From c56f30cb7e997dd6039adabe35ce38358530183f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 10:55:42 +0000 Subject: import spice-0.14.0-7.el7 --- diff --git a/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch index 1db419a..72ad808 100644 --- a/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch +++ b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch @@ -1,7 +1,7 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Mon, 18 Jun 2018 12:39:37 +0200 -Subject: [spice-server] tls: Parse spice.cnf OpenSSL configuration file +Subject: [PATCH] tls: Parse spice.cnf OpenSSL configuration file SPICE tries to use the OpenSSL system-wide defaults as much as possible for the TLS ciphers and protocols it uses. However, this is not enough @@ -22,9 +22,11 @@ land in RHEL. Signed-off-by: Christophe Fergeau --- - docs/Makefile.am | 1 + - server/reds.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 103 insertions(+) + docs/Makefile.am | 1 + + docs/spice.cnf.sample | 15 +++++++ + server/reds.c | 102 ++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 118 insertions(+) + create mode 100644 docs/spice.cnf.sample diff --git a/docs/Makefile.am b/docs/Makefile.am index 45667a6..909ed15 100644 
@@ -38,6 +40,27 @@ index 45667a6..909ed15 100644 $(NULL) if BUILD_MANUAL +diff --git a/docs/spice.cnf.sample b/docs/spice.cnf.sample +new file mode 100644 +index 0000000..e5404ae +--- /dev/null ++++ b/docs/spice.cnf.sample +@@ -0,0 +1,15 @@ ++# SPICE OpenSSL configuration file ++# ++# Sample configuration file for SPICE TLS communication ++# Edit the file according to your needs, and put it in ++# /etc/pki/tls/spice.cnf ++# ++# See "SUPPORTED CONFIGURATION FILE COMMANDS" in SSL_CONF_cmd(3) ++# for the valid options, as well a ciphers(1) for the format ++# of CipherString ++ ++# Configure available ciphers ++CipherString = DEFAULT:-RC4:-3DES:-DES ++ ++# Only enable TLSv1.2 (and newer TLS versions the day OpenSSL supports them) ++Protocol = ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1 diff --git a/server/reds.c b/server/reds.c index 0af5643..846e44d 100644 --- a/server/reds.c diff --git a/SOURCES/0027-dcc-Fix-QUIC-fallback-in-get_compression_for_bitmap.patch b/SOURCES/0027-dcc-Fix-QUIC-fallback-in-get_compression_for_bitmap.patch new file mode 100644 index 0000000..f64c2cb --- /dev/null +++ b/SOURCES/0027-dcc-Fix-QUIC-fallback-in-get_compression_for_bitmap.patch 
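Review bot: The cipher list in the new docs/spice.cnf.sample, `CipherString = DEFAULT:-RC4:-3DES:-DES`, removes the weak ciphers with `-`, which in ciphers(1) syntax only drops them from the current list and lets a later entry add them back; `!` deletes them permanently, so `CipherString = DEFAULT:!RC4:!3DES:!DES` is the safer template for a file whose header tells users to copy it to /etc/pki/tls/spice.cnf and edit it. The `Protocol = ALL,-SSLv2,-SSLv3,-TLSv1,-TLSv1.1` line uses the SSL_CONF_cmd syntax available in OpenSSL 1.0.2, consistent with the openssl-libs >= 1.0.2k-16 requirement this commit adds to SPECS/spice.spec. The header comment also has a typo, "as well a ciphers(1)", which should read "as well as ciphers(1)"; since the file is created by the inner patch, both corrections belong in the patch body, with its index line and diffstat regenerated.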
@@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Fri, 20 Jul 2018 11:44:51 +0200 +Subject: [PATCH] dcc: Fix QUIC fallback in get_compression_for_bitmap() + +There was a small regression introduced in get_compression_for_bitmap() +by f401eb07f dcc: Rewrite dcc_image_compress. +If SPICE_IMAGE_COMPRESSION_AUTO_GLZ is specified, and the bitmap has a +stride which is bigger than its width (ie it has padding), then +get_compression_for_bitmap() will return SPICE_IMAGE_COMPRESSION_OFF +while in that case, we used to use QUIC for compression. + +This happens because that function in the AUTO_GLZ case first checks if +QUIC should be used, if not, it decides to use GLZ, but then decides it +can't because of the stride, so falls back to OFF, while it used to +fall back to QUIC. + +This commit only slightly reworks a preexisting if (!can_lz_compress()) +check so that it's unconditional rather than depending on the previous +checks having been unsuccessful. + +This issue could be observed by using a spice-html5 without support for +uncompressed bitmaps with end-of-line padding by simply starting a f28 +VM and connecting to it/moving the mouse cursor in it. 
+ +Signed-off-by: Christophe Fergeau +Acked-by: Frediano Ziglio +--- + server/dcc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/server/dcc.c b/server/dcc.c +index 3bf75a7..b632905 100644 +--- a/server/dcc.c ++++ b/server/dcc.c +@@ -806,8 +806,10 @@ static SpiceImageCompression get_compression_for_bitmap(SpiceBitmap *bitmap, + bitmap_get_graduality_level(bitmap) == BITMAP_GRADUAL_HIGH) { + return SPICE_IMAGE_COMPRESSION_QUIC; + } +- } else if (!can_lz_compress(bitmap) || +- drawable->copy_bitmap_graduality == BITMAP_GRADUAL_HIGH) { ++ } else if (drawable->copy_bitmap_graduality == BITMAP_GRADUAL_HIGH) { ++ return SPICE_IMAGE_COMPRESSION_QUIC; ++ } ++ if (!can_lz_compress(bitmap)) { + return SPICE_IMAGE_COMPRESSION_QUIC; + } + } diff --git a/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch deleted file mode 100644 index ad8a9aa..0000000 --- a/SOURCES/0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +++ /dev/null 
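Review bot: The new unconditional `if (!can_lz_compress(bitmap))` fallback at the end of the hunk carries no comment, even though the regression it fixes came from exactly this fallthrough being skipped; a one-line comment such as `/* LZ/GLZ cannot handle this bitmap (e.g. stride padding): fall back to QUIC, never OFF */` would keep the next rewrite from reintroducing the bug. The enclosing `if` block and get_compression_for_bitmap() both start before and end after the hunk, so the conditions under which this check is reached cannot be confirmed from the hunk alone. The patch header carries an all-zero commit hash while the spec changelog attributes the change to upstream commit 48179332d9da0; recording that id in the patch, for instance as a `(cherry picked from commit 48179332d9da0)` trailer, would keep the backport traceable.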
@@ -1,100 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Christophe Fergeau -Date: Thu, 29 Nov 2018 14:18:39 +0100 -Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check - -RedMemSlotInfo keeps an array of groups, and each group contains an -array of slots. Unfortunately, these checks are off by 1, they check -that the index is greater or equal to the number of elements in the -array, while these arrays are 0 based. The check should only check for -strictly greater than the number of elements. - -For the group array, this is not a big issue, as these memslot groups -are created by spice-server users (eg QEMU), and the group ids used to -index that array are also generated by the spice-server user, so it -should not be possible for the guest to set them to arbitrary values. - -The slot id is more problematic, as it's calculated from a QXLPHYSICAL -address, and such addresses are usually set by the guest QXL driver, so -the guest can set these to arbitrary values, including malicious values, -which are probably easy to build from the guest PCI configuration. - -This patch fixes the arrays bound check, and adds a test case for this. 
- -Signed-off-by: Christophe Fergeau ---- - server/memslot.c | 4 ++-- - server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++ - 2 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/server/memslot.c b/server/memslot.c -index 7074b43..8c59c38 100644 ---- a/server/memslot.c -+++ b/server/memslot.c -@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t - MemSlot *slot; - - *error = 0; -- if (group_id > info->num_memslots_groups) { -+ if (group_id >= info->num_memslots_groups) { - spice_critical("group_id too big"); - *error = 1; - return 0; - } - - slot_id = memslot_get_id(info, addr); -- if (slot_id > info->num_memslots) { -+ if (slot_id >= info->num_memslots) { - print_memslots(info); - spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); - *error = 1; -diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c -index 9c0c3b1..83f2083 100644 ---- a/server/tests/test-qxl-parsing.c -+++ b/server/tests/test-qxl-parsing.c -@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) - free(from_physical(qxl->u.surface_create.data)); - } - -+static void test_memslot_invalid_group_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ int error; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 0, 16, 1, &error); -+} -+ -+static void test_memslot_invalid_slot_id(void) -+{ -+ RedMemSlotInfo mem_info; -+ int error; -+ init_meminfo(&mem_info); -+ -+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error); -+} -+ -+static void test_memslot_invalid_addresses(void) -+{ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); -+ g_test_trap_assert_stderr("*group_id too big*"); -+ -+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); -+ g_test_trap_assert_stderr("*slot_id 1 too big*"); -+} -+ - static void test_no_issues(void) - { - RedMemSlotInfo mem_info; -@@ -262,6 +289,11 
@@ int main(int argc, char *argv[]) - { - g_test_init(&argc, &argv, NULL); - -+ /* try to use invalid memslot group/slot */ -+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); -+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); -+ - /* try to create a surface with no issues, should succeed */ - g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); - diff --git a/SOURCES/0028-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0028-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch new file mode 100644 index 0000000..ad8a9aa --- /dev/null +++ b/SOURCES/0028-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch 
@@ -0,0 +1,100 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Thu, 29 Nov 2018 14:18:39 +0100 +Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check + +RedMemSlotInfo keeps an array of groups, and each group contains an +array of slots. Unfortunately, these checks are off by 1, they check +that the index is greater or equal to the number of elements in the +array, while these arrays are 0 based. The check should only check for +strictly greater than the number of elements. + +For the group array, this is not a big issue, as these memslot groups +are created by spice-server users (eg QEMU), and the group ids used to +index that array are also generated by the spice-server user, so it +should not be possible for the guest to set them to arbitrary values. + +The slot id is more problematic, as it's calculated from a QXLPHYSICAL +address, and such addresses are usually set by the guest QXL driver, so +the guest can set these to arbitrary values, including malicious values, +which are probably easy to build from the guest PCI configuration. + +This patch fixes the arrays bound check, and adds a test case for this. 
+ +Signed-off-by: Christophe Fergeau +--- + server/memslot.c | 4 ++-- + server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/server/memslot.c b/server/memslot.c +index 7074b43..8c59c38 100644 +--- a/server/memslot.c ++++ b/server/memslot.c +@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t + MemSlot *slot; + + *error = 0; +- if (group_id > info->num_memslots_groups) { ++ if (group_id >= info->num_memslots_groups) { + spice_critical("group_id too big"); + *error = 1; + return 0; + } + + slot_id = memslot_get_id(info, addr); +- if (slot_id > info->num_memslots) { ++ if (slot_id >= info->num_memslots) { + print_memslots(info); + spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr); + *error = 1; +diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c +index 9c0c3b1..83f2083 100644 +--- a/server/tests/test-qxl-parsing.c ++++ b/server/tests/test-qxl-parsing.c +@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl) + free(from_physical(qxl->u.surface_create.data)); + } + ++static void test_memslot_invalid_group_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 0, 16, 1, &error); ++} ++ ++static void test_memslot_invalid_slot_id(void) ++{ ++ RedMemSlotInfo mem_info; ++ int error; ++ init_meminfo(&mem_info); ++ ++ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error); ++} ++ ++static void test_memslot_invalid_addresses(void) ++{ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0); ++ g_test_trap_assert_stderr("*group_id too big*"); ++ ++ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0); ++ g_test_trap_assert_stderr("*slot_id 1 too big*"); ++} ++ + static void test_no_issues(void) + { + RedMemSlotInfo mem_info; +@@ -262,6 +289,11 
@@ int main(int argc, char *argv[]) + { + g_test_init(&argc, &argv, NULL); + ++ /* try to use invalid memslot group/slot */ ++ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id); ++ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id); ++ + /* try to create a surface with no issues, should succeed */ + g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues); + diff --git a/SPECS/spice.spec b/SPECS/spice.spec index a76b70c..e75c578 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,6 +1,6 @@ Name: spice Version: 0.14.0 -Release: 6%{?dist}.1 +Release: 7%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ @@ -32,7 +32,8 @@ Patch23: 0023-sound-Don-t-mute-recording-when-client-reconnects.patch Patch24: 0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch Patch25: 0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch Patch26: 0026-Fix-flexible-array-buffer-overflow.patch -Patch27: 0027-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch +Patch27: 0027-dcc-Fix-QUIC-fallback-in-get_compression_for_bitmap.patch +Patch28: 0028-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch # https://bugzilla.redhat.com/show_bug.cgi?id=613529 %if 0%{?rhel} @@ -65,6 +66,9 @@ variety of machine architectures. Summary: Implements the server side of the SPICE protocol Group: System Environment/Libraries Obsoletes: spice-client < %{version}-%{release} +# Ensure SSL_CONF_CTX_set_ssl_ctx (needed by Patch24) is present +# https://bugzilla.redhat.com/show_bug.cgi?id=1627693 +Requires: openssl-libs >= 1.0.2k-16 %description server The Simple Protocol for Independent Computing Environments (SPICE) is 
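Review bot: Patch27 is repointed at the dcc fix and Patch28 newly declares the memslot off-by-one fix (CVE-2019-3813), but whether either is actually applied depends on the %prep section, which is outside this diff; if the spec applies patches with explicit `%patchN -p1` lines rather than %autosetup, a `%patch28 -p1` must be added alongside the existing `%patch27 -p1`, otherwise the renumbered memslot fix silently drops out of the build while the changelog still claims it. A quick check is to grep the expanded spec (`rpmspec -P spice.spec`) for both patch numbers before the build is submitted. The same renumbering also leaves two differently named 0027-* files in the history, so the Patch27 comment or changelog could state that 0027-memslot was renamed to 0028 unchanged (same blob ad8a9aa) to avoid confusion with the replaced file.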
@@ -112,7 +116,7 @@ mkdir -p %{buildroot}%{_libexecdir} %files server -%doc COPYING README NEWS +%doc COPYING README NEWS docs/spice.cnf.sample %{_libdir}/libspice-server.so.1* %files server-devel @@ -122,9 +126,14 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog -* Thu Jan 24 2019 Christophe Fergeau - 0.14.0-6.1 +* Tue Dec 18 2018 Christophe Fergeau - 0.14.0-7 - Fix off-by-one error during guest-to-host memory address conversion Resolves: CVE-2019-3813 +- Add patch for upstream commit 48179332d9da0. This should help with corrupted + spice-html5 displays + Resolves: rhbz#1573739 +- Add missing minimum openssl version Requires for patch #24 + Resolves: rhbz#1627693 * Thu Aug 09 2018 Frediano Ziglio - 0.14.0-6 - Fix flexible array buffer overflow