From cc113247079009ba1d1085732b158699b3a3aca0 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 27 2021 00:18:20 +0000 Subject: import spice-0.14.3-4.el8
---
diff --git a/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch b/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
new file mode 100644
index 0000000..96d6f4f
--- /dev/null
+++ b/SOURCES/0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
@@ -0,0 +1,38 @@
+From 95a0cfac8a1c8eff50f05e65df945da3bb501fc9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?=
+Date: Thu, 3 Dec 2020 09:33:48 +0100
+Subject: [PATCH] With OpenSSL 1.0.2 and earlier: disable client-side
+ renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixed issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio
+---
+ server/red-stream.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/server/red-stream.cpp b/server/red-stream.cpp
+index 420433bd..c1f0f00c 100644
+--- a/server/red-stream.c
++++ b/server/red-stream.c
+@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
+ return RED_STREAM_SSL_STATUS_OK;
+ }
+
++#ifndef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
++ stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
++#endif
++
+ ssl_error = SSL_get_error(stream->priv->ssl, return_code);
+ if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
+ ssl_error == SSL_ERROR_WANT_WRITE)) {
+--
+2.29.2
+
diff --git a/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch b/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
new file mode 100644
index 0000000..cfd6cd1
--- /dev/null
+++ b/SOURCES/0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
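Review bot: The added `s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` sits after the early `return RED_STREAM_SSL_STATUS_OK;` in red_stream_ssl_accept(), so a handshake that finishes on that earlier path appears to leave the connection without the flag, and the renegotiation DoS the changelog cites would not be mitigated there. The accept call and the condition guarding that return are outside the hunk, so confirm this against the full function; if it holds, the `#ifndef` block belongs directly after the accept call, ahead of the success return. The guard `#ifndef SSL_OP_NO_RENEGOTIATION` also selects any library build that lacks the macro but keeps `SSL` opaque, where `ssl->s3` will not compile; `#if !defined(SSL_OP_NO_RENEGOTIATION) && OPENSSL_VERSION_NUMBER < 0x10100000L` states the intent. The comment also has a typo, `renogotiation`.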
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?=
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH 1/2] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio
+---
+ server/reds.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.cpp b/server/reds.cpp
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds)
+ * When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++ ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+
+ /* Global system initialization*/
+ openssl_global_init();
+--
+2.29.2
+
diff --git a/SPECS/spice.spec b/SPECS/spice.spec
index 3556483..f1c1dd8 100644
--- a/SPECS/spice.spec
+++ b/SPECS/spice.spec
@@ -1,6 +1,6 @@
 Name: spice
 Version: 0.14.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Implements the SPICE protocol
 Group: User Interface/Desktops
 License: LGPLv2+
@@ -15,6 +15,8 @@
 Patch4: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch
 Patch5: 0005-websocket-Fix-possible-integer-overflow.patch
 Patch6: 0006-test-websocket-check-setsockopt-return-value.patch
+Patch7: 0007-OpenSSL-1.0.2-disable-client-side-renegotiation.patch
+Patch8: 0008-OpenSSL-1.1-disable-client-side-renegotiation.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 %if 0%{?rhel} && 0%{?rhel} <= 7
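Review bot: The comment on the added `SSL_OP_NO_RENEGOTIATION` block in reds_init_ssl() (patch 0008) does not say why renegotiation is turned off, nor that builds without the macro rely on a separate per-connection fallback. The spec changelog gives the reason (a potential DoS) and patch 0007 adds the fallback in red_stream_ssl_accept(), so a comment such as `/* Refuse renegotiation on TLS <= 1.2 (DoS vector); libraries without this option are handled in red_stream_ssl_accept() */` would keep the two halves linked. The comment says "all renegotiation" while the patch subject says "client-initiated"; the two should agree on the scope. reds_init_ssl() starts and continues outside the hunk.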
@@ -112,6 +114,10 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog +* Tue Jan 19 2021 Julien Ropé - 0.14.3-4 +- Disable client-side renegotiation to prevent potential DoS + Resolves: rhbz#1904459 + * Wed Jun 17 2020 Uri Lublin - 0.14.3-3 - Fix some static analyzer issues - Removed Obsoletes line for spice-client