diff --git a/.gitignore b/.gitignore
index f5eb8ca..407492b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/cfergeau-29AC6C82.keyring
-SOURCES/spice-0.14.0.tar.bz2
+SOURCES/spice-0.14.2.tar.bz2
+SOURCES/victortoso-E37A484F.keyring
diff --git a/.spice.metadata b/.spice.metadata
index 5408cf4..f6aea0d 100644
--- a/.spice.metadata
+++ b/.spice.metadata
@@ -1,2 +1,2 @@
-84d3abd436c6f4e194aa3f7a58be17ec9ced0a82 SOURCES/cfergeau-29AC6C82.keyring
-93e42588d1aac0a3c127ada1e5d8f40be84776a9 SOURCES/spice-0.14.0.tar.bz2
+83a93e47546d496cf2dcc3f4641db3a285044b9e SOURCES/spice-0.14.2.tar.bz2
+da7a529db1ea28a1540c5892ea9836abeb378c3e SOURCES/victortoso-E37A484F.keyring
diff --git a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch
deleted file mode 100644
index 6c5eaec..0000000
--- a/SOURCES/0001-Fix-flexible-array-buffer-overflow.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Fri, 18 May 2018 11:41:57 +0100
-Subject: [PATCH] Fix flexible array buffer overflow
-
-This is kind of a DoS, possibly flexible array in the protocol
-causes the network size check to be ignored due to integer overflows.
-
-The size of flexible array is computed as (message_end - position),
-then this size is added to the number of bytes before the array and
-this number is used to check if we overflow initial message.
-
-An example is:
-
- message {
- uint32 dummy[2];
- uint8 data[] @end;
- } LenMessage;
-
-which generated this (simplified remove useless code) code:
-
- { /* data */
- data__nelements = message_end - (start + 8);
-
- data__nw_size = data__nelements;
- }
-
- nw_size = 8 + data__nw_size;
-
- /* Check if message fits in reported side */
- if (nw_size > (uintptr_t) (message_end - start)) {
- return NULL;
- }
-
-Following code:
-- data__nelements == message_end - (start + 8)
-- data__nw_size == data__nelements == message_end - (start + 8)
-- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
- 8 + message_end - start - 8 == message_end -start
-- the check for overflow is (nw_size > (message_end - start)) but
- nw_size == message_end - start so the check is doing
- ((message_end - start) > (message_end - start)) which is always false.
-
-If message_end - start < 8 then data__nelements (number of element
-on the array above) computation generate an integer underflow that
-later create a buffer overflow.
-
-Add a check to make sure that the array starts before the message ends
-to avoid the overflow.
-
-Difference is:
- diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c
- --- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100
- +++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100
- @@ -225,6 +225,9 @@
- uint64_t data__nelements;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 0) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 0);
-
- data__nw_size = data__nelements;
- @@ -243,6 +246,9 @@
- *free_message = nofree;
- return data;
-
- + error:
- + free(data);
- + return NULL;
- }
-
- static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
- @@ -301,6 +307,9 @@
- SpiceMsgPing *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 12) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 12);
-
- data__nw_size = data__nelements;
- @@ -5226,6 +5235,9 @@
- uint64_t cursor_data__nw_size;
- uint64_t cursor_data__nelements;
- { /* data */
- + if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
- + goto error;
- + }
- cursor_data__nelements = message_end - (start2 + 22);
-
- cursor_data__nw_size = cursor_data__nelements;
- @@ -5305,6 +5317,9 @@
- uint64_t cursor_data__nw_size;
- uint64_t cursor_data__nelements;
- { /* data */
- + if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
- + goto error;
- + }
- cursor_data__nelements = message_end - (start2 + 22);
-
- cursor_data__nw_size = cursor_data__nelements;
- @@ -5540,6 +5555,9 @@
- SpiceMsgPlaybackPacket *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 4) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 4);
-
- data__nw_size = data__nelements;
- @@ -5594,6 +5612,9 @@
- SpiceMsgPlaybackMode *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 8) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 8);
-
- data__nw_size = data__nelements;
- diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c
- --- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100
- +++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100
- @@ -225,6 +225,9 @@
- uint64_t data__nelements;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 0) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 0);
-
- data__nw_size = data__nelements;
- @@ -243,6 +246,9 @@
- *free_message = nofree;
- return data;
-
- + error:
- + free(data);
- + return NULL;
- }
-
- static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
- @@ -301,6 +307,9 @@
- SpiceMsgPing *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 12) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 12);
-
- data__nw_size = data__nelements;
- @@ -6574,6 +6583,9 @@
- }
-
- { /* data */
- + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
- + goto error;
- + }
- cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
-
- cursor_data__nw_size = cursor_data__nelements;
- @@ -6670,6 +6682,9 @@
- }
-
- { /* data */
- + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
- + goto error;
- + }
- cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
-
- cursor_data__nw_size = cursor_data__nelements;
- @@ -6907,6 +6922,9 @@
- SpiceMsgPlaybackPacket *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 4) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 4);
-
- data__nw_size = data__nelements;
- @@ -6961,6 +6979,9 @@
- SpiceMsgPlaybackMode *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 6) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 6);
-
- data__nw_size = data__nelements;
- @@ -7559,6 +7580,9 @@
- SpiceMsgTunnelSocketData *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 2) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 2);
-
- data__nw_size = data__nelements;
- @@ -7840,6 +7864,9 @@
- }
-
- { /* compressed_data */
- + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
- + goto error;
- + }
- compressed_data__nelements = message_end - (start + 1 + u__nw_size);
-
- compressed_data__nw_size = compressed_data__nelements;
- diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c
- --- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100
- +++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100
- @@ -306,6 +306,9 @@
- uint64_t data__nelements;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 0) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 0);
-
- data__nw_size = data__nelements;
- @@ -324,6 +327,9 @@
- *free_message = nofree;
- return data;
-
- + error:
- + free(data);
- + return NULL;
- }
-
- static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
- @@ -1259,6 +1265,9 @@
- SpiceMsgcRecordPacket *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 4) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 4);
-
- data__nw_size = data__nelements;
- @@ -1313,6 +1322,9 @@
- SpiceMsgcRecordMode *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 6) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 6);
-
- data__nw_size = data__nelements;
- @@ -1841,6 +1853,9 @@
- SpiceMsgcTunnelSocketData *out;
-
- { /* data */
- + if (SPICE_UNLIKELY((start + 2) > message_end)) {
- + goto error;
- + }
- data__nelements = message_end - (start + 2);
-
- data__nw_size = data__nelements;
- @@ -2057,6 +2072,9 @@
- }
-
- { /* compressed_data */
- + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
- + goto error;
- + }
- compressed_data__nelements = message_end - (start + 1 + u__nw_size);
-
- compressed_data__nw_size = compressed_data__nelements;
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
----
- spice-common/python_modules/demarshal.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
-index 1ea131d..7172762 100644
---- a/spice-common/python_modules/demarshal.py
-+++ b/spice-common/python_modules/demarshal.py
-@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
- writer.assign(nelements, array.size)
- elif array.is_remaining_length():
- if element_type.is_fixed_nw_size():
-+ writer.error_check("%s > message_end" % item.get_position())
- if element_type.get_fixed_nw_size() == 1:
- writer.assign(nelements, "message_end - %s" % item.get_position())
- else:
---
-2.17.1
-
diff --git a/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch b/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
deleted file mode 100644
index ad8a9aa..0000000
--- a/SOURCES/0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+++ /dev/null
@@ -1,100 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Christophe Fergeau <cfergeau@redhat.com>
-Date: Thu, 29 Nov 2018 14:18:39 +0100
-Subject: [PATCH] memslot: Fix off-by-one error in group/slot boundary check
-
-RedMemSlotInfo keeps an array of groups, and each group contains an
-array of slots. Unfortunately, these checks are off by 1, they check
-that the index is greater or equal to the number of elements in the
-array, while these arrays are 0 based. The check should only check for
-strictly greater than the number of elements.
-
-For the group array, this is not a big issue, as these memslot groups
-are created by spice-server users (eg QEMU), and the group ids used to
-index that array are also generated by the spice-server user, so it
-should not be possible for the guest to set them to arbitrary values.
-
-The slot id is more problematic, as it's calculated from a QXLPHYSICAL
-address, and such addresses are usually set by the guest QXL driver, so
-the guest can set these to arbitrary values, including malicious values,
-which are probably easy to build from the guest PCI configuration.
-
-This patch fixes the arrays bound check, and adds a test case for this.
-
-Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
----
- server/memslot.c | 4 ++--
- server/tests/test-qxl-parsing.c | 32 ++++++++++++++++++++++++++++++++
- 2 files changed, 34 insertions(+), 2 deletions(-)
-
-diff --git a/server/memslot.c b/server/memslot.c
-index 7074b43..8c59c38 100644
---- a/server/memslot.c
-+++ b/server/memslot.c
-@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, QXLPHYSICAL addr, uint32_t
- MemSlot *slot;
-
- *error = 0;
-- if (group_id > info->num_memslots_groups) {
-+ if (group_id >= info->num_memslots_groups) {
- spice_critical("group_id too big");
- *error = 1;
- return 0;
- }
-
- slot_id = memslot_get_id(info, addr);
-- if (slot_id > info->num_memslots) {
-+ if (slot_id >= info->num_memslots) {
- print_memslots(info);
- spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
- *error = 1;
-diff --git a/server/tests/test-qxl-parsing.c b/server/tests/test-qxl-parsing.c
-index 9c0c3b1..83f2083 100644
---- a/server/tests/test-qxl-parsing.c
-+++ b/server/tests/test-qxl-parsing.c
-@@ -85,6 +85,33 @@ static void deinit_qxl_surface(QXLSurfaceCmd *qxl)
- free(from_physical(qxl->u.surface_create.data));
- }
-
-+static void test_memslot_invalid_group_id(void)
-+{
-+ RedMemSlotInfo mem_info;
-+ int error;
-+ init_meminfo(&mem_info);
-+
-+ memslot_get_virt(&mem_info, 0, 16, 1, &error);
-+}
-+
-+static void test_memslot_invalid_slot_id(void)
-+{
-+ RedMemSlotInfo mem_info;
-+ int error;
-+ init_meminfo(&mem_info);
-+
-+ memslot_get_virt(&mem_info, 1 << mem_info.memslot_id_shift, 16, 0, &error);
-+}
-+
-+static void test_memslot_invalid_addresses(void)
-+{
-+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/group_id", 0, 0);
-+ g_test_trap_assert_stderr("*group_id too big*");
-+
-+ g_test_trap_subprocess("/server/memslot-invalid-addresses/subprocess/slot_id", 0, 0);
-+ g_test_trap_assert_stderr("*slot_id 1 too big*");
-+}
-+
- static void test_no_issues(void)
- {
- RedMemSlotInfo mem_info;
-@@ -262,6 +289,11 @@ int main(int argc, char *argv[])
- {
- g_test_init(&argc, &argv, NULL);
-
-+ /* try to use invalid memslot group/slot */
-+ g_test_add_func("/server/memslot-invalid-addresses", test_memslot_invalid_addresses);
-+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/group_id", test_memslot_invalid_group_id);
-+ g_test_add_func("/server/memslot-invalid-addresses/subprocess/slot_id", test_memslot_invalid_slot_id);
-+
- /* try to create a surface with no issues, should succeed */
- g_test_add_func("/server/qxl-parsing-no-issues", test_no_issues);
-
diff --git a/SOURCES/spice-0.14.0.tar.bz2.sign b/SOURCES/spice-0.14.0.tar.bz2.sign
deleted file mode 100644
index 37d8fe2..0000000
--- a/SOURCES/spice-0.14.0.tar.bz2.sign
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEElKn3VmH3emFoZJsjqdjCFCmsbIIFAlneAaYACgkQqdjCFCms
-bIJupA//TUYdq6tx777hplIgm4q6M8Szh8XnYEvmj8UUrVWJ2Js4fRgtIRnR/u0I
-Drwn2pf5QIjpfhf7EFFhyAuErG9MeiL5Z9SM2WmOgNkPfATJ7tf0VsKQjH11axip
-n9atFPz6Jb6IEI56oidhySYz9Rgvicw45yEui7ncMKsST3zTQlWfI+n6Mv48dkiJ
-bUYauebvEzPuG5ecaILmHreVxDLh9/SyTKOc3+F46epkyyCxPQDX7JLK/+081Z3l
-jUaMlyb0GROsY43c88Lb4H0jbsLlqfUNk5ztxvplwMXOFAgrOwbrIsLaOHSwzegc
-5ZknyTwbQOx8CGLS91pgqbyyRKLMrTbMYU4KDfizQIqkNKDvQUohENcKe66aeUAk
-LLEvud0VVFZSg+VEm/ISU/8Rua7DSR2tcA04bQg6ei0d/QM0hpXsL7AOB+H3ha0m
-vqBrz3ivfvDh17pFCpaSCuRi5DSlT5OW6nML1Pd8w+MbrJmu/757bNpdfhynDSq+
-KWmhPIChvChA0f8LfmxGXYqcfNAZ9Ss59SkFLHEaPT49TQR9jZT9jtiHre0GV4WU
-RS+CmivFB7fPlONYVOJ2i8mGT9dtVf5SfHwLLgaWzUG5aDK0KSK2o21G4Ajr6bXl
-yVDP2EeAjK4WsyD8AvWM3tzSbqnGryA8ErijFZCYuP+HNzrIUeE=
-=ufAb
------END PGP SIGNATURE-----
diff --git a/SOURCES/spice-0.14.2.tar.bz2.sig b/SOURCES/spice-0.14.2.tar.bz2.sig
new file mode 100644
index 0000000..d145839
Binary files /dev/null and b/SOURCES/spice-0.14.2.tar.bz2.sig differ
diff --git a/SPECS/spice.spec b/SPECS/spice.spec
index ddc6cd9..725f405 100644
--- a/SPECS/spice.spec
+++ b/SPECS/spice.spec
@@ -1,15 +1,13 @@
Name: spice
-Version: 0.14.0
-Release: 7%{?dist}
+Version: 0.14.2
+Release: 1%{?dist}
Summary: Implements the SPICE protocol
Group: User Interface/Desktops
License: LGPLv2+
-URL: http://www.spice-space.org/
-Source0: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
-Source1: http://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
-Source2: cfergeau-29AC6C82.keyring
-Patch1: 0001-Fix-flexible-array-buffer-overflow.patch
-Patch2: 0002-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
+URL: https://www.spice-space.org/
+Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
+Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sig
+Source2: victortoso-E37A484F.keyring
# https://bugzilla.redhat.com/show_bug.cgi?id=613529
%if 0%{?rhel} && 0%{?rhel} <= 7
@@ -19,8 +17,8 @@ ExclusiveArch: %{ix86} x86_64 %{arm} aarch64
%endif
BuildRequires: pkgconfig
-BuildRequires: glib2-devel >= 2.22
-BuildRequires: spice-protocol >= 0.12.3
+BuildRequires: glib2-devel >= 2.38
+BuildRequires: spice-protocol >= 0.14.0
BuildRequires: celt051-devel
BuildRequires: opus-devel
BuildRequires: pixman-devel openssl-devel libjpeg-devel
@@ -76,7 +74,12 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%build
%define configure_client --disable-client
-%configure --enable-smartcard --disable-client --enable-lz4 --enable-gstreamer=1.0
+%configure \
+ --enable-smartcard \
+ --disable-client \
+ --enable-lz4 \
+ --enable-celt051 \
+ --enable-gstreamer=1.0
make %{?_smp_mflags} WARN_CFLAGS='' V=1
@@ -103,6 +106,15 @@ mkdir -p %{buildroot}%{_libexecdir}
%changelog
+* Fri May 17 2019 Victor Toso <victortoso@redhat.com> - 0.14.2-1
+- Update to 0.14.2
+ Resolves: rhbz#1562123
+
+* Fri May 10 2019 Victor Toso <victortoso@redhat.com> - 0.14.0-8
+- Fix builds on 8.1.0 branch
+- Fix gating test (add bug)
+ Resolves: rhbz#1686518
+
* Tue Dec 18 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-7
- Fix off-by-one error during guest-to-host memory address conversion
Resolves: CVE-2019-3813