diff --git a/SOURCES/0005-websocket-Fix-possible-integer-overflow.patch b/SOURCES/0005-websocket-Fix-possible-integer-overflow.patch
new file mode 100644
index 0000000..cbb2b1c
--- /dev/null
+++ b/SOURCES/0005-websocket-Fix-possible-integer-overflow.patch
@@ -0,0 +1,32 @@
+From b8f4d7d2c7a3d08a82f4bc7588cdff15cee54292 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Tue, 16 Jun 2020 11:49:19 +0100
+Subject: [PATCH] websocket: Fix possible integer overflow
+
+The shift of a uint_8 number by a number > 32 causes an overflow.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ server/websocket.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/server/websocket.c b/server/websocket.c
+index f5df63f8..82b20b49 100644
+--- a/server/websocket.c
++++ b/server/websocket.c
+@@ -165,8 +165,9 @@ static uint64_t extract_length(const uint8_t *buf, int *used)
+ case LENGTH_64BIT:
+ *used += 8;
+ outlen = 0;
+- for (i = 56; i >= 0; i -= 8) {
+- outlen |= (*buf++) << i;
++ for (i = 0; i < 8; ++i) {
++ outlen <<= 8;
++ outlen |= *buf++;
+ }
+ break;
+
+--
+2.26.2
+
diff --git a/SOURCES/0006-test-websocket-check-setsockopt-return-value.patch b/SOURCES/0006-test-websocket-check-setsockopt-return-value.patch
new file mode 100644
index 0000000..7095610
--- /dev/null
+++ b/SOURCES/0006-test-websocket-check-setsockopt-return-value.patch
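Review bot: In the `LENGTH_64BIT` branch of `extract_length` (server/websocket.c, carried here as patch 0005), the reassembled 64-bit length comes straight from the frame header sent by the peer, and nothing in the visible lines bounds it. RFC 6455 requires the most significant bit of the 64-bit payload length to be 0, so it is worth confirming that the caller rejects or caps oversized values before the result is used as an allocation or copy size; the rest of the function and its callers are outside this hunk. The loop itself would benefit from a comment recording why it is written this way, for example `/* big-endian; accumulate in the uint64_t: a uint8_t promotes to int, so shifting it left by 24 bits or more can overflow */`. That also makes clear to anyone assessing a backport that the old expression was already unsafe at a shift of 24 when the byte's top bit was set, not only for shifts of 32 and above.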
@@ -0,0 +1,41 @@ +From 954eabaeb76a0f93a32210b6bf63157ad2c0fb22 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 17 Jun 2020 11:52:05 +0300 +Subject: [PATCH] test-websocket: check setsockopt return value + +Acked-by: Frediano Ziglio +--- + server/tests/test-websocket.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/server/tests/test-websocket.c b/server/tests/test-websocket.c +index 2115411e..701f5408 100644 +--- a/server/tests/test-websocket.c ++++ b/server/tests/test-websocket.c +@@ -146,7 +146,10 @@ main(int argc, char **argv) + } + + int enable = 1; +- setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &enable, sizeof(enable)); ++ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, ++ (const void *) &enable, sizeof(enable)) < 0) { ++ err(1, "setsockopt reuseaddr"); ++ } + + if (non_blocking) { + red_socket_set_non_blocking(sock, true); +@@ -200,7 +203,10 @@ handle_client(int new_sock) + } + + int enable = 1; +- setsockopt(new_sock, SOL_TCP, TCP_NODELAY, (const void *) &enable, sizeof(enable)); ++ if (setsockopt(new_sock, SOL_TCP, TCP_NODELAY, ++ (const void *) &enable, sizeof(enable)) < 0) { ++ err(1, "setsockopt nodelay"); ++ } + + // wait header + wait_for(new_sock, POLLIN); +-- +2.26.2 + diff --git a/SPECS/spice.spec b/SPECS/spice.spec index 631428c..3556483 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,6 +1,6 @@ Name: spice Version: 0.14.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ @@ -13,6 +13,9 @@ Patch2: 0002-quic-Check-image-size-in-quic_decode_begin.patch Patch3: 0003-quic-Check-RLE-lengths.patch Patch4: 0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch +Patch5: 0005-websocket-Fix-possible-integer-overflow.patch +Patch6: 0006-test-websocket-check-setsockopt-return-value.patch + # https://bugzilla.redhat.com/show_bug.cgi?id=613529 %if 0%{?rhel} && 0%{?rhel} <= 7 ExclusiveArch: x86_64 
@@ -46,7 +49,6 @@ variety of machine architectures. %package server Summary: Implements the server side of the SPICE protocol Group: System Environment/Libraries -Obsoletes: spice-client < %{version}-%{release} %description server The Simple Protocol for Independent Computing Environments (SPICE) is @@ -110,6 +112,11 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog +* Wed Jun 17 2020 Uri Lublin - 0.14.3-3 +- Fix some static analyzer issues +- Removed Obsoletes line for spice-client + Related: rhbz#1840240 + * Mon Jun 1 2020 Frediano Ziglio - 0.14.3-2 - Fix multiple buffer overflows in QUIC decoding code Resolves: rhbz#1829946