diff --git a/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch b/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch
index 698e825..7afa627 100644
--- a/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch
+++ b/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch
@@ -1,7 +1,7 @@
-From fbc7799f94bb5d38421324a4270741e1ffe9d435 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Christophe Fergeau <cfergeau@redhat.com>
 Date: Fri, 25 May 2018 11:12:40 +0200
-Subject: [PATCH] sound: Don't mute recording when client reconnects
+Subject: [spice-server] sound: Don't mute recording when client reconnects
 
 When a new record channel is added, the code relies on a snd_send() call
 in record_channel_client_constructed() to send RECORD_START to the
@@ -223,6 +223,3 @@ index 9073626..8c6cf8a 100644
      object_class->finalize = record_channel_client_finalize;
  }
  
--- 
-2.17.1
-
diff --git a/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch
deleted file mode 100644
index 6c5eaec..0000000
--- a/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch
+++ /dev/null
@@ -1,301 +0,0 @@
-From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Fri, 18 May 2018 11:41:57 +0100
-Subject: [PATCH] Fix flexible array buffer overflow
-
-This is kind of a DoS, possibly flexible array in the protocol
-causes the network size check to be ignored due to integer overflows.
-
-The size of flexible array is computed as (message_end - position),
-then this size is added to the number of bytes before the array and
-this number is used to check if we overflow initial message.
-
-An example is:
-
-    message {
-        uint32 dummy[2];
-        uint8 data[] @end;
-    } LenMessage;
-
-which generated this (simplified remove useless code) code:
-
-    { /* data */
-        data__nelements = message_end - (start + 8);
-
-        data__nw_size = data__nelements;
-    }
-
-    nw_size = 8 + data__nw_size;
-
-    /* Check if message fits in reported side */
-    if (nw_size > (uintptr_t) (message_end - start)) {
-        return NULL;
-    }
-
-Following code:
-- data__nelements == message_end - (start + 8)
-- data__nw_size == data__nelements == message_end - (start + 8)
-- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
-  8 + message_end - start - 8 == message_end -start
-- the check for overflow is (nw_size > (message_end - start)) but
-  nw_size == message_end - start so the check is doing
-  ((message_end - start) > (message_end - start)) which is always false.
-
-If message_end - start < 8 then data__nelements (number of element
-on the array above) computation generate an integer underflow that
-later create a buffer overflow.
-
-Add a check to make sure that the array starts before the message ends
-to avoid the overflow.
-
-Difference is:
-    diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c
-    --- save/generated_client_demarshallers1.c	2018-06-22 22:13:48.626793919 +0100
-    +++ common/generated_client_demarshallers1.c	2018-06-22 22:14:03.408163291 +0100
-    @@ -225,6 +225,9 @@
-         uint64_t data__nelements;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 0);
-
-             data__nw_size = data__nelements;
-    @@ -243,6 +246,9 @@
-         *free_message = nofree;
-         return data;
-
-    +   error:
-    +    free(data);
-    +    return NULL;
-     }
-
-     static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
-    @@ -301,6 +307,9 @@
-         SpiceMsgPing *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 12) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 12);
-
-             data__nw_size = data__nelements;
-    @@ -5226,6 +5235,9 @@
-             uint64_t cursor_data__nw_size;
-             uint64_t cursor_data__nelements;
-             { /* data */
-    +            if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
-    +                goto error;
-    +            }
-                 cursor_data__nelements = message_end - (start2 + 22);
-
-                 cursor_data__nw_size = cursor_data__nelements;
-    @@ -5305,6 +5317,9 @@
-             uint64_t cursor_data__nw_size;
-             uint64_t cursor_data__nelements;
-             { /* data */
-    +            if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
-    +                goto error;
-    +            }
-                 cursor_data__nelements = message_end - (start2 + 22);
-
-                 cursor_data__nw_size = cursor_data__nelements;
-    @@ -5540,6 +5555,9 @@
-         SpiceMsgPlaybackPacket *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 4);
-
-             data__nw_size = data__nelements;
-    @@ -5594,6 +5612,9 @@
-         SpiceMsgPlaybackMode *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 8) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 8);
-
-             data__nw_size = data__nelements;
-    diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c
-    --- save/generated_client_demarshallers.c	2018-06-22 22:13:48.626793919 +0100
-    +++ common/generated_client_demarshallers.c	2018-06-22 22:14:03.004153195 +0100
-    @@ -225,6 +225,9 @@
-         uint64_t data__nelements;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 0);
-
-             data__nw_size = data__nelements;
-    @@ -243,6 +246,9 @@
-         *free_message = nofree;
-         return data;
-
-    +   error:
-    +    free(data);
-    +    return NULL;
-     }
-
-     static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
-    @@ -301,6 +307,9 @@
-         SpiceMsgPing *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 12) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 12);
-
-             data__nw_size = data__nelements;
-    @@ -6574,6 +6583,9 @@
-             }
-
-             { /* data */
-    +            if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
-    +                goto error;
-    +            }
-                 cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
-
-                 cursor_data__nw_size = cursor_data__nelements;
-    @@ -6670,6 +6682,9 @@
-             }
-
-             { /* data */
-    +            if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
-    +                goto error;
-    +            }
-                 cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
-
-                 cursor_data__nw_size = cursor_data__nelements;
-    @@ -6907,6 +6922,9 @@
-         SpiceMsgPlaybackPacket *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 4);
-
-             data__nw_size = data__nelements;
-    @@ -6961,6 +6979,9 @@
-         SpiceMsgPlaybackMode *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 6) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 6);
-
-             data__nw_size = data__nelements;
-    @@ -7559,6 +7580,9 @@
-         SpiceMsgTunnelSocketData *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 2);
-
-             data__nw_size = data__nelements;
-    @@ -7840,6 +7864,9 @@
-         }
-
-         { /* compressed_data */
-    +        if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
-    +            goto error;
-    +        }
-             compressed_data__nelements = message_end - (start + 1 + u__nw_size);
-
-             compressed_data__nw_size = compressed_data__nelements;
-    diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c
-    --- save/generated_server_demarshallers.c	2018-06-22 22:13:48.627793944 +0100
-    +++ common/generated_server_demarshallers.c	2018-06-22 22:14:05.231208847 +0100
-    @@ -306,6 +306,9 @@
-         uint64_t data__nelements;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 0);
-
-             data__nw_size = data__nelements;
-    @@ -324,6 +327,9 @@
-         *free_message = nofree;
-         return data;
-
-    +   error:
-    +    free(data);
-    +    return NULL;
-     }
-
-     static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
-    @@ -1259,6 +1265,9 @@
-         SpiceMsgcRecordPacket *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 4);
-
-             data__nw_size = data__nelements;
-    @@ -1313,6 +1322,9 @@
-         SpiceMsgcRecordMode *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 6) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 6);
-
-             data__nw_size = data__nelements;
-    @@ -1841,6 +1853,9 @@
-         SpiceMsgcTunnelSocketData *out;
-
-         { /* data */
-    +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
-    +            goto error;
-    +        }
-             data__nelements = message_end - (start + 2);
-
-             data__nw_size = data__nelements;
-    @@ -2057,6 +2072,9 @@
-         }
-
-         { /* compressed_data */
-    +        if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
-    +            goto error;
-    +        }
-             compressed_data__nelements = message_end - (start + 1 + u__nw_size);
-
-             compressed_data__nw_size = compressed_data__nelements;
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
----
- spice-common/python_modules/demarshal.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
-index 1ea131d..7172762 100644
---- a/spice-common/python_modules/demarshal.py
-+++ b/spice-common/python_modules/demarshal.py
-@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
-         writer.assign(nelements, array.size)
-     elif array.is_remaining_length():
-         if element_type.is_fixed_nw_size():
-+            writer.error_check("%s > message_end" % item.get_position())
-             if element_type.get_fixed_nw_size() == 1:
-                 writer.assign(nelements, "message_end - %s" % item.get_position())
-             else:
--- 
-2.17.1
-
diff --git a/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch
new file mode 100644
index 0000000..1db419a
--- /dev/null
+++ b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch
@@ -0,0 +1,167 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Mon, 18 Jun 2018 12:39:37 +0200
+Subject: [spice-server] tls: Parse spice.cnf OpenSSL configuration file
+
+SPICE tries to use the OpenSSL system-wide defaults as much as possible
+for the TLS ciphers and protocols it uses. However, this is not enough
+for some customers who want it to use a more restrictive set of TLS
+features. spice-server should not try to override the system defaults
+OpenSSL uses, so this is not going to be hardcoded in spice-server code.
+
+This is addressed with crypto policies in recent fedoras, and is being
+solved upstream through https://github.com/openssl/openssl/pull/4848
+This issue has become pressing enough that we need to solve it in el7
+which unfortunately does not have any of these system-wide settings.
+
+As a stop-gap measure, this downstream-only patch adds a
+/etc/pki/tls/spice.cnf configuration file which can be used to configure
+the TLS ciphers/protocols used for SPICE. This is only meant to be a
+temporary solution, and will be superseded by crypto-policies when they
+land in RHEL.
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+---
+ docs/Makefile.am |   1 +
+ server/reds.c    | 102 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 103 insertions(+)
+
+diff --git a/docs/Makefile.am b/docs/Makefile.am
+index 45667a6..909ed15 100644
+--- a/docs/Makefile.am
++++ b/docs/Makefile.am
+@@ -6,6 +6,7 @@ EXTRA_DIST =					\
+ 	spice_style.txt				\
+ 	spice_threading_model.html		\
+ 	spice_threading_model.txt		\
++	spice.cnf.sample			\
+ 	$(NULL)
+ 
+ if BUILD_MANUAL
+diff --git a/server/reds.c b/server/reds.c
+index 0af5643..846e44d 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -33,6 +33,7 @@
+ #include <sys/mman.h>
+ #include <ctype.h>
+ 
++#include <openssl/conf.h>
+ #include <openssl/err.h>
+ 
+ #if HAVE_SASL
+@@ -2827,6 +2828,102 @@ static gpointer openssl_global_init(gpointer arg)
+     return NULL;
+ }
+ 
++#define SPICE_OPENSSL_CNF_FILENAME "/etc/pki/tls/spice.cnf"
++
++static int reds_ssl_config_file_apply(RedsState *reds, STACK_OF(CONF_VALUE) *sect)
++{
++    int openssl_status;
++    int return_value = 0;
++    SSL_CONF_CTX *cctx = NULL;
++    unsigned int i;
++
++    cctx = SSL_CONF_CTX_new();
++    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
++    SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
++    SSL_CONF_CTX_set_ssl_ctx(cctx, reds->ctx);
++
++    for (i = 0; i < sk_CONF_VALUE_num(sect); i++) {
++        CONF_VALUE *option_value;
++        option_value = sk_CONF_VALUE_value(sect, i);
++        g_message("setting TLS option '%s' to '%s' from %s configuration file",
++                   option_value->name, option_value->value,
++                   SPICE_OPENSSL_CNF_FILENAME);
++        openssl_status = SSL_CONF_cmd(cctx, option_value->name, option_value->value);
++        switch(openssl_status) {
++        case 1: /* fallthrough */
++        case 2:
++            /* The option was successfully processed */
++            break;
++        case 0:
++            g_warning("failure to set option '%s'", option_value->name);
++            return_value = -1;
++            break;
++        case -2:
++            g_warning("unknown option '%s'", option_value->name);
++            return_value = -1;
++            break;
++        case -3:
++            g_warning("missing value for option '%s'", option_value->name);
++            return_value = -1;
++            break;
++        default:
++            g_warning("unknown SSL_CONF_cmd return value: %d", openssl_status);
++            return_value = -1;
++            break;
++        }
++    }
++
++    openssl_status = SSL_CONF_CTX_finish(cctx);
++    if (!openssl_status) {
++        g_warning("SSL_CONF_CTX_finish() failed");
++        return_value = -1;
++    }
++
++    SSL_CONF_CTX_free(cctx);
++
++    return return_value;
++}
++
++static int reds_ssl_config_file_try_load(RedsState *reds)
++{
++    int status = -1;
++    int openssl_status;
++    CONF *ssl_conf = NULL;
++    STACK_OF(CONF_VALUE) *default_section;
++    long error_line = -1;
++
++    if (!g_file_test(SPICE_OPENSSL_CNF_FILENAME, G_FILE_TEST_IS_REGULAR)) {
++        /* The configuration file is not mandatory, it's only meant to be used
++         * when the sysadmin does not want to use the system-wide OpenSSL defaults
++         */
++        return 0;
++    }
++
++    ssl_conf = NCONF_new(NULL);
++    openssl_status = NCONF_load(ssl_conf, SPICE_OPENSSL_CNF_FILENAME, &error_line);
++    if (openssl_status <= 0) {
++        if (error_line <= 0) {
++            g_warning("error loading config file %s", SPICE_OPENSSL_CNF_FILENAME);
++        } else {
++            g_warning("error parsing config file %s at %ld", SPICE_OPENSSL_CNF_FILENAME, error_line);
++        }
++        goto end;
++    }
++
++    default_section = NCONF_get_section(ssl_conf, "default");
++    if (default_section == NULL) {
++        g_warning("could not find any content in %s config file (no toplevel section?)", SPICE_OPENSSL_CNF_FILENAME);
++        goto end;
++    }
++
++    status = reds_ssl_config_file_apply(reds, default_section);
++
++end:
++    NCONF_free(ssl_conf);
++
++    return status;
++}
++
+ static int reds_init_ssl(RedsState *reds)
+ {
+     static GOnce openssl_once = G_ONCE_INIT;
+@@ -2911,6 +3008,11 @@ static int reds_init_ssl(RedsState *reds)
+     sk_zero(cmp_stack);
+ #endif
+ 
++    /* must be last to override whatever was configured previously */
++    if (reds_ssl_config_file_try_load(reds) != 0) {
++        return -1;
++    }
++
+     return 0;
+ }
+ 
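Review bot: In `reds_ssl_config_file_apply()` the result of `SSL_CONF_CTX_new()` goes straight into `SSL_CONF_CTX_set_flags()` with no NULL check, and `reds_ssl_config_file_try_load()` does the same with `NCONF_new(NULL)`. An allocation failure while the TLS policy is being applied therefore becomes a NULL dereference instead of the `-1` that `reds_init_ssl()` already handles. A guard such as `if (cctx == NULL) { g_warning("SSL_CONF_CTX_new() failed"); return -1; }`, with the equivalent `if (ssl_conf == NULL) return -1;`, keeps this path fail-closed. Separately, the `g_file_test(..., G_FILE_TEST_IS_REGULAR)` early return treats a `spice.cnf` that exists but is not a regular file the same as an absent one, so the server would start on the system defaults with no log line; a `g_warning` in that case would make a misinstalled policy file visible. The loop index `i` is `unsigned int` while `sk_CONF_VALUE_num()` returns `int`, so declaring `i` as `int` avoids the mixed-sign comparison.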
diff --git a/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch b/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch
new file mode 100644
index 0000000..16ad761
--- /dev/null
+++ b/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch
@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Wed, 20 Jun 2018 17:02:14 +0200
+Subject: [spice-server] ssl: Allow to use ECDH ciphers with OpenSSL 1.0
+
+Without an explicit call to SSL_CTX_set_ecdh_auto(reds->ctx, 1), OpenSSL
+1.0 (still used by el7) would not use ECDH ciphers (this is now
+automatic with OpenSSL 1.1.0). This commit adds this missing call. It's
+based on a suggestion from David Jasa
+
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1566597
+---
+ server/reds.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 846e44d..a7b9c38 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2955,6 +2955,7 @@ static int reds_init_ssl(RedsState *reds)
+     ssl_options |= SSL_OP_NO_COMPRESSION;
+ #endif
+     SSL_CTX_set_options(reds->ctx, ssl_options);
++    SSL_CTX_set_ecdh_auto(reds->ctx, 1);
+ 
+     /* Load our keys and certificates*/
+     return_code = SSL_CTX_use_certificate_chain_file(reds->ctx, reds->config->ssl_parameters.certs_file);
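Review bot: The added `SSL_CTX_set_ecdh_auto(reds->ctx, 1);` is unguarded and its result is discarded. As far as I know the macro first appeared in OpenSSL 1.0.2 and is a no-op from 1.1.0 on. A version guard such as `#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L` around the call would document which builds need it and keep older 1.0.x builds compiling. A one-line comment such as `/* OpenSSL 1.0.2 only negotiates ECDHE suites once a curve is selected */` would also explain why the call sits next to `SSL_CTX_set_options()`. The body of `reds_init_ssl()` starts and ends outside this hunk.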
diff --git a/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch
new file mode 100644
index 0000000..6c5eaec
--- /dev/null
+++ b/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch
@@ -0,0 +1,301 @@
+From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: [PATCH] Fix flexible array buffer overflow
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+    message {
+        uint32 dummy[2];
+        uint8 data[] @end;
+    } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+    { /* data */
+        data__nelements = message_end - (start + 8);
+
+        data__nw_size = data__nelements;
+    }
+
+    nw_size = 8 + data__nw_size;
+
+    /* Check if message fits in reported side */
+    if (nw_size > (uintptr_t) (message_end - start)) {
+        return NULL;
+    }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+  8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+  nw_size == message_end - start so the check is doing
+  ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Difference is:
+    diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c
+    --- save/generated_client_demarshallers1.c	2018-06-22 22:13:48.626793919 +0100
+    +++ common/generated_client_demarshallers1.c	2018-06-22 22:14:03.408163291 +0100
+    @@ -225,6 +225,9 @@
+         uint64_t data__nelements;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 0);
+
+             data__nw_size = data__nelements;
+    @@ -243,6 +246,9 @@
+         *free_message = nofree;
+         return data;
+
+    +   error:
+    +    free(data);
+    +    return NULL;
+     }
+
+     static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
+    @@ -301,6 +307,9 @@
+         SpiceMsgPing *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 12) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 12);
+
+             data__nw_size = data__nelements;
+    @@ -5226,6 +5235,9 @@
+             uint64_t cursor_data__nw_size;
+             uint64_t cursor_data__nelements;
+             { /* data */
+    +            if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
+    +                goto error;
+    +            }
+                 cursor_data__nelements = message_end - (start2 + 22);
+
+                 cursor_data__nw_size = cursor_data__nelements;
+    @@ -5305,6 +5317,9 @@
+             uint64_t cursor_data__nw_size;
+             uint64_t cursor_data__nelements;
+             { /* data */
+    +            if (SPICE_UNLIKELY((start2 + 22) > message_end)) {
+    +                goto error;
+    +            }
+                 cursor_data__nelements = message_end - (start2 + 22);
+
+                 cursor_data__nw_size = cursor_data__nelements;
+    @@ -5540,6 +5555,9 @@
+         SpiceMsgPlaybackPacket *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 4);
+
+             data__nw_size = data__nelements;
+    @@ -5594,6 +5612,9 @@
+         SpiceMsgPlaybackMode *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 8) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 8);
+
+             data__nw_size = data__nelements;
+    diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c
+    --- save/generated_client_demarshallers.c	2018-06-22 22:13:48.626793919 +0100
+    +++ common/generated_client_demarshallers.c	2018-06-22 22:14:03.004153195 +0100
+    @@ -225,6 +225,9 @@
+         uint64_t data__nelements;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 0);
+
+             data__nw_size = data__nelements;
+    @@ -243,6 +246,9 @@
+         *free_message = nofree;
+         return data;
+
+    +   error:
+    +    free(data);
+    +    return NULL;
+     }
+
+     static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
+    @@ -301,6 +307,9 @@
+         SpiceMsgPing *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 12) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 12);
+
+             data__nw_size = data__nelements;
+    @@ -6574,6 +6583,9 @@
+             }
+
+             { /* data */
+    +            if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
+    +                goto error;
+    +            }
+                 cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
+
+                 cursor_data__nw_size = cursor_data__nelements;
+    @@ -6670,6 +6682,9 @@
+             }
+
+             { /* data */
+    +            if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) {
+    +                goto error;
+    +            }
+                 cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size);
+
+                 cursor_data__nw_size = cursor_data__nelements;
+    @@ -6907,6 +6922,9 @@
+         SpiceMsgPlaybackPacket *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 4);
+
+             data__nw_size = data__nelements;
+    @@ -6961,6 +6979,9 @@
+         SpiceMsgPlaybackMode *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 6) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 6);
+
+             data__nw_size = data__nelements;
+    @@ -7559,6 +7580,9 @@
+         SpiceMsgTunnelSocketData *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 2);
+
+             data__nw_size = data__nelements;
+    @@ -7840,6 +7864,9 @@
+         }
+
+         { /* compressed_data */
+    +        if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
+    +            goto error;
+    +        }
+             compressed_data__nelements = message_end - (start + 1 + u__nw_size);
+
+             compressed_data__nw_size = compressed_data__nelements;
+    diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c
+    --- save/generated_server_demarshallers.c	2018-06-22 22:13:48.627793944 +0100
+    +++ common/generated_server_demarshallers.c	2018-06-22 22:14:05.231208847 +0100
+    @@ -306,6 +306,9 @@
+         uint64_t data__nelements;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 0) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 0);
+
+             data__nw_size = data__nelements;
+    @@ -324,6 +327,9 @@
+         *free_message = nofree;
+         return data;
+
+    +   error:
+    +    free(data);
+    +    return NULL;
+     }
+
+     static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message)
+    @@ -1259,6 +1265,9 @@
+         SpiceMsgcRecordPacket *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 4) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 4);
+
+             data__nw_size = data__nelements;
+    @@ -1313,6 +1322,9 @@
+         SpiceMsgcRecordMode *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 6) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 6);
+
+             data__nw_size = data__nelements;
+    @@ -1841,6 +1853,9 @@
+         SpiceMsgcTunnelSocketData *out;
+
+         { /* data */
+    +        if (SPICE_UNLIKELY((start + 2) > message_end)) {
+    +            goto error;
+    +        }
+             data__nelements = message_end - (start + 2);
+
+             data__nw_size = data__nelements;
+    @@ -2057,6 +2072,9 @@
+         }
+
+         { /* compressed_data */
+    +        if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) {
+    +            goto error;
+    +        }
+             compressed_data__nelements = message_end - (start + 1 + u__nw_size);
+
+             compressed_data__nw_size = compressed_data__nelements;
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ spice-common/python_modules/demarshal.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
+index 1ea131d..7172762 100644
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
+         writer.assign(nelements, array.size)
+     elif array.is_remaining_length():
+         if element_type.is_fixed_nw_size():
++            writer.error_check("%s > message_end" % item.get_position())
+             if element_type.get_fixed_nw_size() == 1:
+                 writer.assign(nelements, "message_end - %s" % item.get_position())
+             else:
+-- 
+2.17.1
+
diff --git a/SPECS/spice.spec b/SPECS/spice.spec
index 3eb478f..b8ae490 100644
--- a/SPECS/spice.spec
+++ b/SPECS/spice.spec
@@ -1,6 +1,6 @@
 Name:           spice
 Version:        0.14.0
-Release:        2%{?dist}.5
+Release:        6%{?dist}
 Summary:        Implements the SPICE protocol
 Group:          User Interface/Desktops
 License:        LGPLv2+
@@ -29,7 +29,9 @@ Patch20:        0020-stream-channel-Activate-streaming-report-from-client.patch
 Patch21:        0021-reds-Disable-TLS-1.0.patch
 Patch22:        0022-cursor-Delay-release-of-QXL-guest-cursor-resources.patch
 Patch23:        0023-sound-Don-t-mute-recording-when-client-reconnects.patch
-Patch24:        0024-Fix-flexible-array-buffer-overflow.patch
+Patch24:        0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch
+Patch25:        0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch
+Patch26:        0026-Fix-flexible-array-buffer-overflow.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=613529
 %if 0%{?rhel}
@@ -119,27 +121,28 @@ mkdir -p %{buildroot}%{_libexecdir}
 
 
 %changelog
-* Thu Aug 09 2018 Frediano Ziglio <fziglio@redhat.com> - 0.14.0-2.5
+* Thu Aug 09 2018 Frediano Ziglio <fziglio@redhat.com> - 0.14.0-6
 - Fix flexible array buffer overflow
   Resolves: rhbz#1596008
 
-* Tue Jun 12 2018 Victor Toso <victortoso@redhat.com> - 0.14.0-2.4
+* Wed Jun 20 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-5
 - Don't mute Record channel on client reconnection
-  Resolves: rhbz#1582601
-
-* Fri Apr 27 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-2.3
+  Resolves: rhbz#1549132
+- Allow to configure TLS protocol versions and ciphers which SPICE will use for
+  TLS communications
+  Resolves: rhbz#1562213
+- Enable ECDH ciphers with OpenSSL 1.0
+  Resolves: rhbz#1566597
+
+* Fri Apr 27 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-4
 - Revert back to spice 0.12 behaviour where QXL guest resources for cursor
   commands are only released when the current cursor is replaced. This avoids
   a QEMU regression causing crashes during migration
-  Resolves: rhbz#1572489
-
-* Mon Mar 19 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-2.2
-- Rebuild for missing changelog entry
-  Related: rhbz#1551072
+  Resolves: rhbz#1567944
 
-* Thu Mar 15 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-2.1
+* Tue Apr 03 2018 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-3
 - Disable TLSv1.0
-  Related: rhbz#1551072
+  Resolves: rhbz#1521053
 
 * Thu Oct 12 2017 Christophe Fergeau <cfergeau@redhat.com> - 0.14.0-2
 - Add streaming patches for use with spice-streaming-agent