diff -Nru spice-0.12.8/debian/changelog spice-0.12.8/debian/changelog --- spice-0.12.8/debian/changelog 2017-02-15 18:58:19.000000000 +0000 +++ spice-0.12.8/debian/changelog 2017-02-13 20:42:01.000000000 +0000 @@ -1,15 +1,16 @@ -spice (0.12.8-2ubuntu1) zesty; urgency=medium +spice (0.12.8-2.1) unstable; urgency=medium - * SECURITY UPDATE: overflow when reading large messages - - debian/patches/CVE-2016-9577.patch: check size in - server/main_channel.c. - - CVE-2016-9577 - * SECURITY UPDATE: DoS via crafted message - - debian/patches/CVE-2016-9578-1.patch: limit size in server/reds.c. - - debian/patches/CVE-2016-9578-2.patch: limit caps in server/reds.c. - - CVE-2016-9578 + * Non-maintainer upload. + * Add CVE-2016-9577-and-CVE-2016-9578.patch: + - CVE-2016-9577: A buffer overflow vulnerability in + main_channel_alloc_msg_rcv_buf was found that occurs when reading large + messages due to missing buffer size check. + - CVE-2016-9578: A vulnerability was discovered in the server's + protocol handling. An attacker able to connect to the spice server could + send crafted messages which would cause the process to crash. + (Closes: #854336) - -- Marc Deslauriers Wed, 15 Feb 2017 13:58:19 -0500 + -- Markus Koschany Mon, 13 Feb 2017 21:42:01 +0100 spice (0.12.8-2) unstable; urgency=medium diff -Nru spice-0.12.8/debian/control spice-0.12.8/debian/control --- spice-0.12.8/debian/control 2017-02-15 18:58:19.000000000 +0000 +++ spice-0.12.8/debian/control 2017-02-13 20:42:01.000000000 +0000 @@ -1,8 +1,7 @@ Source: spice Section: misc Priority: optional -Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Liang Guo +Maintainer: Liang Guo Uploaders: Michael Tokarev Build-Depends: debhelper (>= 9), pkg-config, dh-autoreconf, diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch --- spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 1970-01-01 00:00:00.000000000 +0000 +++ spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch 2017-02-13 20:42:01.000000000 +0000 @@ -0,0 +1,54 @@ +From: Markus Koschany +Date: Mon, 13 Feb 2017 21:38:02 +0100 +Subject: CVE-2016-9577 and CVE-2016-9578 + +Bug-Debian: https://bugs.debian.org/854336 +Origin: http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d +--- + server/main_channel.c | 3 +++ + server/reds.c | 11 ++++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/server/main_channel.c b/server/main_channel.c +index 0ecc9df..1fc3915 100644 +--- a/server/main_channel.c ++++ b/server/main_channel.c +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, + + if (type == SPICE_MSGC_MAIN_AGENT_DATA) { + return reds_get_agent_data_buffer(mcc, size); ++ } else if (size > sizeof(main_chan->recv_buf)) { ++ /* message too large, caller will log a message and close the connection */ ++ return NULL; + } else { + return main_chan->recv_buf; + } +diff --git a/server/reds.c b/server/reds.c +index 61bf735..4c60f58 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) + link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); + link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); + ++ /* Prevent DoS. Currently we defined only 13 capabilities, ++ * I expect 1024 to be valid for quite a lot time */ ++ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { ++ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); ++ reds_link_free(link); ++ return; ++ } ++ + num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; + caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); + +@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque) + + reds->peer_minor_version = header->minor_version; + +- if (header->size < sizeof(SpiceLinkMess)) { ++ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ ++ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { + reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); + spice_warning("bad size %u", header->size); + reds_link_free(link); diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577.patch spice-0.12.8/debian/patches/CVE-2016-9577.patch --- spice-0.12.8/debian/patches/CVE-2016-9577.patch 2017-02-15 18:58:06.000000000 +0000 +++ spice-0.12.8/debian/patches/CVE-2016-9577.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,28 +0,0 @@ -From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 29 Nov 2016 16:46:56 +0000 -Subject: main-channel: Prevent overflow reading messages from client - -Caller is supposed the function return a buffer able to store -size bytes. - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau - -diff --git a/server/main_channel.c b/server/main_channel.c -index 0ecc9df..1fc3915 100644 ---- a/server/main_channel.c -+++ b/server/main_channel.c -@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, - - if (type == SPICE_MSGC_MAIN_AGENT_DATA) { - return reds_get_agent_data_buffer(mcc, size); -+ } else if (size > sizeof(main_chan->recv_buf)) { -+ /* message too large, caller will log a message and close the connection */ -+ return NULL; - } else { - return main_chan->recv_buf; - } --- -cgit v0.10.2 - diff -Nru spice-0.12.8/debian/patches/CVE-2016-9578-1.patch spice-0.12.8/debian/patches/CVE-2016-9578-1.patch --- spice-0.12.8/debian/patches/CVE-2016-9578-1.patch 2017-02-15 18:58:10.000000000 +0000 +++ spice-0.12.8/debian/patches/CVE-2016-9578-1.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,55 +0,0 @@ -From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 13 Dec 2016 14:39:48 +0000 -Subject: Prevent possible DoS attempts during protocol handshake - -The limit for link message is specified using a 32 bit unsigned integer. -This could cause possible DoS due to excessive memory allocations and -some possible crashes. -For instance a value >= 2^31 causes a spice_assert to be triggered in -async_read_handler (reds-stream.c) due to an integer overflow at this -line: - - int n = async->end - async->now; - -This could be easily triggered with a program like - - #!/usr/bin/env python - - import socket - import time - from struct import pack - - server = '127.0.0.1' - port = 5900 - - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - s.connect((server, port)) - data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa) - s.send(data) - - time.sleep(1) - -without requiring any authentication (the same can be done -with TLS). - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau - -diff --git a/server/reds.c b/server/reds.c -index f40b65c..86a33d5 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque) - - reds->peer_minor_version = header->minor_version; - -- if (header->size < sizeof(SpiceLinkMess)) { -+ /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */ -+ if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) { - reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); - spice_warning("bad size %u", header->size); - reds_link_free(link); --- -cgit v0.10.2 - diff -Nru spice-0.12.8/debian/patches/CVE-2016-9578-2.patch spice-0.12.8/debian/patches/CVE-2016-9578-2.patch --- spice-0.12.8/debian/patches/CVE-2016-9578-2.patch 2017-02-15 18:58:14.000000000 +0000 +++ spice-0.12.8/debian/patches/CVE-2016-9578-2.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,38 +0,0 @@ -From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 13 Dec 2016 14:40:10 +0000 -Subject: Prevent integer overflows in capability checks - -The limits for capabilities are specified using 32 bit unsigned integers. -This could cause possible integer overflows causing buffer overflows. -For instance the sum of num_common_caps and num_caps can be 0 avoiding -additional checks. -As the link message is now capped to 4096 and the capabilities are -contained in the link message limit the capabilities to 1024 -(capabilities are expressed in number of uint32_t items). - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau - -diff --git a/server/reds.c b/server/reds.c -index 86a33d5..9150454 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque) - link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps); - link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps); - -+ /* Prevent DoS. Currently we defined only 13 capabilities, -+ * I expect 1024 to be valid for quite a lot time */ -+ if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) { -+ reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA); -+ reds_link_free(link); -+ return; -+ } -+ - num_caps = link_mess->num_common_caps + link_mess->num_channel_caps; - caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset); - --- -cgit v0.10.2 - diff -Nru spice-0.12.8/debian/patches/series spice-0.12.8/debian/patches/series --- spice-0.12.8/debian/patches/series 2017-02-15 18:58:14.000000000 +0000 +++ spice-0.12.8/debian/patches/series 2017-02-13 20:42:01.000000000 +0000 @@ -1,4 +1,2 @@ stop-linking-with-libcacard.diff -CVE-2016-9577.patch -CVE-2016-9578-1.patch -CVE-2016-9578-2.patch +CVE-2016-9577-and-CVE-2016-9578.patch