/CVE-2019-3813.patch0000644000000000000000000000431613422347645013256 0ustar Backport of: From 6eff47e72cb2f23d168be58bab8bdd60df49afd0 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Thu, 29 Nov 2018 14:18:39 +0100 Subject: [spice-server] memslot: Fix off-by-one error in group/slot boundary check RedMemSlotInfo keeps an array of groups, and each group contains an array of slots. Unfortunately, these checks are off by 1, they check that the index is greater or equal to the number of elements in the array, while these arrays are 0 based. The check should only check for strictly greater than the number of elements. For the group array, this is not a big issue, as these memslot groups are created by spice-server users (eg QEMU), and the group ids used to index that array are also generated by the spice-server user, so it should not be possible for the guest to set them to arbitrary values. The slot id is more problematic, as it's calculated from a QXLPHYSICAL address, and such addresses are usually set by the guest QXL driver, so the guest can set these to arbitrary values, including malicious values, which are probably easy to build from the guest PCI configuration. This patch fixes the arrays bound check, and adds a test case for this. 
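Review bot: `4096` is a magic number in the new `header->size > 4096` check; give it a named constant next to `SpiceLinkMess` and extend the comment to say why 4096 is enough for the largest legitimate link message (the capability arrays that follow the header), so a future protocol extension does not silently start being rejected. The existing `spice_warning("bad size %u", header->size)` already covers the new branch, so the diagnostics are fine.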
Signed-off-by: Christophe Fergeau --- server/memslot.c | 4 ++-- server/tests/test-qxl-parsing.c | 30 ++++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) Index: spice-0.12.4/server/red_memslots.c =================================================================== --- spice-0.12.4.orig/server/red_memslots.c 2019-01-24 09:45:55.444475075 -0500 +++ spice-0.12.4/server/red_memslots.c 2019-01-24 09:45:55.440475060 -0500 @@ -111,14 +111,14 @@ unsigned long get_virt(RedMemSlotInfo *i MemSlot *slot; *error = 0; - if (group_id > info->num_memslots_groups) { + if (group_id >= info->num_memslots_groups) { spice_critical("group_id too big"); *error = 1; return 0; } slot_id = get_memslot_id(info, addr); - if (slot_id > info->num_memslots) { + if (slot_id >= info->num_memslots) { print_memslots(info); spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); *error = 1; debian/patches/make-celt-to-be-optional.patch0000644000000000000000000004573412176767010016353 0ustar From 29942be38e11b297164dcd838e82c96ea152f6ff Mon Sep 17 00:00:00 2001 
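Review bot: the backport carries only the two `>` to `>=` fixes in `red_memslots.c`, while the commit message and diffstat still list `server/memslot.c` and a 30-line addition to `server/tests/test-qxl-parsing.c`; the regression test was dropped in the backport, so either port it as well or trim the diffstat to match the hunk. The fixes themselves are right: `num_memslots_groups` and `num_memslots` are element counts, so an index equal to the count is out of bounds.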
From: Michael Tokarev Date: Sat, 5 May 2012 19:15:49 +0400 Subject: [PATCH] make celt to be optional Forwarded: yes Comment: upstream apparently does not want this patch With this patch applied, celt051 library isn't required anymore. It is still required by default, but there's a new configure option, --disable-celt051, which makes the configure code to omit checking/finding the celt library and makes resulting spice library to not use celt codec at all. The changes in the code - there are relatively many - are located in 3 source files (see diffstat): client/playback_channel.cpp client/record_channel.cpp server/snd_worker.c and are local/private to the library (client and server), so no external ABI/API is done. I found and marked hopefully all places where celt codec is being touched/referenced. The patch may help future development too, indicating all places where codec-specific code is used (just grep source for HAVE_CELT051 to see these). I plan to use this patch in the upcoming Debian release, codename wheezy, to get rid of celt codec library there, since we decided celt051 is not going to be included, but it is obviously not a good idea to drop spice entirely. I did some interoperability tests and the thing appears to work -- unpatched client to patched server, patched client to unpatched server and patched client to patched server. I didn't check old clients and servers, however. In all cases, raw audio stream is being choosen and used. But since I don't really know how spice works internally, maybe I didn't perform correct testing. Signed-off-By: Michael Tokarev Cc: Ron Lee Cc: Liang Guo --- client/audio_channels.h | 8 +++++ client/playback_channel.cpp | 25 ++++++++++--- client/record_channel.cpp | 21 +++++++++-- configure.ac | 16 ++++++--- server/snd_worker.c | 82 ++++++++++++++++++++++++++++++++++--------- 5 files changed, 122 insertions(+), 30 deletions(-) --- a/client/audio_channels.h +++ b/client/audio_channels.h 
@@ -18,7 +18,9 @@ #ifndef _H_AUDIO_CHANNELS #define _H_AUDIO_CHANNELS +#if HAVE_CELT051 #include +#endif #include "red_channel.h" #include "debug.h" @@ -45,7 +47,9 @@ void handle_start(RedPeer::InMessage* message); void handle_stop(RedPeer::InMessage* message); void handle_raw_data(RedPeer::InMessage* message); +#if HAVE_CELT051 void handle_celt_data(RedPeer::InMessage* message); +#endif void null_handler(RedPeer::InMessage* message); void disable(); @@ -57,8 +61,10 @@ WavePlaybackAbstract* _wave_player; uint32_t _mode; uint32_t _frame_bytes; +#if HAVE_CELT051 CELTMode *_celt_mode; CELTDecoder *_celt_decoder; +#endif bool _playing; uint32_t _frame_count; }; @@ -96,8 +102,10 @@ Mutex _messages_lock; std::list _messages; int _mode; +#if HAVE_CELT051 CELTMode *_celt_mode; CELTEncoder *_celt_encoder; +#endif uint32_t _frame_bytes; static int data_mode; --- a/client/playback_channel.cpp +++ b/client/playback_channel.cpp @@ -151,8 +151,10 @@ Platform::PRIORITY_HIGH) , _wave_player (NULL) , _mode (SPICE_AUDIO_DATA_MODE_INVALID) +#if HAVE_CELT051 , _celt_mode (NULL) , _celt_decoder (NULL) +#endif , _playing (false) { #ifdef WAVE_CAPTURE @@ -169,7 +171,9 @@ handler->set_handler(SPICE_MSG_PLAYBACK_MODE, &PlaybackChannel::handle_mode); +#if HAVE_CELT051 set_capability(SPICE_PLAYBACK_CAP_CELT_0_5_1); +#endif } void PlaybackChannel::clear() @@ -182,6 +186,7 @@ } _mode = SPICE_AUDIO_DATA_MODE_INVALID; +#if HAVE_CELT051 if (_celt_decoder) { celt051_decoder_destroy(_celt_decoder); _celt_decoder = NULL; @@ -191,6 +196,7 @@ celt051_mode_destroy(_celt_mode); _celt_mode = NULL; } +#endif } void PlaybackChannel::on_disconnect() @@ -214,8 +220,10 @@ if (_mode == SPICE_AUDIO_DATA_MODE_RAW) { handler->set_handler(SPICE_MSG_PLAYBACK_DATA, &PlaybackChannel::handle_raw_data); +#if HAVE_CELT051 } else if (_mode == SPICE_AUDIO_DATA_MODE_CELT_0_5_1) { handler->set_handler(SPICE_MSG_PLAYBACK_DATA, &PlaybackChannel::handle_celt_data); +#endif } else { THROW("invalid mode"); } 
@@ -224,8 +232,11 @@ void PlaybackChannel::handle_mode(RedPeer::InMessage* message) { SpiceMsgPlaybackMode* playbacke_mode = (SpiceMsgPlaybackMode*)message->data(); - if (playbacke_mode->mode != SPICE_AUDIO_DATA_MODE_RAW && - playbacke_mode->mode != SPICE_AUDIO_DATA_MODE_CELT_0_5_1) { + if (playbacke_mode->mode != SPICE_AUDIO_DATA_MODE_RAW +#if HAVE_CELT051 + && playbacke_mode->mode != SPICE_AUDIO_DATA_MODE_CELT_0_5_1 +#endif + ) { THROW("invalid mode"); } @@ -265,9 +276,6 @@ start_wave(); #endif if (!_wave_player) { - // for now support only one setting - int celt_mode_err; - if (start->format != SPICE_AUDIO_FMT_S16) { THROW("unexpected format"); } @@ -284,6 +292,10 @@ return; } +#if HAVE_CELT051 + // for now support only one setting + int celt_mode_err; + if (!(_celt_mode = celt051_mode_create(start->frequency, start->channels, frame_size, &celt_mode_err))) { THROW("create celt mode failed %d", celt_mode_err); @@ -292,6 +304,7 @@ if (!(_celt_decoder = celt051_decoder_create(_celt_mode))) { THROW("create celt decoder"); } +#endif } _playing = true; _frame_count = 0; @@ -333,6 +346,7 @@ _wave_player->write(data); } +#if HAVE_CELT051 void PlaybackChannel::handle_celt_data(RedPeer::InMessage* message) { SpiceMsgPlaybackPacket* packet = (SpiceMsgPlaybackPacket*)message->data(); @@ -352,6 +366,7 @@ } _wave_player->write((uint8_t *)pcm); } +#endif class PlaybackFactory: public ChannelFactory { public: --- a/client/record_channel.cpp +++ b/client/record_channel.cpp @@ -72,8 +72,10 @@ : RedChannel(client, SPICE_CHANNEL_RECORD, id, new RecordHandler(*this)) , _wave_recorder (NULL) , _mode (SPICE_AUDIO_DATA_MODE_INVALID) +#if HAVE_CELT051 , _celt_mode (NULL) , _celt_encoder (NULL) +#endif { for (int i = 0; i < NUM_SAMPLES_MESSAGES; i++) { _messages.push_front(new RecordSamplesMessage(*this)); 
@@ -89,8 +91,9 @@ handler->set_handler(SPICE_MSG_NOTIFY, &RecordChannel::handle_notify); handler->set_handler(SPICE_MSG_RECORD_START, &RecordChannel::handle_start); - +#if HAVE_CELT051 set_capability(SPICE_RECORD_CAP_CELT_0_5_1); +#endif } RecordChannel::~RecordChannel(void) @@ -115,7 +118,9 @@ SpiceMsgcRecordMode mode; mode.time = get_mm_time(); mode.mode = _mode = +#if HAVE_CELT051 test_capability(SPICE_RECORD_CAP_CELT_0_5_1) ? RecordChannel::data_mode : +#endif SPICE_AUDIO_DATA_MODE_RAW; _marshallers->msgc_record_mode(message->marshaller(), &mode); post_message(message); @@ -142,7 +147,11 @@ handler->set_handler(SPICE_MSG_RECORD_START, NULL); handler->set_handler(SPICE_MSG_RECORD_STOP, &RecordChannel::handle_stop); +#if HAVE_CELT051 ASSERT(!_wave_recorder && !_celt_mode && !_celt_encoder); +#else + ASSERT(!_wave_recorder); +#endif // for now support only one setting if (start->format != SPICE_AUDIO_FMT_S16) { @@ -160,8 +169,9 @@ } int frame_size = 256; - int celt_mode_err; _frame_bytes = frame_size * bits_per_sample * start->channels / 8; +#if HAVE_CELT051 + int celt_mode_err; if (!(_celt_mode = celt051_mode_create(start->frequency, start->channels, frame_size, &celt_mode_err))) { THROW("create celt mode failed %d", celt_mode_err); @@ -170,6 +180,7 @@ if (!(_celt_encoder = celt051_encoder_create(_celt_mode))) { THROW("create celt encoder failed"); } +#endif send_start_mark(); _wave_recorder->start(); @@ -182,6 +193,7 @@ delete _wave_recorder; _wave_recorder = NULL; } +#if HAVE_CELT051 if (_celt_encoder) { celt051_encoder_destroy(_celt_encoder); _celt_encoder = NULL; @@ -190,6 +202,7 @@ celt051_mode_destroy(_celt_mode); _celt_mode = NULL; } +#endif } void RecordChannel::handle_stop(RedPeer::InMessage* message) @@ -200,7 +213,9 @@ if (!_wave_recorder) { return; } +#if HAVE_CELT051 ASSERT(_celt_mode && _celt_encoder); +#endif clear(); } 
@@ -254,8 +269,9 @@ DBG(0, "blocked"); return; } - uint8_t celt_buf[CELT_COMPRESSED_FRAME_BYTES]; int n; +#if HAVE_CELT051 + uint8_t celt_buf[CELT_COMPRESSED_FRAME_BYTES]; if (_mode == SPICE_AUDIO_DATA_MODE_CELT_0_5_1) { n = celt051_encode(_celt_encoder, (celt_int16_t *)frame, NULL, celt_buf, @@ -264,7 +280,9 @@ THROW("celt encode failed"); } frame = celt_buf; - } else { + } else +#endif + { n = _frame_bytes; } RedPeer::OutMessage& peer_message = message->peer_message(); --- a/configure.ac +++ b/configure.ac @@ -147,6 +147,9 @@ if test "x$enable_smartcard" = "xyes"; then AC_DEFINE([USE_SMARTCARD], [1], [Define if supporting smartcard proxying]) fi +AC_ARG_ENABLE(celt051, +[ --disable-celt051 Disable celt051 audio codec (enabled by default)],, +[enable_celt051="yes"]) AC_ARG_ENABLE(client, [ --enable-client Enable spice client],, @@ -246,11 +249,14 @@ AC_SUBST(PIXMAN_LIBS) SPICE_REQUIRES+=" pixman-1 >= 0.17.7" -PKG_CHECK_MODULES(CELT051, celt051 >= 0.5.1.1) -AC_SUBST(CELT051_CFLAGS) -AC_SUBST(CELT051_LIBS) -AC_SUBST(CELT051_LIBDIR) -SPICE_REQUIRES+=" celt051 >= 0.5.1.1" +if test "x$enable_celt051" = "xyes"; then + PKG_CHECK_MODULES(CELT051, celt051 >= 0.5.1.1) + SPICE_REQUIRES+=" celt051 >= 0.5.1.1" + AC_DEFINE([HAVE_CELT051], 1, [Define if we have celt051 codec]) + AC_SUBST(CELT051_CFLAGS) + AC_SUBST(CELT051_LIBS) + AC_SUBST(CELT051_LIBDIR) +fi if test ! -e client/generated_marshallers.cpp; then AC_MSG_CHECKING([for pyparsing python module]) --- a/server/snd_worker.c +++ b/server/snd_worker.c @@ -25,7 +25,9 @@ #include #include #include +#if HAVE_CELT051 #include +#endif #include "common/marshaller.h" #include "common/generated_server_marshallers.h" @@ -140,12 +142,16 @@ AudioFrame *free_frames; AudioFrame *in_progress; AudioFrame *pending_frame; +#if HAVE_CELT051 CELTMode *celt_mode; CELTEncoder *celt_encoder; +#endif uint32_t mode; +#if HAVE_CELT051 struct { uint8_t celt_buf[CELT_COMPRESSED_FRAME_BYTES]; } send_data; +#endif uint32_t latency; }; 
@@ -182,13 +188,21 @@ uint32_t mode; uint32_t mode_time; uint32_t start_time; +#if HAVE_CELT051 CELTDecoder *celt_decoder; CELTMode *celt_mode; uint32_t celt_buf[FRAME_SIZE]; +#endif } RecordChannel; static SndWorker *workers; -static uint32_t playback_compression = SPICE_AUDIO_DATA_MODE_CELT_0_5_1; +static uint32_t playback_compression = +#if HAVE_CELT051 + SPICE_AUDIO_DATA_MODE_CELT_0_5_1 +#else + SPICE_AUDIO_DATA_MODE_RAW +#endif + ; static void snd_receive(void* data); @@ -323,6 +337,7 @@ packet = (SpiceMsgcRecordPacket *)message; size = packet->data_size; +#if HAVE_CELT051 if (record_channel->mode == SPICE_AUDIO_DATA_MODE_CELT_0_5_1) { int celt_err = celt051_decode(record_channel->celt_decoder, packet->data, size, (celt_int16_t *)record_channel->celt_buf); @@ -332,7 +347,9 @@ } data = record_channel->celt_buf; size = FRAME_SIZE; - } else if (record_channel->mode == SPICE_AUDIO_DATA_MODE_RAW) { + } else +#endif + if (record_channel->mode == SPICE_AUDIO_DATA_MODE_RAW) { data = (uint32_t *)packet->data; size = size >> 2; size = MIN(size, RECORD_SAMPLES_SIZE); @@ -387,8 +404,11 @@ SpiceMsgcRecordMode *mode = (SpiceMsgcRecordMode *)message; record_channel->mode = mode->mode; record_channel->mode_time = mode->time; - if (record_channel->mode != SPICE_AUDIO_DATA_MODE_CELT_0_5_1 && - record_channel->mode != SPICE_AUDIO_DATA_MODE_RAW) { + if (record_channel->mode != SPICE_AUDIO_DATA_MODE_RAW +#if HAVE_CELT051 + && record_channel->mode != SPICE_AUDIO_DATA_MODE_CELT_0_5_1 +#endif + ) { spice_printerr("unsupported mode"); } break; @@ -758,6 +778,7 @@ spice_marshall_msg_playback_data(channel->send_data.marshaller, &msg); +#if HAVE_CELT051 if (playback_channel->mode == SPICE_AUDIO_DATA_MODE_CELT_0_5_1) { int n = celt051_encode(playback_channel->celt_encoder, (celt_int16_t *)frame->samples, NULL, playback_channel->send_data.celt_buf, CELT_COMPRESSED_FRAME_BYTES); 
@@ -768,7 +789,9 @@ } spice_marshaller_add_ref(channel->send_data.marshaller, playback_channel->send_data.celt_buf, n); - } else { + } else +#endif + { spice_marshaller_add_ref(channel->send_data.marshaller, (uint8_t *)frame->samples, sizeof(frame->samples)); } @@ -1168,8 +1191,10 @@ reds_enable_mm_timer(); } +#if HAVE_CELT051 celt051_encoder_destroy(playback_channel->celt_encoder); celt051_mode_destroy(playback_channel->celt_mode); +#endif } static void snd_set_playback_peer(RedChannel *channel, RedClient *client, RedsStream *stream, @@ -1179,13 +1204,13 @@ SndWorker *worker = channel->data; PlaybackChannel *playback_channel; SpicePlaybackState *st = SPICE_CONTAINEROF(worker, SpicePlaybackState, worker); - CELTEncoder *celt_encoder; - CELTMode *celt_mode; - int celt_error; - RedChannelClient *rcc; snd_disconnect_channel(worker->connection); +#if HAVE_CELT051 + CELTEncoder *celt_encoder; + CELTMode *celt_mode; + int celt_error; if (!(celt_mode = celt051_mode_create(SPICE_INTERFACE_PLAYBACK_FREQ, SPICE_INTERFACE_PLAYBACK_CHAN, FRAME_SIZE, &celt_error))) { @@ -1197,6 +1222,7 @@ spice_printerr("create celt encoder failed"); goto error_1; } +#endif if (!(playback_channel = (PlaybackChannel *)__new_channel(worker, sizeof(*playback_channel), 
@@ -1213,16 +1239,20 @@ goto error_2; } worker->connection = &playback_channel->base; - rcc = playback_channel->base.channel_client; snd_playback_free_frame(playback_channel, &playback_channel->frames[0]); snd_playback_free_frame(playback_channel, &playback_channel->frames[1]); snd_playback_free_frame(playback_channel, &playback_channel->frames[2]); +#if HAVE_CELT051 playback_channel->celt_mode = celt_mode; playback_channel->celt_encoder = celt_encoder; - playback_channel->mode = red_channel_client_test_remote_cap(rcc, - SPICE_PLAYBACK_CAP_CELT_0_5_1) ? + playback_channel->mode = + red_channel_client_test_remote_cap(playback_channel->base.channel_client, + SPICE_PLAYBACK_CAP_CELT_0_5_1) ? playback_compression : SPICE_AUDIO_DATA_MODE_RAW; +#else + playback_channel->mode = SPICE_AUDIO_DATA_MODE_RAW; +#endif on_new_playback_channel(worker); if (worker->active) { @@ -1232,10 +1262,13 @@ return; error_2: +#if HAVE_CELT051 celt051_encoder_destroy(celt_encoder); error_1: celt051_mode_destroy(celt_mode); +#endif + return; } static void snd_record_migrate_channel_client(RedChannelClient *rcc) @@ -1379,10 +1412,12 @@ static void snd_record_cleanup(SndChannel *channel) { +#if HAVE_CELT051 RecordChannel *record_channel = SPICE_CONTAINEROF(channel, RecordChannel, base); celt051_decoder_destroy(record_channel->celt_decoder); celt051_mode_destroy(record_channel->celt_mode); +#endif } static void snd_set_record_peer(RedChannel *channel, RedClient *client, RedsStream *stream, @@ -1392,12 +1427,13 @@ SndWorker *worker = channel->data; RecordChannel *record_channel; SpiceRecordState *st = SPICE_CONTAINEROF(worker, SpiceRecordState, worker); - CELTDecoder *celt_decoder; - CELTMode *celt_mode; - int celt_error; snd_disconnect_channel(worker->connection); +#if HAVE_CELT051 + CELTDecoder *celt_decoder; + CELTMode *celt_mode; + int celt_error; if (!(celt_mode = celt051_mode_create(SPICE_INTERFACE_RECORD_FREQ, SPICE_INTERFACE_RECORD_CHAN, FRAME_SIZE, &celt_error))) { 
@@ -1409,6 +1445,7 @@ spice_printerr("create celt decoder failed"); goto error_1; } +#endif if (!(record_channel = (RecordChannel *)__new_channel(worker, sizeof(*record_channel), @@ -1427,8 +1464,10 @@ worker->connection = &record_channel->base; +#if HAVE_CELT051 record_channel->celt_mode = celt_mode; record_channel->celt_decoder = celt_decoder; +#endif on_new_record_channel(worker); if (worker->active) { @@ -1438,10 +1477,13 @@ return; error_2: +#if HAVE_CELT051 celt051_decoder_destroy(celt_decoder); error_1: celt051_mode_destroy(celt_mode); +#endif + return; } static void snd_playback_migrate_channel_client(RedChannelClient *rcc) @@ -1498,7 +1540,9 @@ client_cbs.migrate = snd_playback_migrate_channel_client; red_channel_register_client_cbs(channel, &client_cbs); red_channel_set_data(channel, playback_worker); +#if HAVE_CELT051 red_channel_set_cap(channel, SPICE_PLAYBACK_CAP_CELT_0_5_1); +#endif red_channel_set_cap(channel, SPICE_PLAYBACK_CAP_VOLUME); playback_worker->base_channel = channel; @@ -1525,7 +1569,9 @@ client_cbs.migrate = snd_record_migrate_channel_client; red_channel_register_client_cbs(channel, &client_cbs); red_channel_set_data(channel, record_worker); +#if HAVE_CELT051 red_channel_set_cap(channel, SPICE_RECORD_CAP_CELT_0_5_1); +#endif red_channel_set_cap(channel, SPICE_RECORD_CAP_VOLUME); record_worker->base_channel = channel; 
@@ -1572,7 +1618,11 @@ { SndWorker *now = workers; - playback_compression = on ? SPICE_AUDIO_DATA_MODE_CELT_0_5_1 : SPICE_AUDIO_DATA_MODE_RAW; + playback_compression = +#if HAVE_CELT051 + on ? SPICE_AUDIO_DATA_MODE_CELT_0_5_1 : +#endif + SPICE_AUDIO_DATA_MODE_RAW; for (; now; now = now->next) { if (now->base_channel->type == SPICE_CHANNEL_PLAYBACK && now->connection) { SndChannel* sndchannel = now->connection; debian/patches/CVE-2015-526x/0000755000000000000000000000000012726552544012335 5ustar debian/patches/CVE-2015-526x/0041-Define-a-constant-to-limit-data-from-guest.patch0000644000000000000000000000250212603215360023711 0ustar From 247209c1f1c6a41d9fe0532ae17f19ae1cdcc2f7 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 11:58:11 +0100 Subject: [PATCH 41/57] Define a constant to limit data from guest. This limit will prevent guest trying to do nasty things and DoS to host. Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 6c0b065..4449f2c 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
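Review bot: in the sound-channel hunk @@ -387,8 +404,11 @@ the requested mode is stored (`record_channel->mode = mode->mode;`) before the `SPICE_AUDIO_DATA_MODE_RAW` / `CELT_0_5_1` validation, so after `spice_printerr("unsupported mode")` the channel keeps the unsupported value and the following `break` carries on as if it were accepted; with CELT compiled out this path is now reached by any client that still asks for CELT even though the capability is no longer advertised. Suggest validating `mode->mode` first and leaving `record_channel->mode` unchanged when it is not supported.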
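Review bot: `#if HAVE_CELT051` (first used in hunk @@ -182,13 +188,21 @@ and repeated through the file) silently evaluates to 0 when the macro is not defined at all, so a missing configuration header or a misspelt macro name would produce a RAW-only server with no diagnostic; either make sure the header that defines `HAVE_CELT051` is included before the first test, or use `#ifdef`, and build with `-Wundef` so the undefined case is reported.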
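Review bot: hunks @@ -1179,13 +1204,13 @@ and @@ -1392,12 +1427,13 @@ move the `CELTEncoder`/`CELTDecoder`, `CELTMode` and `celt_error` declarations after the `snd_disconnect_channel(worker->connection);` statement, which mixes declarations and code (C99 or later only); that is fine if the project already builds as C99, otherwise keep the declarations at the top of the block inside their own `#if HAVE_CELT051` guard. The `return;` added after `#endif` in hunks @@ -1232,10 +1262,13 @@ and @@ -1438,10 +1477,13 @@ deserves a one-line comment: without it, `error_2:` would be a label immediately before the closing brace in non-CELT builds, which is not valid C.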
@@ -21,11 +21,22 @@ #include #include +#include #include "common/lz_common.h" #include "red_common.h" #include "red_memslots.h" #include "red_parse_qxl.h" +/* Max size in bytes for any data field used in a QXL command. + * This will for example be useful to prevent the guest from saturating the + * host memory if it tries to send overlapping chunks. + * This value should be big enough for all requests but limited + * to 32 bits. Even better if it fits on 31 bits to detect integer overflows. + */ +#define MAX_DATA_CHUNK 0x7ffffffflu + +G_STATIC_ASSERT(MAX_DATA_CHUNK <= G_MAXINT32); + #if 0 static void hexdump_qxl(RedMemSlotInfo *slots, int group_id, QXLPHYSICAL addr, uint8_t bytes) -- 2.4.3 debian/patches/CVE-2015-526x/0050-Fix-race-condition-in-red_get_data_chunks_ptr.patch0000644000000000000000000000475012603215360024616 0ustar From 20979131dee0f81972ca159e5f754d42890e75e6 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:12:19 +0100 Subject: [PATCH 50/57] Fix race condition in red_get_data_chunks_ptr Do not read multiple times data from guest as this can be changed by other guest vcpus. This causes races and security problems if these data are used for buffer allocation or checks. Actually, the 'data' member can't change during read as it is just a pointer to a fixed array contained in qxl. However, this change will make it clear that there can be no race condition. Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index c4b82be..7cc20e6 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
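Review bot: `MAX_DATA_CHUNK` is defined in hunk @@ -21,11 +21,22 @@ but not referenced anywhere in this patch, so its use is only compile-tested by the later patches (0042, 0052) that compare sizes against it; consider squashing the definition into its first user or stating in the commit message that it is introduced for them. The `G_STATIC_ASSERT(MAX_DATA_CHUNK <= G_MAXINT32)` does enforce the 31-bit property the comment asks for, but the `lu` suffix makes the constant `unsigned long`, so any comparison against a signed field (a stride, for example) is performed unsigned and negative values must be handled by the caller before comparing.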
@@ -102,30 +102,33 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, RedDataChunk *red_prev; size_t data_size = 0; int error; + QXLPHYSICAL next_chunk; red->data_size = qxl->data_size; data_size += red->data_size; - if (!validate_virt(slots, (intptr_t)qxl->data, memslot_id, red->data_size, group_id)) { + red->data = qxl->data; + if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { + red->data = NULL; return 0; } - red->data = qxl->data; red->prev_chunk = NULL; - while (qxl->next_chunk) { + while ((next_chunk = qxl->next_chunk) != 0) { red_prev = red; red = spice_new(RedDataChunk, 1); - memslot_id = get_memslot_id(slots, qxl->next_chunk); - qxl = (QXLDataChunk *)get_virt(slots, qxl->next_chunk, sizeof(*qxl), group_id, + memslot_id = get_memslot_id(slots, next_chunk); + qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, &error); if (error) { return 0; } red->data_size = qxl->data_size; data_size += red->data_size; - if (!validate_virt(slots, (intptr_t)qxl->data, memslot_id, red->data_size, group_id)) { + red->data = qxl->data; + if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { + red->data = NULL; return 0; } - red->data = qxl->data; red->prev_chunk = red_prev; red_prev->next_chunk = red; } -- 2.4.3 debian/patches/CVE-2015-526x/0045-Prevent-32-bit-integer-overflow-in-bitmap_consistent.patch0000644000000000000000000000342512603215537026004 0ustar Backport of: From 7baa8c39757b46a834e20198e4b18e9f1752e20e Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 13:09:35 +0100 Subject: [PATCH 45/57] Prevent 32 bit integer overflow in bitmap_consistent The overflow may lead to buffer overflow as the row size computed from width (bitmap->x) can be bigger than the size in bytes (bitmap->stride). This can make spice-server accept the invalid sizes. 
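Review bot: in hunk @@ -102,30 +102,33 @@ the `get_virt()` failure path (`if (error) { return 0; }`) still returns right after `red = spice_new(RedDataChunk, 1);` and before `red_prev->next_chunk = red;` is executed, so the freshly allocated node is leaked and the caller cannot walk the partial list to free it; link the node into the list (or free it) before returning. Reading `qxl->next_chunk` once into `next_chunk` and `qxl->data` once into `red->data` ahead of `validate_virt()` is the right shape for the double-read fix, and `red->data = NULL` on failure keeps the caller from dereferencing an unvalidated pointer.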
Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:38:25.587989209 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:38:52.659771136 -0400 @@ -357,11 +357,12 @@ return "unknown"; } -static const int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8}; +static const unsigned int MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[] = + {0, 1, 1, 4, 4, 8, 16, 24, 32, 32, 8}; static int bitmap_consistent(SpiceBitmap *bitmap) { - int bpp; + unsigned int bpp; if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) { spice_warning("wrong format specified for image\n"); @@ -370,7 +371,7 @@ bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; - if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { + if (bitmap->stride < (((uint64_t) bitmap->x * bpp + 7u) / 8u)) { spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n", bitmap->stride, bitmap->x, bpp, bitmap_format_to_string(bitmap->format), debian/patches/CVE-2015-526x/0051-Prevent-memory-leak-if-red_get_data_chunks_ptr-fails.patch0000644000000000000000000000460612603215360026124 0ustar From 173645bea63ad31ba0d6d4c58a06272aa488fb92 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:14:55 +0100 Subject: [PATCH 51/57] Prevent memory leak if red_get_data_chunks_ptr fails Free linked list if client tries to do nasty things Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 31 ++++++++++++++++++++----------- 1 file changed, 20 insertions(+), 11 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 7cc20e6..fe3ae78 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
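Review bot: in hunk @@ -370,7 +371,7 @@ `bpp` is now `unsigned int`, but the `spice_error(...)` format string on the following lines still prints it with `%d` (`"... %d < ((%d * %d + 7) / 8) ..."`, third argument `bpp`); switch that conversion to `%u` so the format and argument types match. Also confirm that `bitmap->stride` is an unsigned type: if it were signed, a negative stride would be converted to a large `uint64_t` in the new comparison and pass the check.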
@@ -107,34 +107,43 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, red->data_size = qxl->data_size; data_size += red->data_size; red->data = qxl->data; + red->prev_chunk = red->next_chunk = NULL; if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { red->data = NULL; return 0; } - red->prev_chunk = NULL; while ((next_chunk = qxl->next_chunk) != 0) { red_prev = red; - red = spice_new(RedDataChunk, 1); + red = spice_new0(RedDataChunk, 1); + red->prev_chunk = red_prev; + red_prev->next_chunk = red; + memslot_id = get_memslot_id(slots, next_chunk); qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, &error); - if (error) { - return 0; - } + if (error) + goto error; red->data_size = qxl->data_size; data_size += red->data_size; red->data = qxl->data; - if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) { - red->data = NULL; - return 0; - } - red->prev_chunk = red_prev; - red_prev->next_chunk = red; + if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) + goto error; } red->next_chunk = NULL; return data_size; + +error: + while (red->prev_chunk) { + red_prev = red->prev_chunk; + free(red); + red = red_prev; + } + red->data_size = 0; + red->next_chunk = NULL; + red->data = NULL; + return 0; } static size_t red_get_data_chunks(RedMemSlotInfo *slots, int group_id, -- 2.4.3 debian/patches/CVE-2015-526x/0042-Fix-some-integer-overflow-causing-large-memory-alloc.patch0000644000000000000000000000537212603215746026042 0ustar From b9ee3c381ef823b6a4f246e0df3112efdd349b6a Mon Sep 17 00:00:00 2001 
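Review bot: the head-chunk failure path in hunk @@ -107,34 +107,43 @@ (`red->data = NULL; return 0;` after the first `validate_virt`) leaves `red->data_size` set to the guest-supplied value, whereas the new `error:` block resets `data_size`, `next_chunk` and `data` together; route that first failure through `goto error` as well so the caller sees the same cleared head in both cases. The `error:` unwind itself is correct: it follows `prev_chunk` back to the caller-owned head, frees every node allocated in this function, and stops without freeing the head.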
From: Frediano Ziglio Date: Thu, 17 Sep 2015 15:00:22 +0100 Subject: [PATCH 42/57] Fix some integer overflow causing large memory allocations Prevent integer overflow when computing image sizes. Image index computations are done using 32 bit so this can cause easily security issues. MAX_DATA_CHUNK is larger than the virtual card limit, so this is not going to cause change in behaviours. Comparing size calculation results with MAX_DATA_CHUNK will allow us to catch overflows. Prevent guest from allocating large amount of memory. Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:24.414548824 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:24.414548824 -0400 @@ -384,7 +384,7 @@ QXLImage *qxl; SpiceImage *red = NULL; SpicePalette *rp = NULL; - size_t bitmap_size, size; + uint64_t bitmap_size, size; uint8_t qxl_flags; int error; @@ -460,7 +460,10 @@ red->u.bitmap.palette = rp; red->u.bitmap.palette_id = rp->unique; } - bitmap_size = red->u.bitmap.y * abs(red->u.bitmap.stride); + bitmap_size = (uint64_t) red->u.bitmap.y * red->u.bitmap.stride; + if (bitmap_size > MAX_DATA_CHUNK) { + goto error; + } if (qxl_flags & QXL_BITMAP_DIRECT) { red->u.bitmap.data = red_get_image_data_flat(slots, group_id, qxl->bitmap.data, @@ -1220,7 +1223,7 @@ RedSurfaceCmd *red, QXLPHYSICAL addr) { QXLSurfaceCmd *qxl; - size_t size; + uint64_t size; int error; qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, 
@@ -1240,7 +1243,11 @@ red->u.surface_create.width = qxl->u.surface_create.width; red->u.surface_create.height = qxl->u.surface_create.height; red->u.surface_create.stride = qxl->u.surface_create.stride; - size = red->u.surface_create.height * abs(red->u.surface_create.stride); + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ + size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); + if (size > MAX_DATA_CHUNK || red->u.surface_create.stride == G_MININT32) { + return 1; + } red->u.surface_create.data = (uint8_t*)get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); if (error) { debian/patches/CVE-2015-526x/0002-worker-avoid-double-free-or-double-create-of-surface.patch0000644000000000000000000000344412726552544025721 0ustar From 097c638b121e595d9daf79285c447088027a58e2 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 9 Sep 2015 12:45:06 +0100 Subject: [PATCH 02/19] worker: avoid double free or double create of surfaces A driver can overwrite surface state creating a surface with the same id of a previous one. Also can try to destroy surfaces that are not created. Both requests cause invalid internal states that could lead to crashes or memory corruptions. Signed-off-by: Frediano Ziglio --- server/red_worker.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) Index: spice-0.12.4/server/red_worker.c =================================================================== --- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:57:38.737200747 -0400 +++ spice-0.12.4/server/red_worker.c 2016-06-10 10:57:38.733200700 -0400 @@ -4282,6 +4282,10 @@ int32_t stride = surface->u.surface_create.stride; int reloaded_surface = loadvm || (surface->flags & QXL_SURF_FLAG_KEEP_DATA); + if (red_surface->refs) { + spice_warning("avoiding creating a surface twice"); + break; + } data = surface->u.surface_create.data; if (stride < 0) { data -= (int32_t)(stride * (height - 1)); 
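Review bot: in hunk @@ -1240,7 +1243,11 @@ the `red->u.surface_create.stride == G_MININT32` test runs after `abs(red->u.surface_create.stride)` has already been evaluated in the `size` computation, and `abs(INT_MIN)` is undefined behaviour in C (the comment added just above acknowledges the problem); test for `G_MININT32` first and compute `size` only afterwards. In hunk @@ -460,7 +460,10 @@ the `abs()` is dropped from the bitmap size product, which is only correct if `SpiceBitmap.stride` is an unsigned type; the commit message should say so, since the surface path on the same patch still uses `abs()`.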
@@ -4295,7 +4299,10 @@ break; } case QXL_SURFACE_CMD_DESTROY: - spice_warn_if(!red_surface->context.canvas); + if (!red_surface->refs) { + spice_warning("avoiding destroying a surface twice"); + break; + } set_surface_release_info(worker, surface_id, 0, surface->release_info, group_id); red_handle_depends_on_target_surface(worker, surface_id); /* note that red_handle_depends_on_target_surface must be called before red_current_clear. debian/patches/CVE-2015-526x/0043-Check-properly-surface-to-be-created.patch0000644000000000000000000000525512603215736022670 0ustar From b15d9c6d94bf426d61aaa4631ed55271c0d12b14 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 16:02:59 +0100 Subject: [PATCH 43/57] Check properly surface to be created Check format is valid. Check stride is at least the size of required bytes for a row. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:12.782642506 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:12.778642538 -0400 @@ -1219,12 +1219,30 @@ /* nothing yet */ } +static unsigned int surface_format_to_bpp(uint32_t format) +{ + switch (format) { + case SPICE_SURFACE_FMT_1_A: + return 1; + case SPICE_SURFACE_FMT_8_A: + return 8; + case SPICE_SURFACE_FMT_16_555: + case SPICE_SURFACE_FMT_16_565: + return 16; + case SPICE_SURFACE_FMT_32_xRGB: + case SPICE_SURFACE_FMT_32_ARGB: + return 32; + } + return 0; +} + int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, RedSurfaceCmd *red, QXLPHYSICAL addr) { QXLSurfaceCmd *qxl; uint64_t size; int error; + unsigned int bpp; qxl = (QXLSurfaceCmd *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); 
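Review bot: in hunk @@ -4295,7 +4299,10 @@ the new early `break` on a double destroy skips `set_surface_release_info(worker, surface_id, 0, surface->release_info, group_id);`, so the rejected command's `release_info` is never handed back and the guest-side command memory may not be released; either perform the release before the `break` or confirm that the caller releases the command on every path. The same question applies to the `break` added in hunk @@ -4282,6 +4286,10 @@ on a duplicate create, whose release handling is outside the visible lines.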
@@ -1243,9 +1261,24 @@ red->u.surface_create.width = qxl->u.surface_create.width; red->u.surface_create.height = qxl->u.surface_create.height; red->u.surface_create.stride = qxl->u.surface_create.stride; + bpp = surface_format_to_bpp(red->u.surface_create.format); + + /* check if format is valid */ + if (!bpp) { + return 1; + } + + /* check stride is larger than required bytes */ + size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; + /* the uint32_t conversion is here to avoid problems with -2^31 value */ + if (red->u.surface_create.stride == G_MININT32 + || size > (uint32_t) abs(red->u.surface_create.stride)) { + return 1; + } + /* the multiplication can overflow, also abs(-2^31) may return a negative value */ size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); - if (size > MAX_DATA_CHUNK || red->u.surface_create.stride == G_MININT32) { + if (size > MAX_DATA_CHUNK) { return 1; } red->u.surface_create.data = debian/patches/CVE-2015-526x/0055-Avoid-race-condition-copying-segments-in-red_get_pat.patch0000644000000000000000000000210312603215360026031 0ustar From 14f53eef04c38a3c537a1a1012c2f7101a298194 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 15 Sep 2015 16:38:23 +0100 Subject: [PATCH 55/57] Avoid race condition copying segments in red_get_path The guest can attempt to increase the number of segments while spice-server is reading them. Make sure we don't copy more then the allocated segments. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 4663bfd..c1df8e8 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
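Review bot: in hunk @@ -1219,12 +1219,30 @@ `surface_format_to_bpp` has no `default:` and relies on the `return 0;` after the `switch` to reject unknown formats, which works but is easy to misread; a `default: return 0;` inside the switch, or a comment, would make the intended rejection explicit. In hunk @@ -1243,9 +1261,24 @@ the reordered `stride == G_MININT32 || size > (uint32_t) abs(stride)` now short-circuits before `abs()` is called, which also resolves the undefined `abs(INT_MIN)` ordering left by the earlier patch; note that a zero `width` makes `size` 0 so any stride passes that check, which is only acceptable if zero-sized surfaces are rejected elsewhere.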
@@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, seg = (SpicePathSeg*)&red->segments[n_segments]; n_segments = 0; mem_size2 = sizeof(*red); - while (start+1 < end) { + while (start+1 < end && n_segments < red->num_segments) { red->segments[n_segments++] = seg; count = start->count; -- 2.4.3 debian/patches/CVE-2015-526x/0057-Prevent-leak-if-size-from-red_get_data_chunks-don-t-.patch0000644000000000000000000000253312603215360025645 0ustar From 5580cac5502cd518adad0a3682fd53aeeaf86a86 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Thu, 17 Sep 2015 15:01:05 +0100 Subject: [PATCH 57/57] Prevent leak if size from red_get_data_chunks don't match in red_get_image Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 8e3dd55..bd0c408 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -530,6 +530,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, &chunks, qxl->bitmap.data); spice_assert(size == bitmap_size); if (size != bitmap_size) { + red_put_data_chunks(&chunks); goto error; } red->u.bitmap.data = red_get_image_data_chunked(slots, group_id, @@ -550,6 +551,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, &chunks, (QXLDataChunk *)qxl->quic.data); spice_assert(size == red->u.quic.data_size); if (size != red->u.quic.data_size) { + red_put_data_chunks(&chunks); goto error; } red->u.quic.data = red_get_image_data_chunked(slots, group_id, -- 2.4.3 debian/patches/CVE-2015-526x/0053-Fix-some-possible-overflows-in-red_get_string-for-32.patch0000644000000000000000000000357112603215662025700 0ustar From 8f60fc6ec611aa6ad6fa31f3dfc8027462dbb442 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 13:06:03 +0100 Subject: [PATCH 53/57] Fix some possible overflows in red_get_string for 32 bit 
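Review bot: hunk @@ -272,7 +272,7 @@ of patch 0055 bounds the second pass by `red->num_segments`, but `count = start->count;` is still re-read from guest memory in that pass, so a guest that raises a segment's `count` between the sizing pass (where `segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix);` is computed, visible in the @@ -256 hunk of patch 0054) and the copy pass can still make the copy exceed the size computed from the first read; record the per-segment counts from the first pass, or bound each copy by the remaining distance to `end` and to `mem_size2`.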
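Review bot: in both hunks of patch 0057 (@@ -530,6 +530,7 @@ and @@ -550,6 +551,7 @@) the `spice_assert(size == bitmap_size)` / `spice_assert(size == red->u.quic.data_size)` immediately precedes the `if (size != ...)` block that now frees the chunks, so in builds where `spice_assert` aborts the new `red_put_data_chunks(&chunks);` is unreachable and a guest-controlled size mismatch still terminates the process; drop the asserts (or downgrade them to `spice_warning`) so the graceful `goto error` path is the one actually taken.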
Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:32.938963411 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:32.938963411 -0400 @@ -895,6 +895,11 @@ glyphs++; glyph_size = start->height * ((start->width * bpp + 7u) / 8u); red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4); + /* do the test correctly, we know end - start->data[0] cannot + * overflow, don't use start->data[glyph_size] to test for + * buffer overflow as this on 32 bit can cause overflow + * on the pointer arithmetic */ + spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]); start = (QXLRasterGlyph*)(&start->data[glyph_size]); } spice_assert(start <= end); @@ -915,7 +920,8 @@ red_get_point_ptr(&glyph->render_pos, &start->render_pos); red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin); glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u); - spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end); + /* see above for similar test */ + spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]); memcpy(glyph->data, start->data, glyph_size); start = (QXLRasterGlyph*)(&start->data[glyph_size]); glyph = (SpiceRasterGlyph*) debian/patches/CVE-2015-526x/0044-Fix-buffer-reading-overflow.patch0000644000000000000000000000246112603215722021177 0ustar From 18087073df84885642d9b0b1efd0e86e18409bbe Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:00:37 +0100 Subject: [PATCH 44/57] Fix buffer reading overflow Not security risk as just for read. However, this could be used to attempt integer overflows in the following lines. 
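Review bot: in hunk @@ -915,7 +920,8 @@ the new `spice_assert(glyph_size <= (char*) end - (char*) &start->data[0]);` compares an unsigned `glyph_size` with a signed pointer difference; if `&start->data[0]` is already past `end`, the difference is negative, converts to a large unsigned value, and the assert passes. The first loop (hunk @@ -895,6 +895,11 @@) is preceded by a `&start->data[0] <= end` check, but no such guard is visible before this second loop; add it there too, or do the comparison in signed arithmetic. These are also still `spice_assert`s on guest-controlled values: if they abort, a malformed string command takes the whole server down instead of failing the one command.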
Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:41:04.650708000 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:41:04.650708000 -0400 @@ -361,7 +361,14 @@ static int bitmap_consistent(SpiceBitmap *bitmap) { - int bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; + int bpp; + + if (bitmap->format >= SPICE_N_ELEMENTS(MAP_BITMAP_FMT_TO_BITS_PER_PIXEL)) { + spice_warning("wrong format specified for image\n"); + return FALSE; + } + + bpp = MAP_BITMAP_FMT_TO_BITS_PER_PIXEL[bitmap->format]; if (bitmap->stride < ((bitmap->x * bpp + 7) / 8)) { spice_error("image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)\n", debian/patches/CVE-2015-526x/0052-Prevent-DoS-from-guest-trying-to-allocate-too-much-d.patch0000644000000000000000000000730612603215360025614 0ustar From ffbe1b2e3bff5fec022030836a9319d57c6f94c5 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 12:28:54 +0100 Subject: [PATCH 52/57] Prevent DoS from guest trying to allocate too much data on host for chunks Limit number of chunks to a given amount to avoid guest trying to allocate too much memory. Using circular or nested chunks lists guest could try to allocate huge amounts of memory. Considering the list can be infinite and guest can change data this also prevents strange security attacks from guest. Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 49 +++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 41 insertions(+), 8 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index fe3ae78..f183248 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
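Review bot: the new bounds check in hunk @@ -361,7 +361,14 @@ reports a bad `format` with `spice_warning` and returns `FALSE`, while the stride check immediately after it still uses `spice_error`; if `spice_error` aborts the process, a guest-supplied stride that fails that check is a denial of service even though the function already has a `FALSE` return path. Consider making both checks warn and return `FALSE`, leaving the caller to discard the image.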
@@ -37,6 +37,13 @@ G_STATIC_ASSERT(MAX_DATA_CHUNK <= G_MAXINT32); +/* Limit number of chunks. + * The guest can attempt to make host allocate too much memory + * just with a large number of small chunks. + * Prevent that the chunk list take more memory than the data itself. + */ +#define MAX_CHUNKS (MAX_DATA_CHUNK/1024u) + #if 0 static void hexdump_qxl(RedMemSlotInfo *slots, int group_id, QXLPHYSICAL addr, uint8_t bytes) @@ -100,9 +107,11 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, RedDataChunk *red, QXLDataChunk *qxl) { RedDataChunk *red_prev; - size_t data_size = 0; + uint64_t data_size = 0; + uint32_t chunk_data_size; int error; QXLPHYSICAL next_chunk; + unsigned num_chunks = 0; red->data_size = qxl->data_size; data_size += red->data_size; 
@@ -114,19 +123,43 @@ static size_t red_get_data_chunks_ptr(RedMemSlotInfo *slots, int group_id, } while ((next_chunk = qxl->next_chunk) != 0) { + /* somebody is trying to use too much memory using a lot of chunks. + * Or made a circular list of chunks + */ + if (++num_chunks >= MAX_CHUNKS) { + spice_warning("data split in too many chunks, avoiding DoS\n"); + goto error; + } + + memslot_id = get_memslot_id(slots, next_chunk); + qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), + group_id, &error); + if (error) + goto error; + + /* do not waste space for empty chunks. + * This could be just a driver issue or an attempt + * to allocate too much memory or a circular list. + * All above cases are handled by the check for number + * of chunks. + */ + chunk_data_size = qxl->data_size; + if (chunk_data_size == 0) + continue; + red_prev = red; red = spice_new0(RedDataChunk, 1); + red->data_size = chunk_data_size; red->prev_chunk = red_prev; + red->data = qxl->data; red_prev->next_chunk = red; - memslot_id = get_memslot_id(slots, next_chunk); - qxl = (QXLDataChunk *)get_virt(slots, next_chunk, sizeof(*qxl), group_id, - &error); - if (error) + data_size += chunk_data_size; + /* this can happen if client is sending nested chunks */ + if (data_size > MAX_DATA_CHUNK) { + spice_warning("too much data inside chunks, avoiding DoS\n"); goto error; - red->data_size = qxl->data_size; - data_size += red->data_size; - red->data = qxl->data; + } if (!validate_virt(slots, (intptr_t)red->data, memslot_id, red->data_size, group_id)) goto error; } -- 2.4.3 debian/patches/CVE-2015-526x/0047-Fix-race-in-red_get_image.patch0000644000000000000000000000610612603215360020546 0ustar From d2fc5cee16c10e53d81c6251e6929da54270a6f4 Mon Sep 17 00:00:00 2001 
From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:04:10 +0100 Subject: [PATCH 47/57] Fix race in red_get_image Do not read multiple times data from guest as this could be changed by other vcpu threads. This causes races and security problems if these data are used for buffer allocation or checks. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index affd3a2..84ea526 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -397,6 +397,7 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, uint64_t bitmap_size, size; uint8_t qxl_flags; int error; + QXLPHYSICAL palette; if (addr == 0) { return NULL; @@ -422,12 +423,16 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, switch (red->descriptor.type) { case SPICE_IMAGE_TYPE_BITMAP: red->u.bitmap.format = qxl->bitmap.format; - if (!bitmap_fmt_is_rgb(qxl->bitmap.format) && !qxl->bitmap.palette && !is_mask) { + red->u.bitmap.x = qxl->bitmap.x; + red->u.bitmap.y = qxl->bitmap.y; + red->u.bitmap.stride = qxl->bitmap.stride; + palette = qxl->bitmap.palette; + if (!bitmap_fmt_is_rgb(red->u.bitmap.format) && !palette && !is_mask) { spice_warning("guest error: missing palette on bitmap format=%d\n", red->u.bitmap.format); goto error; } - if (qxl->bitmap.x == 0 || qxl->bitmap.y == 0) { + if (red->u.bitmap.x == 0 || red->u.bitmap.y == 0) { spice_warning("guest error: zero area bitmap\n"); goto error; } 
@@ -435,23 +440,20 @@ static SpiceImage *red_get_image(RedMemSlotInfo *slots, int group_id, if (qxl_flags & QXL_BITMAP_TOP_DOWN) { red->u.bitmap.flags = SPICE_BITMAP_FLAGS_TOP_DOWN; } - red->u.bitmap.x = qxl->bitmap.x; - red->u.bitmap.y = qxl->bitmap.y; - red->u.bitmap.stride = qxl->bitmap.stride; if (!bitmap_consistent(&red->u.bitmap)) { goto error; } - if (qxl->bitmap.palette) { + if (palette) { QXLPalette *qp; int i, num_ents; - qp = (QXLPalette *)get_virt(slots, qxl->bitmap.palette, + qp = (QXLPalette *)get_virt(slots, palette, sizeof(*qp), group_id, &error); if (error) { goto error; } num_ents = qp->num_ents; if (!validate_virt(slots, (intptr_t)qp->ents, - get_memslot_id(slots, qxl->bitmap.palette), + get_memslot_id(slots, palette), num_ents * sizeof(qp->ents[0]), group_id)) { goto error; } -- 2.4.3 debian/patches/CVE-2015-526x/0046-Fix-race-condition-on-red_get_clip_rects.patch0000644000000000000000000000301012603215360023573 0ustar From 078a903d55f44aedd22b4fa8dd86e4b03b82c01c Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:01:51 +0100 Subject: [PATCH 46/57] Fix race condition on red_get_clip_rects Do not read multiple time an array size that can be changed. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 3385f52..affd3a2 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c @@ -273,6 +273,7 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, size_t size; int i; int error; + uint32_t num_rects; qxl = (QXLClipRects *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); if (error) { 
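Review bot: in hunk @@ -435,23 +440,20 @@ `num_ents` is declared `int` (`int i, num_ents;`) and multiplied by `sizeof(qp->ents[0])` in the `validate_virt` call; a negative guest value converts to a very large `size_t`, which `validate_virt` should reject, but declaring `num_ents` as `uint32_t`, matching the other fields this patch copies out of the QXL structure once, would make the bound explicit instead of relying on that conversion. Reading `qxl->bitmap.palette` once into `palette` and using it for both `get_virt` and `get_memslot_id` closes the double read; the loop that consumes `num_ents` afterwards is outside the visible lines and should use the local copy in the same way.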
@@ -284,9 +285,10 @@ static SpiceClipRects *red_get_clip_rects(RedMemSlotInfo *slots, int group_id, data = red_linearize_chunk(&chunks, size, &free_data); red_put_data_chunks(&chunks); - spice_assert(qxl->num_rects * sizeof(QXLRect) == size); - red = spice_malloc(sizeof(*red) + qxl->num_rects * sizeof(SpiceRect)); - red->num_rects = qxl->num_rects; + num_rects = qxl->num_rects; + spice_assert(num_rects * sizeof(QXLRect) == size); + red = spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect)); + red->num_rects = num_rects; start = (QXLRect*)data; for (i = 0; i < red->num_rects; i++) { -- 2.4.3 debian/patches/CVE-2015-526x/0049-Fix-integer-overflow-computing-glyph_size-in-red_get.patch0000644000000000000000000000502212603215700026142 0ustar From e28c08d63490a2fb6b8cc07bf968eb16243e9c63 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:13:24 +0100 Subject: [PATCH 49/57] Fix integer overflow computing glyph_size in red_get_string If bpp is int the formula can lead to weird overflows. width and height are uint16_t so the formula is: size_t = u16 * (u16 * int + const_int) / const_int; so it became size_t = (int) u16 * ((int) u16 * int + const_int) / const_int; However the (int) u16 * (int) u16 can then became negative to overflow. Under 64 bit architectures size_t is 64 and int usually 32 so converting this negative 32 bit number to a unsigned 64 bit lead to a very big number as the signed is extended and then converted to unsigned. Using unsigned arithmetic prevent extending the sign. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:46.278855969 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:46.274856001 -0400 
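Review bot: in hunk @@ -284,9 +285,10 @@ `num_rects * sizeof(QXLRect)` is computed in `size_t`; on a 32-bit build a large `num_rects` can wrap that product, so `spice_assert(num_rects * sizeof(QXLRect) == size);` can hold for a `num_rects` far larger than `size / sizeof(QXLRect)`, and `spice_malloc(sizeof(*red) + num_rects * sizeof(SpiceRect))` then under-allocates for the `for (i = 0; i < red->num_rects; i++)` loop that follows. Check `size % sizeof(QXLRect) == 0 && num_rects == size / sizeof(QXLRect)` instead, and return an error rather than asserting on a guest-controlled value.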
@@ -807,7 +807,9 @@ uint8_t *data; bool free_data; size_t chunk_size, qxl_size, red_size, glyph_size; - int glyphs, bpp = 0, i; + int glyphs, i; + /* use unsigned to prevent integer overflow in multiplication below */ + unsigned int bpp = 0; int error; uint16_t qxl_flags, qxl_length; @@ -846,7 +848,7 @@ while (start < end) { spice_assert((QXLRasterGlyph*)(&start->data[0]) <= end); glyphs++; - glyph_size = start->height * ((start->width * bpp + 7) / 8); + glyph_size = start->height * ((start->width * bpp + 7u) / 8u); red_size += sizeof(SpiceRasterGlyph *) + SPICE_ALIGN(sizeof(SpiceRasterGlyph) + glyph_size, 4); start = (QXLRasterGlyph*)(&start->data[glyph_size]); } @@ -867,7 +869,7 @@ glyph->height = start->height; red_get_point_ptr(&glyph->render_pos, &start->render_pos); red_get_point_ptr(&glyph->glyph_origin, &start->glyph_origin); - glyph_size = glyph->height * ((glyph->width * bpp + 7) / 8); + glyph_size = glyph->height * ((glyph->width * bpp + 7u) / 8u); spice_assert((QXLRasterGlyph*)(&start->data[glyph_size]) <= end); memcpy(glyph->data, start->data, glyph_size); start = (QXLRasterGlyph*)(&start->data[glyph_size]); debian/patches/CVE-2015-526x/0054-Make-sure-we-can-read-QXLPathSeg-structures.patch0000644000000000000000000000256412603215360024006 0ustar From 289301f33c7da81fcb034448d96e8c276b4fc06a Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 15 Sep 2015 16:25:17 +0100 Subject: [PATCH 54/57] Make sure we can read QXLPathSeg structures start pointer points to a QXLPathSeg structure. Before reading from the structure, make sure the structure is contained in the memory range checked. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c index 668ce10..4663bfd 100644 --- a/server/red_parse_qxl.c +++ b/server/red_parse_qxl.c 
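Review bot: in patch 0049, the context line `uint16_t qxl_flags, qxl_length;` in the hunk at @@ -807 is added by patch 0048 (Fix race condition in red_get_string), so this patch applies only after 0048; the series numbering preserves that order, but the dependency deserves a sentence in the description. On the arithmetic: with `bpp` now `unsigned int`, `start->width * bpp + 7u` and the outer `start->height * (...)` are both evaluated as unsigned, and since `bpp` is 1, 4 or 8 as set in red_get_string, `(width * bpp + 7u) / 8u` is at most 65535 and the product of two 16-bit values fits in 32 bits, so the sign extension into size_t described in the commit message cannot occur. A comment stating that bound next to the new `7u` literals would keep the reasoning from being lost the next time the glyph format changes.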
@@ -256,7 +256,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, start = (QXLPathSeg*)data; end = (QXLPathSeg*)(data + size); - while (start < end) { + while (start+1 < end) { n_segments++; count = start->count; segment_size = sizeof(SpicePathSeg) + count * sizeof(SpicePointFix); @@ -272,7 +272,7 @@ static SpicePath *red_get_path(RedMemSlotInfo *slots, int group_id, seg = (SpicePathSeg*)&red->segments[n_segments]; n_segments = 0; mem_size2 = sizeof(*red); - while (start < end) { + while (start+1 < end) { red->segments[n_segments++] = seg; count = start->count; -- 2.4.3 debian/patches/CVE-2015-526x/0001-worker-validate-correctly-surfaces.patch0000644000000000000000000000756612726552537022671 0ustar From dd558bb833254fb49069eca052b92ae1abe3e8ff Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Wed, 9 Sep 2015 12:42:09 +0100 Subject: [PATCH 01/19] worker: validate correctly surfaces Do not just give warning and continue to use an invalid index into an array. Resolves: CVE-2015-5260 Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_worker.c | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) Index: spice-0.12.4/server/red_worker.c =================================================================== --- spice-0.12.4.orig/server/red_worker.c 2016-06-10 10:57:33.397138268 -0400 +++ spice-0.12.4/server/red_worker.c 2016-06-10 10:57:33.393138221 -0400 @@ -1058,6 +1058,7 @@ SpiceRect lossy_rect; } BitmapData; +static inline int validate_surface(RedWorker *worker, uint32_t surface_id); static void red_draw_qxl_drawable(RedWorker *worker, Drawable *drawable); static void red_current_flush(RedWorker *worker, int surface_id); #ifdef DRAW_ALL 
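Review bot: in patch 0054, `while (start+1 < end)` guarantees that the whole `QXLPathSeg` header at `start` lies inside `[data, data + size)` before `start->count` is read, which is what the description states. The condition covers the header only: the `count * sizeof(SpicePointFix)` points that follow it are sized from `segment_size` in the visible lines, but the check that the advance of `start` by that amount stays below `end` is outside this hunk and should be confirmed alongside it. A short comment on the loop condition saying it validates only the fixed-size header would make that division of responsibility explicit.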
@@ -1273,14 +1274,12 @@ return FALSE; } -static inline void __validate_surface(RedWorker *worker, uint32_t surface_id) -{ - spice_warn_if(surface_id >= worker->n_surfaces); -} - static inline int validate_surface(RedWorker *worker, uint32_t surface_id) { - spice_warn_if(surface_id >= worker->n_surfaces); + if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) { + spice_warning("invalid surface_id %u", surface_id); + return 0; + } if (!worker->surfaces[surface_id].context.canvas) { spice_warning("canvas address is %p for %d (and is NULL)\n", &(worker->surfaces[surface_id].context.canvas), surface_id); @@ -4266,12 +4265,14 @@ static inline void red_process_surface(RedWorker *worker, RedSurfaceCmd *surface, uint32_t group_id, int loadvm) { - int surface_id; + uint32_t surface_id; RedSurface *red_surface; uint8_t *data; surface_id = surface->surface_id; - __validate_surface(worker, surface_id); + if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) { + goto exit; + } red_surface = &worker->surfaces[surface_id]; @@ -4307,6 +4308,7 @@ default: spice_error("unknown surface command"); }; +exit: red_put_surface_cmd(surface); free(surface); } @@ -11150,7 +11152,7 @@ { RedWorker *worker = opaque; RedWorkerMessageUpdate *msg = payload; - SpiceRect *rect = spice_new0(SpiceRect, 1); + SpiceRect *rect; RedSurface *surface; uint32_t surface_id = msg->surface_id; const QXLRect *qxl_area = msg->qxl_area; 
@@ -11158,17 +11160,16 @@ QXLRect *qxl_dirty_rects = msg->qxl_dirty_rects; uint32_t clear_dirty_region = msg->clear_dirty_region; + VALIDATE_SURFACE_RET(worker, surface_id); + + rect = spice_new0(SpiceRect, 1); surface = &worker->surfaces[surface_id]; red_get_rect_ptr(rect, qxl_area); flush_display_commands(worker); spice_assert(worker->running); - if (validate_surface(worker, surface_id)) { - red_update_area(worker, rect, surface_id); - } else { - rendering_incorrect(__func__); - } + red_update_area(worker, rect, surface_id); free(rect); surface_dirty_region_to_rects(surface, qxl_dirty_rects, num_dirty_rects, @@ -11207,6 +11208,7 @@ * surface_id == 0, maybe move the assert upward and merge the two functions? */ static inline void destroy_surface_wait(RedWorker *worker, int surface_id) { + VALIDATE_SURFACE_RET(worker, surface_id); if (!worker->surfaces[surface_id].context.canvas) { return; } @@ -11458,6 +11460,7 @@ static void dev_destroy_primary_surface(RedWorker *worker, uint32_t surface_id) { + VALIDATE_SURFACE_RET(worker, surface_id); spice_warn_if(surface_id != 0); spice_debug(NULL); debian/patches/CVE-2015-526x/0048-Fix-race-condition-in-red_get_string.patch0000644000000000000000000000405112603215711022754 0ustar From 932e27e50032c1c7032be3616217a2ab0586fe78 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 8 Sep 2015 10:05:20 +0100 Subject: [PATCH 48/57] Fix race condition in red_get_string Do not read multiple time an array size that can be changed. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau --- server/red_parse_qxl.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:55.714779970 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:55.710780003 -0400 
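Review bot: in patch 0001 (CVE-2015-5260), the hunk at @@ -4266 in red_process_surface discards an out-of-range `surface_id` with a bare `goto exit`, whereas `validate_surface` logs `spice_warning("invalid surface_id %u", surface_id)` for the same condition; logging here as well keeps the event visible, since a guest driver emitting invalid surface ids is exactly what an operator wants to see in the host log. Two smaller points: `destroy_surface_wait` still takes `int surface_id` while `validate_surface` takes `uint32_t`, so the comparison relies on a negative value converting to a large unsigned and failing `>= worker->n_surfaces` (changing the parameter to `uint32_t`, as the hunk does for red_process_surface, avoids depending on that), and the three `VALIDATE_SURFACE_RET` uses assume the macro already exists in this file, since no hunk here defines it.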
@@ -809,6 +809,7 @@ size_t chunk_size, qxl_size, red_size, glyph_size; int glyphs, bpp = 0, i; int error; + uint16_t qxl_flags, qxl_length; qxl = (QXLString *)get_virt(slots, addr, sizeof(*qxl), group_id, &error); if (error) { @@ -825,13 +826,15 @@ red_put_data_chunks(&chunks); qxl_size = qxl->data_size; + qxl_flags = qxl->flags; + qxl_length = qxl->length; spice_assert(chunk_size == qxl_size); - if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A1) { + if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A1) { bpp = 1; - } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A4) { + } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A4) { bpp = 4; - } else if (qxl->flags & SPICE_STRING_FLAGS_RASTER_A8) { + } else if (qxl_flags & SPICE_STRING_FLAGS_RASTER_A8) { bpp = 8; } spice_assert(bpp != 0); @@ -848,11 +851,11 @@ start = (QXLRasterGlyph*)(&start->data[glyph_size]); } spice_assert(start <= end); - spice_assert(glyphs == qxl->length); + spice_assert(glyphs == qxl_length); red = spice_malloc(red_size); - red->length = qxl->length; - red->flags = qxl->flags; + red->length = qxl_length; + red->flags = qxl_flags; start = (QXLRasterGlyph*)data; end = (QXLRasterGlyph*)(data + chunk_size); debian/patches/CVE-2015-526x/0056-Prevent-data_size-to-be-set-independently-from-data.patch0000644000000000000000000000216212603215637025631 0ustar From c2cdd1daf8edceec8adbb456dca656efe3648eec Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Thu, 17 Sep 2015 14:28:36 +0100 Subject: [PATCH 56/57] Prevent data_size to be set independently from data There was not check for data_size field so one could set data to a small set of data and data_size much bigger than size of data leading to buffer overflow. 
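Review bot: in patch 0048, the hunk at @@ -825 keeps `spice_assert(chunk_size == qxl_size)` and the hunk at @@ -848 keeps `spice_assert(glyphs == qxl_length)`; caching the fields into `qxl_flags` and `qxl_length` removes the double read, but a guest that supplies an inconsistent `length` or `data_size` still aborts the process through the assert instead of failing the parse the way red_get_image does with `goto error`. Converting these asserts to an error return turns a potential crash of the host process into a rejected command. Note also that the context line `int glyphs, bpp = 0, i;` is what patch 0049 later changes to make `bpp` unsigned, so the two patches touch the same declaration and must stay in order.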
Signed-off-by: Frediano Ziglio --- server/red_parse_qxl.c | 1 + 1 file changed, 1 insertion(+) Index: spice-0.12.4/server/red_parse_qxl.c =================================================================== --- spice-0.12.4.orig/server/red_parse_qxl.c 2015-10-01 07:40:11.763133969 -0400 +++ spice-0.12.4/server/red_parse_qxl.c 2015-10-01 07:40:11.759134001 -0400 @@ -1391,6 +1391,7 @@ size = red_get_data_chunks_ptr(slots, group_id, get_memslot_id(slots, addr), &chunks, &qxl->chunk); + red->data_size = MIN(red->data_size, size); data = red_linearize_chunk(&chunks, size, &free_data); red_put_data_chunks(&chunks); if (free_data) { debian/patches/CVE-2015-3247.patch0000644000000000000000000001130412573547215013247 0ustar From 524eef10c6c6c2f3f30be28c56b8f96adc7901f0 Mon Sep 17 00:00:00 2001 From: Frediano Ziglio Date: Tue, 9 Jun 2015 08:50:46 +0100 Subject: [PATCH] Avoid race conditions reading monitor configs from guest For security reasons do not assume guest do not change structures it pass to Qemu. Guest could change count field while Qemu is copying QXLMonitorsConfig structure leading to heap corruption. This patch avoid it reading count only once. Signed-off-by: Frediano Ziglio --- server/red_worker.c | 46 ++++++++++++++++++++++++++++++++-------------- 1 file changed, 32 insertions(+), 14 deletions(-) Index: spice-0.12.4/server/red_worker.c =================================================================== --- spice-0.12.4.orig/server/red_worker.c 2015-09-08 08:03:23.128702069 -0400 +++ spice-0.12.4/server/red_worker.c 2015-09-08 08:03:23.124701836 -0400 @@ -11323,7 +11323,8 @@ } static void worker_update_monitors_config(RedWorker *worker, - QXLMonitorsConfig *dev_monitors_config) + QXLMonitorsConfig *dev_monitors_config, + uint16_t count, uint16_t max_allowed) { int heads_size; MonitorsConfig *monitors_config; 
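Review bot: in patch 0056, `red->data_size = MIN(red->data_size, size);` clamps silently; a `data_size` larger than the linearized chunk size is exactly the inconsistency the description identifies as the overflow condition, so a `spice_warning` when the clamp actually changes the value leaves a trace for detection instead of quietly accepting a malformed command. The fix also depends on `red->data_size` having been assigned from the guest structure above this line; that assignment is outside the hunk, so the placement should be checked against it.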
@@ -11332,22 +11333,22 @@ monitors_config_decref(worker->monitors_config); spice_debug("monitors config %d(%d)", - dev_monitors_config->count, - dev_monitors_config->max_allowed); - for (i = 0; i < dev_monitors_config->count; i++) { + count, + max_allowed); + for (i = 0; i < count; i++) { spice_debug("+%d+%d %dx%d", dev_monitors_config->heads[i].x, dev_monitors_config->heads[i].y, dev_monitors_config->heads[i].width, dev_monitors_config->heads[i].height); } - heads_size = dev_monitors_config->count * sizeof(QXLHead); + heads_size = count * sizeof(QXLHead); worker->monitors_config = monitors_config = spice_malloc(sizeof(*monitors_config) + heads_size); monitors_config->refs = 1; monitors_config->worker = worker; - monitors_config->count = dev_monitors_config->count; - monitors_config->max_allowed = dev_monitors_config->max_allowed; + monitors_config->count = count; + monitors_config->max_allowed = max_allowed; memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); } 
@@ -11723,33 +11724,50 @@ red_migrate_display(worker, rcc); } +static inline uint32_t qxl_monitors_config_size(uint32_t heads) +{ + return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; +} + static void handle_dev_monitors_config_async(void *opaque, void *payload) { RedWorkerMessageMonitorsConfigAsync *msg = payload; RedWorker *worker = opaque; - int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); int error; + uint16_t count, max_allowed; QXLMonitorsConfig *dev_monitors_config = (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, - min_size, msg->group_id, &error); + qxl_monitors_config_size(1), + msg->group_id, &error); if (error) { /* TODO: raise guest bug (requires added QXL interface) */ return; } worker->driver_cap_monitors_config = 1; - if (dev_monitors_config->count == 0) { + count = dev_monitors_config->count; + max_allowed = dev_monitors_config->max_allowed; + if (count == 0) { spice_warning("ignoring an empty monitors config message from driver"); return; } - if (dev_monitors_config->count > dev_monitors_config->max_allowed) { + if (count > max_allowed) { spice_warning("ignoring malformed monitors_config from driver, " "count > max_allowed %d > %d", - dev_monitors_config->count, - dev_monitors_config->max_allowed); + count, + max_allowed); + return; + } + /* get pointer again to check virtual size */ + dev_monitors_config = + (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, + qxl_monitors_config_size(count), + msg->group_id, &error); + if (error) { + /* TODO: raise guest bug (requires added QXL interface) */ return; } - worker_update_monitors_config(worker, dev_monitors_config); + worker_update_monitors_config(worker, dev_monitors_config, count, max_allowed); red_worker_push_monitors_config(worker); } debian/patches/CVE-2016-9577.patch0000644000000000000000000000176313051122746013262 0ustar From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 
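Review bot: in the CVE-2015-3247 patch, the second `get_virt` in handle_dev_monitors_config_async validates `qxl_monitors_config_size(count)` using the cached `count`, so the later `memcpy` of `heads_size = count * sizeof(QXLHead)` bytes in worker_update_monitors_config stays within the range that was checked even if the guest rewrites the field in the meantime; that is the right shape for the fix. Two smaller points: both `get_virt` failure paths return with only a `/* TODO: raise guest bug */` comment while the `count == 0` and `count > max_allowed` paths call `spice_warning`, so a warning on the `get_virt` failures as well would make a guest presenting an unreadable config visible in the log; and since `qxl_monitors_config_size` takes `uint32_t heads` and `count` is `uint16_t`, the computed size cannot overflow, which is worth a one-line comment because this function is the only bound on the read.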
From: Frediano Ziglio Date: Tue, 29 Nov 2016 16:46:56 +0000 Subject: main-channel: Prevent overflow reading messages from client Caller is supposed the function return a buffer able to store size bytes. Signed-off-by: Frediano Ziglio Acked-by: Christophe Fergeau Index: spice-0.12.4/server/main_channel.c =================================================================== --- spice-0.12.4.orig/server/main_channel.c 2017-02-15 14:03:00.134482921 -0500 +++ spice-0.12.4/server/main_channel.c 2017-02-15 14:03:00.110482592 -0500 @@ -1014,6 +1014,9 @@ if (type == SPICE_MSGC_MAIN_AGENT_DATA) { return reds_get_agent_data_buffer(mcc, size); + } else if (size > sizeof(main_chan->recv_buf)) { + /* message too large, caller will log a message and close the connection */ + return NULL; } else { return main_chan->recv_buf; } debian/patches/enable_subdir-objects.patch0000644000000000000000000000107212231234214016055 0ustar Description: enable sudir-objects in spice-common dir, too Bug-Debian: http://bugs.debian.org/724093 Forwarded: no Last-Update: 2013-10-21 --- spice-0.12.4.orig/spice-common/configure.ac +++ spice-0.12.4/spice-common/configure.ac 
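Review bot: in the CVE-2016-9577 patch, the new `size > sizeof(main_chan->recv_buf)` check is in the `else if` after the `SPICE_MSGC_MAIN_AGENT_DATA` branch, so it bounds only the `recv_buf` path; whether `reds_get_agent_data_buffer(mcc, size)` really returns a buffer able to hold `size` bytes is outside this hunk and should be verified separately, because the description's premise (the caller expects a buffer that can store `size` bytes) applies to both branches. Returning NULL is a sensible signal, but the comment promises that the caller logs a message and closes the connection; that caller behaviour is not visible here and should be confirmed so the oversized message is not silently dropped.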
@@ -13,7 +13,7 @@ AC_CONFIG_AUX_DIR([build-aux]) m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) # Checks for programs -AM_INIT_AUTOMAKE([1.11 dist-xz no-dist-gzip tar-ustar foreign -Wall -Werror]) +AM_INIT_AUTOMAKE([1.11 dist-xz no-dist-gzip tar-ustar subdir-objects foreign -Wall -Werror]) AM_MAINTAINER_MODE AM_SILENT_RULES([yes]) LT_INIT debian/spicec.10000644000000000000000000000765712176767010010544 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH SPICEC 1 "November 29, 2010" .\" Please adjust this date whenever revising the manpage. .\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME spicec \- Spice client .SH SYNOPSIS .B spicec .RI [ \-h,\ \-\-host\ ] .RI [ \-p,\ \-\-port\ ] .RI [ \-s,\ \-\-secure\-port\ ] .RI [ \-\-secure\-channels\ ] .RI [ \-\-unsecure\-channels\ ] .RI [ \-w,\ \-\-password\ ] .RI [ \-f,\ \-\-full\-screen[\=auto\-conf] ] .RI [ \-\-canvas\-type\ ] .RI [ \-\-enable\-channels\ ] .RI [ \-\-disable\-channels\ ] .RI [ \-\-help ] .SH DESCRIPTION spicec is a Spice client. It can be used to connect to a Spice server, such as a SPICE\-compatible QEMU. .SH OPTIONS .TP .B \-h,\ \-\-host\ Spice server address. .TP .B \-p,\ \-\-port\ Spice server port. .TP .B \-s,\ \-\-secure\-port\ Spice server secure port. .TP .B \-\-secure\-channels\ Force secure connection on the specified channels. Channels are: main, display, inputs, cursor, playback and record. By default, any channel can be secured, depending on the \-\-secure\-port availability.
.TP .B \-\-unsecure\-channels\ Force unsecure connection on the specified channels. Channels are: main, display, inputs, cursor, playback and record. By default, any channel can be unsecured, depending on the \-\-port availability. .TP .B \-w,\ \-\-password\ Set a ticketing password (default is none). .TP .B \-f,\ \-\-full\-screen[\=auto\-conf] Open in a full screen mode. Optional automatic configuration of the remote display settings according to the client display settings. A guest agent must be installed and started for this option. .TP .B \-\-canvas\-type\ Select the available renderer. The order determines precedence. For Linux client: only “cairo” canvas type is available. For Windows client: available types are “gdi” and “cairo”. The default is “gdi”. .TP .B \-\-enable\-channels\ Enable the specified channels. Use “all” for enabling all possible channels. Use the following names for enabling only the selected channels: “display”, “inputs”, “cursor”, “playback” and “record”. By default all channels are enabled. .TP .B \-\-disable\-channels\ Disable the specified channels. Use “all” for disabling all possible channels. Use the following names for disabling only the selected channels: “display”, “inputs”, “cursor”, “playback” and “record”. By default all channels are enabled. .TP .B \-\-help Show command help. .SH CONTROL HOT KEYS .TP .B Shift \+ F11 Toggle full-screen / window mode .TP .B Shift \+ F12 Release the cursor if captured in window .PP In debug mode, these are available as well: .TP .B Shift \+ F5 Connect to the server .TP .B Shift \+ F6 Disconnect from the server .SH SEE ALSO Spice related documents can be found at http://www.spice-space.org/documentation.html .SH AUTHOR Spice project .PP This manual page was written by Liang Guo, for the Debian project (and may be used by others).
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-Share Alike 3.0 United States License. (See http://creativecommons.org/licenses/by-sa/3.0/us/legalcode) . debian/libspice-server1.symbols0000644000000000000000000001231412176767010013767 0ustar libspice-server.so.1 libspice-server1 #MINVER# SPICE_SERVER_0.10.0@SPICE_SERVER_0.10.0 0.10.0 SPICE_SERVER_0.10.1@SPICE_SERVER_0.10.1 0.10.1 SPICE_SERVER_0.10.2@SPICE_SERVER_0.10.2 0.11.0 SPICE_SERVER_0.10.3@SPICE_SERVER_0.10.3 0.11.0 SPICE_SERVER_0.10.4@SPICE_SERVER_0.10.4 0.12.2 SPICE_SERVER_0.11.2@SPICE_SERVER_0.11.2 0.12.2 SPICE_SERVER_0.11.4@SPICE_SERVER_0.11.4 0.12.2 SPICE_SERVER_0.12.2@SPICE_SERVER_0.12.2 0.12.2 SPICE_SERVER_0.12.3@SPICE_SERVER_0.12.3 0.12.3 SPICE_SERVER_0.12.4@SPICE_SERVER_0.12.4 0.12.4 SPICE_SERVER_0.6.0@SPICE_SERVER_0.6.0 0.8.2 SPICE_SERVER_0.6.1@SPICE_SERVER_0.6.1 0.8.2 SPICE_SERVER_0.8.0@SPICE_SERVER_0.8.0 0.8.2 SPICE_SERVER_0.8.1@SPICE_SERVER_0.8.1 0.8.2 SPICE_SERVER_0.8.2@SPICE_SERVER_0.8.2 0.8.2 SPICE_SERVER_0.8.3@SPICE_SERVER_0.8.3 0.8.3 spice_get_current_compat_version@SPICE_SERVER_0.6.1 0.8.2 spice_qxl_add_memslot@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_add_memslot_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_create_primary_surface@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_create_primary_surface_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_del_memslot@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_primary_surface@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_primary_surface_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_surface_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_surface_wait@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_surfaces@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_destroy_surfaces_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_driver_unload@SPICE_SERVER_0.12.3 0.12.3 spice_qxl_flush_surfaces_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_loadvm_commands@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_monitors_config_async@SPICE_SERVER_0.10.4 0.12.2 
spice_qxl_oom@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_reset_cursor@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_reset_image_cache@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_reset_memslots@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_start@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_stop@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_update_area@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_update_area_async@SPICE_SERVER_0.8.2 0.8.2 spice_qxl_wakeup@SPICE_SERVER_0.8.2 0.8.2 spice_server_add_client@SPICE_SERVER_0.10.1 0.10.1 spice_server_add_interface@SPICE_SERVER_0.6.0 0.8.2 spice_server_add_renderer@SPICE_SERVER_0.6.0 0.8.2 spice_server_add_ssl_client@SPICE_SERVER_0.10.1 0.10.1 spice_server_char_device_recognized_subtypes@SPICE_SERVER_0.6.0 0.8.2 spice_server_char_device_wakeup@SPICE_SERVER_0.6.0 0.8.2 spice_server_destroy@SPICE_SERVER_0.6.0 0.8.2 spice_server_get_image_compression@SPICE_SERVER_0.6.0 0.8.2 spice_server_get_num_clients@SPICE_SERVER_0.10.0 0.10.0 spice_server_get_peer_info@SPICE_SERVER_0.6.0 0.8.2 spice_server_get_sock_info@SPICE_SERVER_0.6.0 0.8.2 spice_server_init@SPICE_SERVER_0.6.0 0.8.2 spice_server_is_server_mouse@SPICE_SERVER_0.10.3 0.11.0 spice_server_kbd_leds@SPICE_SERVER_0.6.0 0.8.2 spice_server_migrate_client_state@SPICE_SERVER_0.6.0 0.8.2 spice_server_migrate_connect@SPICE_SERVER_0.8.3 0.8.3 spice_server_migrate_end@SPICE_SERVER_0.6.0 0.8.2 spice_server_migrate_info@SPICE_SERVER_0.6.0 0.8.2 spice_server_migrate_start@SPICE_SERVER_0.6.0 0.8.2 spice_server_migrate_switch@SPICE_SERVER_0.8.0 0.8.2 spice_server_new@SPICE_SERVER_0.6.0 0.8.2 spice_server_playback_get_buffer@SPICE_SERVER_0.6.0 0.8.2 spice_server_playback_put_samples@SPICE_SERVER_0.6.0 0.8.2 spice_server_playback_set_mute@SPICE_SERVER_0.10.0 0.10.0 spice_server_playback_set_volume@SPICE_SERVER_0.10.0 0.10.0 spice_server_playback_start@SPICE_SERVER_0.6.0 0.8.2 spice_server_playback_stop@SPICE_SERVER_0.6.0 0.8.2 spice_server_port_event@SPICE_SERVER_0.12.2 0.12.2 spice_server_record_get_samples@SPICE_SERVER_0.6.0 0.8.2 
spice_server_record_set_mute@SPICE_SERVER_0.10.0 0.10.0 spice_server_record_set_volume@SPICE_SERVER_0.10.0 0.10.0 spice_server_record_start@SPICE_SERVER_0.6.0 0.8.2 spice_server_record_stop@SPICE_SERVER_0.6.0 0.8.2 spice_server_remove_interface@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_addr@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_agent_copypaste@SPICE_SERVER_0.8.1 0.8.2 spice_server_set_agent_file_xfer@SPICE_SERVER_0.12.4 0.12.4 spice_server_set_agent_mouse@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_channel_security@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_compat_version@SPICE_SERVER_0.6.1 0.8.2 spice_server_set_exit_on_disconnect@SPICE_SERVER_0.11.4 0.12.2 spice_server_set_image_compression@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_jpeg_compression@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_listen_socket_fd@SPICE_SERVER_0.10.2 0.11.0 spice_server_set_name@SPICE_SERVER_0.10.2 0.11.0 spice_server_set_noauth@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_playback_compression@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_port@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_sasl@SPICE_SERVER_0.8.2 0.8.2 spice_server_set_sasl_appname@SPICE_SERVER_0.8.2 0.8.2 spice_server_set_seamless_migration@SPICE_SERVER_0.11.2 0.12.2 spice_server_set_streaming_video@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_ticket@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_tls@SPICE_SERVER_0.6.0 0.8.2 spice_server_set_uuid@SPICE_SERVER_0.10.2 0.11.0 spice_server_set_zlib_glz_compression@SPICE_SERVER_0.6.0 0.8.2 spice_server_vm_start@SPICE_SERVER_0.11.2 0.12.2 spice_server_vm_stop@SPICE_SERVER_0.11.2 0.12.2 debian/compat0000644000000000000000000000000212176767010010373 0ustar 9 debian/copyright0000644000000000000000000007174312176767010011144 0ustar Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=174 Upstream-Name: spice Source: http://www.spice-space.org/ Files: * spice-common/spice-protocol/spice/controller_prot.h spice-common/spice-protocol/spice/foreign_menu_prot.h Copyright: Copyright (C) 
2009,2010,2011 Red Hat, Inc. License: LGPL-2.1+ Files: client/windows/stdint.h Copyright: NOT COPYRIGHTED License: Based on ISO/IEC SC22/WG14 9899 Committee draft (SC22 N2794) THIS SOFTWARE IS NOT COPYRIGHTED Contributor: Danny Smith This source code is offered for use in the public domain. You may use, modify or distribute it freely. This code is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY DISCLAIMED. This includes but is not limited to warranties of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Files: spice-common/common/draw.h spice-common/common/messages.h server/zlib_encoder.h server/jpeg_encoder.h spice-common/spice-protocol/* Copyright: Copyright (C) 2009-2010 Red Hat, Inc. License: BSD-3-clause Files: spice-common/common/lines.h spice-common/common/lines.c Copyright: Copyright 1987, 1998 The Open Group Copyright 1987 by Digital Equipment Corporation License: Copyright 1987, 1998 The Open Group . Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. . 
Except as contained in this notice, the name of The Open Group shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. . Copyright 1987 by Digital Equipment Corporation, Maynard, Massachusetts. . All Rights Reserved . Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Digital not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. . DIGITAL DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL DIGITAL BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Files: spice-common/common/lz_decompress_tmpl.c spice-common/common/lz.c spice-common/common/lz_compress_tmpl.c Copyright: Copyright 2009 Red Hat, Inc. and/or its affiliates Copyright (C) 2005, 2006, 2007 Ariya Hidayat (ariya@kde.org) License: LGPL-2.1+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. . This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . 
This file incorporates work covered by the following copyright and permission notice: . Copyright (C) 2007 Ariya Hidayat (ariya@kde.org) Copyright (C) 2006 Ariya Hidayat (ariya@kde.org) Copyright (C) 2005 Ariya Hidayat (ariya@kde.org) . Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. . Files: spice-common/common/lz.h Copyright: NOT COPYRIGHTED License: MIT Files: debian/* Copyright: Copyright (C) 2010 Liang Guo License: LGPL-2.1+ Files: debian/spicec.1 Copyright: Copyright (C) 2010 Liang Guo License: CC-BY-SA-3.0 License: LGPL-2.1+ This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. . This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU Lesser General Public License along with this library; if not, see . . On Debian systems, the complete text of the GNU Lesser General Public License can be found in "/usr/share/common-licenses/LGPL-2.1". License: BSD-3-clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: MIT
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
 to deal in the Software without restriction, including without limitation
 the rights to use, copy, modify, merge, publish, distribute, sublicense,
 and/or sell copies of the Software, and to permit persons to whom the
 Software is furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 DEALINGS IN THE SOFTWARE.

License: CC-BY-SA-3.0
 THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE
 COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY
 COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS
 AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
 .
 BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE
 TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY
 BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS
 CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND
 CONDITIONS.
 .
 1. Definitions
 .
 a. "Adaptation" means a work based upon the Work, or upon the Work and
 other pre-existing works, such as a translation, adaptation, derivative
 work, arrangement of music or other alterations of a literary or artistic
 work, or phonogram or performance and includes cinematographic adaptations
 or any other form in which the Work may be recast, transformed, or adapted
 including in any form recognizably derived from the original, except that
 a work that constitutes a Collection will not be considered an Adaptation
 for the purpose of this License. For the avoidance of doubt, where the
 Work is a musical work, performance or phonogram, the synchronization of
 the Work in timed-relation with a moving image ("synching") will be
 considered an Adaptation for the purpose of this License.
 .
 b. "Collection" means a collection of literary or artistic works, such as
 encyclopedias and anthologies, or performances, phonograms or broadcasts,
 or other works or subject matter other than works listed in Section 1(f)
 below, which, by reason of the selection and arrangement of their
 contents, constitute intellectual creations, in which the Work is included
 in its entirety in unmodified form along with one or more other
 contributions, each constituting separate and independent works in
 themselves, which together are assembled into a collective whole. A work
 that constitutes a Collection will not be considered an Adaptation (as
 defined below) for the purposes of this License.
 .
 c. "Creative Commons Compatible License" means a license that is listed at
 http://creativecommons.org/compatiblelicenses that has been approved by
 Creative Commons as being essentially equivalent to this License,
 including, at a minimum, because that license: (i) contains terms that
 have the same purpose, meaning and effect as the License Elements of this
 License; and, (ii) explicitly permits the relicensing of adaptations of
 works made available under that license under this License or a Creative
 Commons jurisdiction license with the same License Elements as this
 License.
 .
 d. "Distribute" means to make available to the public the original and
 copies of the Work or Adaptation, as appropriate, through sale or other
 transfer of ownership.
 .
 e. "License Elements" means the following high-level license attributes as
 selected by Licensor and indicated in the title of this License:
 Attribution, ShareAlike.
 .
 f. "Licensor" means the individual, individuals, entity or entities that
 offer(s) the Work under the terms of this License.
 .
 g. "Original Author" means, in the case of a literary or artistic work,
 the individual, individuals, entity or entities who created the Work or if
 no individual or entity can be identified, the publisher; and in addition
 (i) in the case of a performance the actors, singers, musicians, dancers,
 and other persons who act, sing, deliver, declaim, play in, interpret or
 otherwise perform literary or artistic works or expressions of folklore;
 (ii) in the case of a phonogram the producer being the person or legal
 entity who first fixes the sounds of a performance or other sounds; and,
 (iii) in the case of broadcasts, the organization that transmits the
 broadcast.
 .
 h. "Work" means the literary and/or artistic work offered under the terms
 of this License including without limitation any production in the
 literary, scientific and artistic domain, whatever may be the mode or form
 of its expression including digital form, such as a book, pamphlet and
 other writing; a lecture, address, sermon or other work of the same
 nature; a dramatic or dramatico-musical work; a choreographic work or
 entertainment in dumb show; a musical composition with or without words; a
 cinematographic work to which are assimilated works expressed by a process
 analogous to cinematography; a work of drawing, painting, architecture,
 sculpture, engraving or lithography; a photographic work to which are
 assimilated works expressed by a process analogous to photography; a work
 of applied art; an illustration, map, plan, sketch or three-dimensional
 work relative to geography, topography, architecture or science; a
 performance; a broadcast; a phonogram; a compilation of data to the extent
 it is protected as a copyrightable work; or a work performed by a variety
 or circus performer to the extent it is not otherwise considered a
 literary or artistic work.
 .
 i. "You" means an individual or entity exercising rights under this
 License who has not previously violated the terms of this License with
 respect to the Work, or who has received express permission from the
 Licensor to exercise rights under this License despite a previous
 violation.
 .
 j. "Publicly Perform" means to perform public recitations of the Work and
 to communicate to the public those public recitations, by any means or
 process, including by wire or wireless means or public digital
 performances; to make available to the public Works in such a way that
 members of the public may access these Works from a place and at a place
 individually chosen by them; to perform the Work to the public by any
 means or process and the communication to the public of the performances
 of the Work, including by public digital performance; to broadcast and
 rebroadcast the Work by any means including signs, sounds or images.
 .
 k. "Reproduce" means to make copies of the Work by any means including
 without limitation by sound or visual recordings and the right of fixation
 and reproducing fixations of the Work, including storage of a protected
 performance or phonogram in digital form or other electronic medium.
 .
 2. Fair Dealing Rights. Nothing in this License is intended to reduce,
 limit, or restrict any uses free from copyright or rights arising from
 limitations or exceptions that are provided for in connection with the
 copyright protection under copyright law or other applicable laws.
 .
 3. License Grant. Subject to the terms and conditions of this License,
 Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
 perpetual (for the duration of the applicable copyright) license to
 exercise the rights in the Work as stated below:
 .
 a. to Reproduce the Work, to incorporate the Work into one or more
 Collections, and to Reproduce the Work as incorporated in the Collections;
 .
 b. to create and Reproduce Adaptations provided that any such Adaptation,
 including any translation in any medium, takes reasonable steps to clearly
 label, demarcate or otherwise identify that changes were made to the
 original Work. For example, a translation could be marked "The original
 work was translated from English to Spanish," or a modification could
 indicate "The original work has been modified.";
 .
 c. to Distribute and Publicly Perform the Work including as incorporated
 in Collections; and,
 .
 d. to Distribute and Publicly Perform Adaptations.
 .
 e. For the avoidance of doubt:
 .
 i. Non-waivable Compulsory License Schemes. In those jurisdictions in
 which the right to collect royalties through any statutory or compulsory
 licensing scheme cannot be waived, the Licensor reserves the exclusive
 right to collect such royalties for any exercise by You of the rights
 granted under this License;
 .
 ii. Waivable Compulsory License Schemes. In those jurisdictions in which
 the right to collect royalties through any statutory or compulsory
 licensing scheme can be waived, the Licensor waives the exclusive right to
 collect such royalties for any exercise by You of the rights granted under
 this License; and,
 .
 iii. Voluntary License Schemes. The Licensor waives the right to collect
 royalties, whether individually or, in the event that the Licensor is a
 member of a collecting society that administers voluntary licensing
 schemes, via that society, from any exercise by You of the rights granted
 under this License.
 .
 The above rights may be exercised in all media and formats whether now
 known or hereafter devised. The above rights include the right to make
 such modifications as are technically necessary to exercise the rights in
 other media and formats. Subject to Section 8(f), all rights not expressly
 granted by Licensor are hereby reserved.
 .
 4. Restrictions. The license granted in Section 3 above is expressly made
 subject to and limited by the following restrictions:
 .
 a. You may Distribute or Publicly Perform the Work only under the terms of
 this License. You must include a copy of, or the Uniform Resource
 Identifier (URI) for, this License with every copy of the Work You
 Distribute or Publicly Perform. You may not offer or impose any terms on
 the Work that restrict the terms of this License or the ability of the
 recipient of the Work to exercise the rights granted to that recipient
 under the terms of the License. You may not sublicense the Work. You must
 keep intact all notices that refer to this License and to the disclaimer
 of warranties with every copy of the Work You Distribute or Publicly
 Perform. When You Distribute or Publicly Perform the Work, You may not
 impose any effective technological measures on the Work that restrict the
 ability of a recipient of the Work from You to exercise the rights granted
 to that recipient under the terms of the License. This Section 4(a)
 applies to the Work as incorporated in a Collection, but this does not
 require the Collection apart from the Work itself to be made subject to
 the terms of this License. If You create a Collection, upon notice from
 any Licensor You must, to the extent practicable, remove from the
 Collection any credit as required by Section 4(c), as requested. If You
 create an Adaptation, upon notice from any Licensor You must, to the
 extent practicable, remove from the Adaptation any credit as required by
 Section 4(c), as requested.
 .
 b. You may Distribute or Publicly Perform an Adaptation only under the
 terms of: (i) this License; (ii) a later version of this License with the
 same License Elements as this License; (iii) a Creative Commons
 jurisdiction license (either this or a later license version) that
 contains the same License Elements as this License (e.g.,
 Attribution-ShareAlike 3.0 US); (iv) a Creative Commons Compatible
 License. If you license the Adaptation under one of the licenses mentioned
 in (iv), you must comply with the terms of that license. If you license
 the Adaptation under the terms of any of the licenses mentioned in (i),
 (ii) or (iii) (the "Applicable License"), you must comply with the terms
 of the Applicable License generally and the following provisions: (I) You
 must include a copy of, or the URI for, the Applicable License with every
 copy of each Adaptation You Distribute or Publicly Perform; (II) You may
 not offer or impose any terms on the Adaptation that restrict the terms of
 the Applicable License or the ability of the recipient of the Adaptation
 to exercise the rights granted to that recipient under the terms of the
 Applicable License; (III) You must keep intact all notices that refer to
 the Applicable License and to the disclaimer of warranties with every copy
 of the Work as included in the Adaptation You Distribute or Publicly
 Perform; (IV) when You Distribute or Publicly Perform the Adaptation, You
 may not impose any effective technological measures on the Adaptation
 that restrict the ability of a recipient of the Adaptation from You to
 exercise the rights granted to that recipient under the terms of the
 Applicable License. This Section 4(b) applies to the Adaptation as
 incorporated in a Collection, but this does not require the Collection
 apart from the Adaptation itself to be made subject to the terms of the
 Applicable License.
 .
 c. If You Distribute, or Publicly Perform the Work or any Adaptations or
 Collections, You must, unless a request has been made pursuant to Section
 4(a), keep intact all copyright notices for the Work and provide,
 reasonable to the medium or means You are utilizing: (i) the name of the
 Original Author (or pseudonym, if applicable) if supplied, and/or if the
 Original Author and/or Licensor designate another party or parties (e.g.,
 a sponsor institute, publishing entity, journal) for attribution
 ("Attribution Parties") in Licensor's copyright notice, terms of service
 or by other reasonable means, the name of such party or parties; (ii) the
 title of the Work if supplied; (iii) to the extent reasonably practicable,
 the URI, if any, that Licensor specifies to be associated with the Work,
 unless such URI does not refer to the copyright notice or licensing
 information for the Work; and (iv) consistent with Section 3(b), in the
 case of an Adaptation, a credit identifying the use of the Work in the
 Adaptation (e.g., "French translation of the Work by Original Author," or
 "Screenplay based on original Work by Original Author"). The credit
 required by this Section 4(c) may be implemented in any reasonable manner;
 provided, however, that in the case of an Adaptation or Collection, at a
 minimum such credit will appear, if a credit for all contributing authors
 of the Adaptation or Collection appears, then as part of these credits and
 in a manner at least as prominent as the credits for the other
 contributing authors. For the avoidance of doubt, You may only use the
 credit required by this Section for the purpose of attribution in the
 manner set out above and, by exercising Your rights under this License,
 You may not implicitly or explicitly assert or imply any connection with,
 sponsorship or endorsement by the Original Author, Licensor and/or
 Attribution Parties, as appropriate, of You or Your use of the Work,
 without the separate, express prior written permission of the Original
 Author, Licensor and/or Attribution Parties.
 .
 d. Except as otherwise agreed in writing by the Licensor or as may be
 otherwise permitted by applicable law, if You Reproduce, Distribute or
 Publicly Perform the Work either by itself or as part of any Adaptations
 or Collections, You must not distort, mutilate, modify or take other
 derogatory action in relation to the Work which would be prejudicial to
 the Original Author's honor or reputation. Licensor agrees that in those
 jurisdictions (e.g. Japan), in which any exercise of the right granted in
 Section 3(b) of this License (the right to make Adaptations) would be
 deemed to be a distortion, mutilation, modification or other derogatory
 action prejudicial to the Original Author's honor and reputation, the
 Licensor will waive or not assert, as appropriate, this Section, to the
 fullest extent permitted by the applicable national law, to enable You to
 reasonably exercise Your right under Section 3(b) of this License (right
 to make Adaptations) but not otherwise.
 .
 5. Representations, Warranties and Disclaimer
 .
 UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR
 OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
 KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
 INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
 LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS,
 WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION
 OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
 .
 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE
 LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR
 ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES
 ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS
 BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
 .
 7. Termination
 .
 a. This License and the rights granted hereunder will terminate
 automatically upon any breach by You of the terms of this License.
 Individuals or entities who have received Adaptations or Collections from
 You under this License, however, will not have their licenses terminated
 provided such individuals or entities remain in full compliance with those
 licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of
 this License.
 .
 b. Subject to the above terms and conditions, the license granted here is
 perpetual (for the duration of the applicable copyright in the Work).
 Notwithstanding the above, Licensor reserves the right to release the Work
 under different license terms or to stop distributing the Work at any
 time; provided, however, that any such election will not serve to withdraw
 this License (or any other license that has been, or is required to be,
 granted under the terms of this License), and this License will continue
 in full force and effect unless terminated as stated above.
 .
 8. Miscellaneous
 .
 a. Each time You Distribute or Publicly Perform the Work or a Collection,
 the Licensor offers to the recipient a license to the Work on the same
 terms and conditions as the license granted to You under this License.
 .
 b. Each time You Distribute or Publicly Perform an Adaptation, Licensor
 offers to the recipient a license to the original Work on the same terms
 and conditions as the license granted to You under this License.
 .
 c. If any provision of this License is invalid or unenforceable under
 applicable law, it shall not affect the validity or enforceability of the
 remainder of the terms of this License, and without further action by the
 parties to this agreement, such provision shall be reformed to the minimum
 extent necessary to make such provision valid and enforceable.
 .
 d. No term or provision of this License shall be deemed waived and no
 breach consented to unless such waiver or consent shall be in writing and
 signed by the party to be charged with such waiver or consent.
 .
 e. This License constitutes the entire agreement between the parties with
 respect to the Work licensed here. There are no understandings, agreements
 or representations with respect to the Work not specified here. Licensor
 shall not be bound by any additional provisions that may appear in any
 communication from You. This License may not be modified without the
 mutual written agreement of the Licensor and You.
 .
 f. The rights granted under, and the subject matter referenced, in this
 License were drafted utilizing the terminology of the Berne Convention for
 the Protection of Literary and Artistic Works (as amended on September 28,
 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the
 WIPO Performances and Phonograms Treaty of 1996 and the Universal
 Copyright Convention (as revised on July 24, 1971). These rights and
 subject matter take effect in the relevant jurisdiction in which the
 License terms are sought to be enforced according to the corresponding
 provisions of the implementation of those treaty provisions in the
 applicable national law. If the standard suite of rights granted under
 applicable copyright law includes additional rights not granted under this
 License, such additional rights are deemed to be included in the License;
 this License is not intended to restrict the license of any rights under
 applicable law.

debian/source/format

3.0 (quilt)

debian/docs

NEWS README

debian/libspice-server1.install

usr/lib/*/lib*.so.*

debian/changelog

spice (0.12.4-0nocelt2ubuntu1.8) trusty-security; urgency=medium

  * SECURITY UPDATE: off-by-one error in memslot_get_virt
    - debian/patches/CVE-2019-3813.patch: fix checks in
      server/red_memslots.c.
    - CVE-2019-3813

 -- Marc Deslauriers  Thu, 24 Jan 2019 09:46:04 -0500

spice (0.12.4-0nocelt2ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: Denial of service
    - debian/patches/CVE-2018-10873.patch: fix in
      spice-common/python_modules/demarshal.py.
    - CVE-2018-10873

 -- Leonidas S. Barbosa  Mon, 20 Aug 2018 15:45:59 -0300

spice (0.12.4-0nocelt2ubuntu1.6) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow and buffer overflow
    - debian/patches/CVE-2017-12194-1.patch: fix an integer overflow
      computing sizes in spice-common/python_modules/demarshal.py.
    - debian/patches/CVE-2017-12194-2.patch: avoid integer overflow in
      spice-common/python_modules/demarshal.py,
      spice-common/python_modules/marshal.py.
    - CVE-2017-12194

 -- Leonidas S. Barbosa  Tue, 22 May 2018 13:01:14 -0300

spice (0.12.4-0nocelt2ubuntu1.5) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow via invalid monitor configurations
    - debian/patches/CVE-2017-7506-1.patch: disconnect when receiving
      overly big ClientMonitorsConfig in server/reds.c.
    - debian/patches/CVE-2017-7506-2.patch: avoid integer overflows
      handling monitor configuration in server/reds.c.
    - debian/patches/CVE-2017-7506-3.patch: avoid buffer overflows
      handling monitor configuration in server/reds.c.
    - CVE-2017-7506

 -- Marc Deslauriers  Tue, 18 Jul 2017 13:39:05 -0400

spice (0.12.4-0nocelt2ubuntu1.4) trusty-security; urgency=medium

  * SECURITY UPDATE: overflow when reading large messages
    - debian/patches/CVE-2016-9577.patch: check size in
      server/main_channel.c.
    - CVE-2016-9577
  * SECURITY UPDATE: DoS via crafted message
    - debian/patches/CVE-2016-9578-1.patch: limit size in server/reds.c.
    - debian/patches/CVE-2016-9578-2.patch: limit caps in server/reds.c.
    - CVE-2016-9578

 -- Marc Deslauriers  Wed, 15 Feb 2017 14:07:29 -0500

spice (0.12.4-0nocelt2ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service and possible code execution via
    memory allocation flaw in smartcard interaction
    - debian/patches/CVE-2016-0749/*.patch: add a ref to item and allocate
      msg with the expected size in server/smartcard.c.
    - CVE-2016-0749
  * SECURITY UPDATE: host memory access from guest with invalid primary
    surface parameters
    - debian/patches/CVE-2016-2150/*.patch: create a function to validate
      surface parameters in server/red_parse_qxl.*, improve primary
      surface parameter checks in server/red_worker.c.
    - CVE-2016-2150
  * Added two extra commits to previous security update:
    - 0001-worker-validate-correctly-surfaces.patch
    - 0002-worker-avoid-double-free-or-double-create-of-surface.patch

 -- Marc Deslauriers  Fri, 10 Jun 2016 10:58:27 -0400

spice (0.12.4-0nocelt2ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/CVE-2015-526x/*.patch: apply series of patches from
      Red Hat to fix overflows, race conditions, memory leaks and denial
      of service issues.
    - CVE-2015-5260
    - CVE-2015-5261

 -- Marc Deslauriers  Thu, 01 Oct 2015 07:37:43 -0400

spice (0.12.4-0nocelt2ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: heap corruption via monitor configs
    - debian/patches/CVE-2015-3247.patch: only read count once in
      server/red_worker.c.
    - CVE-2015-3247

 -- Marc Deslauriers  Tue, 08 Sep 2015 08:03:35 -0400

spice (0.12.4-0nocelt2ubuntu1) trusty-proposed; urgency=medium

  [ Gregory Boyce ]
  * Fix newline-damaged patch (LP: #1450043)

 -- Serge Hallyn  Mon, 04 May 2015 10:47:58 -0500

spice (0.12.4-0nocelt2) unstable; urgency=high

  * Fix CVE-2013-4282 (Closes: #728314)

 -- Liang Guo  Thu, 07 Nov 2013 22:44:29 +0800

spice (0.12.4-0nocelt1.1) unstable; urgency=low

  * Non-maintainer upload.
  * debian/patches
    - add enable_subdir-objects.patch (Closes: #724093)

 -- Hideki Yamane  Mon, 21 Oct 2013 12:27:35 +0900

spice (0.12.4-0nocelt1) unstable; urgency=low

  * New upstream release (Closes: #717030)
  * Remove .version after build (Closes: #671627)
  * debian/control:
    - Bump Standards-Version to 3.9.4 (no changes)
    - Update VCS-* to use canonical URIs
  * debian/patches:
    - fix-tests-warnings.patch, refresh
    - link-server-test-with-libm-libpthread.patch, add (Closes: #713681)
  * Refresh libspice-server1.symbols

 -- Liang Guo  Thu, 25 Jul 2013 00:10:00 +0800

spice (0.12.3-0nocelt1) unstable; urgency=low

  * New upstream release
  * debian/patches:
    - fix-build-warning-PIXEL.patch, remove, applied upstream
    - link-libspice-server-with-libm-libpthread.patch, remove, applied
      upstream
    - spice-common-remove-version-construction.patch, remove, applied
      upstream
    - fix-tests-warnings.patch, refresh
    - make-celt-to-be-optional.patch, refresh
  * libspice-server-dev should depend on libglib2.0-dev, or qxl driver
    compile will fail.
  * Refresh libspice-server1.symbols

 -- Liang Guo  Sun, 19 May 2013 11:10:10 +0800

spice (0.12.2-0nocelt3) unstable; urgency=low

  * Upload to unstable

 -- Liang Guo  Fri, 10 May 2013 09:10:16 +0800

spice (0.12.2-0nocelt2exp) experimental; urgency=low

  * added two patches from Serge Hallyn to fix numerous compiler warnings:
    fix-build-warning-PIXEL.patch
    fix-tests-warnings.patch
  * spice-common-remove-version-construction.patch - to stop spice-common
    from producing a ton of `build-aux/git-version-gen: not found' errors
    during autoreconf.

 -- Michael Tokarev  Mon, 11 Feb 2013 23:29:11 +0400

spice (0.12.2-0nocelt1exp) experimental; urgency=low

  * New upstream release
  * debian/patches:
    - Refresh link-libspice-server-with-libm-libpthread.patch
  * Refresh debian/copyright, new files added
  * Build client, upstream doesn't build client by default
  * Refresh libspice-server1.symbols
  * Add libglib2.0-dev to Build-Depends

  [ Michael Tokarev ]
  * refresh make-celt-to-be-optional.patch (minor context diff)
  * do not build-depend on libspice-protocol-dev (upstream always uses
    included copy)
  * add (versioned) dependency on libspice-protocol-dev to
    libspice-server-dev package, since when the latter is installed,
    embedded protocol headers are not installed
  * do not build-depend on mesa libs (OpenGL is not enabled by default
    and is not recommended by upstream)
  * do not build-depend on libogg-dev
  * configure with --disable-silent-rules, so that the compiler command
    line is visible (this fixes the lintian warnings about hardening flags)

 -- Michael Tokarev  Thu, 17 Jan 2013 19:19:30 +0400

spice (0.11.0-1) unstable; urgency=low

  * New upstream release
  * Breaks spice-gtk (<= 0.12-2)
  * Refresh debian/libspice-server1.symbols
  * debian/control:
    - Update my e-mail address
    - Add python-pyparsing to Build-Depends
  * debian/patches:
    - Remove fix-error-path-return-in-snd_set_record_peer.patch, applied
      upstream
    - Refresh make-celt-to-be-optional.patch
    - Refresh link-libspice-server-with-libm-libpthread.patch
  * Simplify debian/rules, celt removed, no reason to use traditional one
  * Disable smartcard, not in debian yet
  * Refresh debian/copyright

 -- Liang Guo  Sat, 09 Jun 2012 11:33:05 +0800

spice (0.10.1-3~nocelt) experimental; urgency=low

  * Applying for co-maintenance, adding myself to Uploaders
    (Closes: #671627)
  * Bump Standards-Version to 3.9.3 (no changes)
  * link-libspice-server-with-libm-libpthread.patch - missing libraries
  * Enable multiarch for libspice-server, bump debhelper compat to 9
  * do not require root in clean target
  * build-depend on dh-autoreconf and python to be able to run autoreconf
    and python code generator
  * use dh_autoreconf, do not ship debian/source/options anymore
  * consolidate clean target in debian/rules
  * 2 patches:
    - fix-error-path-return-in-snd_set_record_peer.patch (from upstream
      git), which is a pre-requisite for the next patch, and
    - make-celt-to-be-optional.patch (sent to upstream). This makes it
      possible to build spice without celt.
  * Disable celt051 usage.

 -- Michael Tokarev  Sat, 02 Jun 2012 16:18:56 +0400

spice (0.10.1-2) unstable; urgency=low

  * added dependency on libxinerama-dev to libspice-server-dev,
    temporarily, until either upstream or we have a better solution.
    libspice-server does not use xinerama in any way, yet it is listed in
    the requirements in the pkg-config file, which is generated at
    configure time. (Closes: #658173)

 -- Michael Tokarev  Wed, 01 Feb 2012 01:08:34 +0400

spice (0.10.1-1) unstable; urgency=low

  * New upstream release
  * Refresh libspice-server1.symbols
  * debian/control
    - Change Build-Depends on libspice-protocol-dev to (>= 0.10.1~)
    - Add libxinerama-dev to Build-Depends

 -- Liang Guo  Fri, 27 Jan 2012 23:28:26 +0800

spice (0.10.0-1) unstable; urgency=low

  [ Liang Guo ]
  * New upstream release (Closes: #651262)
  * Refresh debian/copyright
  * Remove fix-typo-in-cmd_line_parser-cpp.patch, applied upstream
  * Remove fix-typo-in-record-cpp.patch, applied upstream
  * Remove use-requires-private-for-libspice-pkgconfig.patch, applied
    upstream
  * Change Build-Depends on libspice-protocol-dev to (>= 0.9.1~)
  * Refresh libspice-server1.symbols
  * Update debian/rules clean target
  * Ignore common/win/my_getopt-1.5/Makefile change when building package
  * debian/control: set DMUA

  [ Michael Tokarev ]
  * use `rm -f' instead of `-rm' in debian/rules clean targets
  * remove python_modules/*.pyc in clean target

 -- Liang Guo  Tue, 29 Nov 2011 14:37:08 +0800

spice (0.8.3-1) unstable; urgency=low

  * New upstream release
  * Update debian/copyright to fit DEP-5
  * Remove drop-unnecessary-build-request.patch, applied upstream
  * Update Build-Depends on libspice-protocol-dev to 0.8.2~
  * Disable GUI support, CEGUI version in Debian not supported
  * Add libjpeg-dev to Build-Depends
  * Refresh libspice-server1.symbols

 -- Liang Guo  Thu, 20 Oct 2011 11:13:23 +0800

spice (0.8.2-2) unstable; urgency=low

  [ Michael Tokarev ]
  * move libraries used internally by libspice-server from Requires to
    Requires.private in pkg-config file

  [ Liang Guo ]
  * Add libpixman-1-dev and libssl-dev to libspice-server-dev Depends
    (Closes: #637189)
  * Remove alsa, xrandr, xfixes, x11, xext and xrender from
    spice-server.pc Requires
  * Fix typo in debian/spicec.1

 -- Liang Guo  Tue, 16 Aug 2011 10:36:31 +0800

spice (0.8.2-1) unstable; urgency=low

  * Initial release (Closes: #560721)

 -- Liang Guo  Sat, 23 Jul 2011 12:21:04 +0800