diff --git a/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch b/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch index 698e825..7afa627 100644 --- a/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch +++ b/SOURCES/0023-sound-Don-t-mute-recording-when-client-reconnects.patch @@ -1,7 +1,7 @@ -From fbc7799f94bb5d38421324a4270741e1ffe9d435 Mon Sep 17 00:00:00 2001 +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Christophe Fergeau Date: Fri, 25 May 2018 11:12:40 +0200 -Subject: [PATCH] sound: Don't mute recording when client reconnects +Subject: [spice-server] sound: Don't mute recording when client reconnects When a new record channel is added, the code relies on a snd_send() call in record_channel_client_constructed() to send RECORD_START to the @@ -223,6 +223,3 @@ index 9073626..8c6cf8a 100644 object_class->finalize = record_channel_client_finalize; } --- -2.17.1 - diff --git a/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch deleted file mode 100644 index 6c5eaec..0000000 --- a/SOURCES/0024-Fix-flexible-array-buffer-overflow.patch +++ /dev/null 
@@ -1,301 +0,0 @@ -From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Fri, 18 May 2018 11:41:57 +0100 -Subject: [PATCH] Fix flexible array buffer overflow - -This is kind of a DoS, possibly flexible array in the protocol -causes the network size check to be ignored due to integer overflows. - -The size of flexible array is computed as (message_end - position), -then this size is added to the number of bytes before the array and -this number is used to check if we overflow initial message. - -An example is: - - message { - uint32 dummy[2]; - uint8 data[] @end; - } LenMessage; - -which generated this (simplified remove useless code) code: - - { /* data */ - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - } - - nw_size = 8 + data__nw_size; - - /* Check if message fits in reported side */ - if (nw_size > (uintptr_t) (message_end - start)) { - return NULL; - } - -Following code: -- data__nelements == message_end - (start + 8) -- data__nw_size == data__nelements == message_end - (start + 8) -- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == - 8 + message_end - start - 8 == message_end -start -- the check for overflow is (nw_size > (message_end - start)) but - nw_size == message_end - start so the check is doing - ((message_end - start) > (message_end - start)) which is always false. - -If message_end - start < 8 then data__nelements (number of element -on the array above) computation generate an integer underflow that -later create a buffer overflow. - -Add a check to make sure that the array starts before the message ends -to avoid the overflow. - -Difference is: - diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c - --- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 - +++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 - 
@@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -5226,6 +5235,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5305,6 +5317,9 @@ - uint64_t cursor_data__nw_size; - uint64_t cursor_data__nelements; - { /* data */ - + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 22); - - cursor_data__nw_size = cursor_data__nelements; - @@ -5540,6 +5555,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -5594,6 +5612,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 8) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 8); - - data__nw_size = data__nelements; - diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c - --- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 - +++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 - @@ -225,6 +225,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -243,6 +246,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -301,6 +307,9 @@ - SpiceMsgPing *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 12) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 12); - - data__nw_size = data__nelements; - @@ -6574,6 +6583,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6670,6 +6682,9 @@ - } - - { /* data */ - + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { - + goto error; - + } - cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); - - cursor_data__nw_size = cursor_data__nelements; - @@ -6907,6 +6922,9 @@ - SpiceMsgPlaybackPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - 
@@ -6961,6 +6979,9 @@ - SpiceMsgPlaybackMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - @@ -7559,6 +7580,9 @@ - SpiceMsgTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -7840,6 +7864,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c - --- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 - +++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 - @@ -306,6 +306,9 @@ - uint64_t data__nelements; - - { /* data */ - + if (SPICE_UNLIKELY((start + 0) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 0); - - data__nw_size = data__nelements; - @@ -324,6 +327,9 @@ - *free_message = nofree; - return data; - - + error: - + free(data); - + return NULL; - } - - static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) - @@ -1259,6 +1265,9 @@ - SpiceMsgcRecordPacket *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 4) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 4); - - data__nw_size = data__nelements; - @@ -1313,6 +1322,9 @@ - SpiceMsgcRecordMode *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 6) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 6); - - data__nw_size = data__nelements; - 
@@ -1841,6 +1853,9 @@ - SpiceMsgcTunnelSocketData *out; - - { /* data */ - + if (SPICE_UNLIKELY((start + 2) > message_end)) { - + goto error; - + } - data__nelements = message_end - (start + 2); - - data__nw_size = data__nelements; - @@ -2057,6 +2072,9 @@ - } - - { /* compressed_data */ - + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { - + goto error; - + } - compressed_data__nelements = message_end - (start + 1 + u__nw_size); - - compressed_data__nw_size = compressed_data__nelements; - -Signed-off-by: Frediano Ziglio ---- - spice-common/python_modules/demarshal.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py -index 1ea131d..7172762 100644 ---- a/spice-common/python_modules/demarshal.py -+++ b/spice-common/python_modules/demarshal.py -@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star - writer.assign(nelements, array.size) - elif array.is_remaining_length(): - if element_type.is_fixed_nw_size(): -+ writer.error_check("%s > message_end" % item.get_position()) - if element_type.get_fixed_nw_size() == 1: - writer.assign(nelements, "message_end - %s" % item.get_position()) - else: --- -2.17.1 - diff --git a/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch new file mode 100644 index 0000000..1db419a --- /dev/null +++ b/SOURCES/0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch 
@@ -0,0 +1,167 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Mon, 18 Jun 2018 12:39:37 +0200 +Subject: [spice-server] tls: Parse spice.cnf OpenSSL configuration file + +SPICE tries to use the OpenSSL system-wide defaults as much as possible +for the TLS ciphers and protocols it uses. However, this is not enough +for some customers who want it to use a more restrictive set of TLS +features. spice-server should not try to override the system defaults +OpenSSL uses, so this is not going to be hardcoded in spice-server code. + +This is addressed with crypto policies in recent fedoras, and is being +solved upstream through https://github.com/openssl/openssl/pull/4848 +This issue has become pressing enough that we need to solve it in el7 +which unfortunately does not have any of these system-wide settings. + +As a stop-gap measure, this downstream-only patch adds a +/etc/pki/tls/spice.cnf configuration file which can be used to configure +the TLS ciphers/protocols used for SPICE. This is only meant to be a +temporary solution, and will be superseded by crypto-policies when they +land in RHEL. 
+ +Signed-off-by: Christophe Fergeau +--- + docs/Makefile.am | 1 + + server/reds.c | 102 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 103 insertions(+) + +diff --git a/docs/Makefile.am b/docs/Makefile.am +index 45667a6..909ed15 100644 +--- a/docs/Makefile.am ++++ b/docs/Makefile.am +@@ -6,6 +6,7 @@ EXTRA_DIST = \ + spice_style.txt \ + spice_threading_model.html \ + spice_threading_model.txt \ ++ spice.cnf.sample \ + $(NULL) + + if BUILD_MANUAL +diff --git a/server/reds.c b/server/reds.c +index 0af5643..846e44d 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -33,6 +33,7 @@ + #include + #include + ++#include + #include + + #if HAVE_SASL +@@ -2827,6 +2828,102 @@ static gpointer openssl_global_init(gpointer arg) + return NULL; + } + ++#define SPICE_OPENSSL_CNF_FILENAME "/etc/pki/tls/spice.cnf" ++ ++static int reds_ssl_config_file_apply(RedsState *reds, STACK_OF(CONF_VALUE) *sect) ++{ ++ int openssl_status; ++ int return_value = 0; ++ SSL_CONF_CTX *cctx = NULL; ++ unsigned int i; ++ ++ cctx = SSL_CONF_CTX_new(); ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); ++ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); ++ SSL_CONF_CTX_set_ssl_ctx(cctx, reds->ctx); ++ ++ for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ++ CONF_VALUE *option_value; ++ option_value = sk_CONF_VALUE_value(sect, i); ++ g_message("setting TLS option '%s' to '%s' from %s configuration file", ++ option_value->name, option_value->value, ++ SPICE_OPENSSL_CNF_FILENAME); ++ openssl_status = SSL_CONF_cmd(cctx, option_value->name, option_value->value); ++ switch(openssl_status) { ++ case 1: /* fallthrough */ ++ case 2: ++ /* The option was successfully processed */ ++ break; ++ case 0: ++ g_warning("failure to set option '%s'", option_value->name); ++ return_value = -1; ++ break; ++ case -2: ++ g_warning("unknown option '%s'", option_value->name); ++ return_value = -1; ++ break; ++ case -3: ++ g_warning("missing value for option '%s'", option_value->name); ++ return_value = 
-1; ++ break; ++ default: ++ g_warning("unknown SSL_CONF_cmd return value: %d", openssl_status); ++ return_value = -1; ++ break; ++ } ++ } ++ ++ openssl_status = SSL_CONF_CTX_finish(cctx); ++ if (!openssl_status) { ++ g_warning("SSL_CONF_CTX_finish() failed"); ++ return_value = -1; ++ } ++ ++ SSL_CONF_CTX_free(cctx); ++ ++ return return_value; ++} ++ ++static int reds_ssl_config_file_try_load(RedsState *reds) ++{ ++ int status = -1; ++ int openssl_status; ++ CONF *ssl_conf = NULL; ++ STACK_OF(CONF_VALUE) *default_section; ++ long error_line = -1; ++ ++ if (!g_file_test(SPICE_OPENSSL_CNF_FILENAME, G_FILE_TEST_IS_REGULAR)) { ++ /* The configuration file is not mandatory, it's only meant to be used ++ * when the sysadmin does not want to use the system-wide OpenSSL defaults ++ */ ++ return 0; ++ } ++ ++ ssl_conf = NCONF_new(NULL); ++ openssl_status = NCONF_load(ssl_conf, SPICE_OPENSSL_CNF_FILENAME, &error_line); ++ if (openssl_status <= 0) { ++ if (error_line <= 0) { ++ g_warning("error loading config file %s", SPICE_OPENSSL_CNF_FILENAME); ++ } else { ++ g_warning("error parsing config file %s at %ld", SPICE_OPENSSL_CNF_FILENAME, error_line); ++ } ++ goto end; ++ } ++ ++ default_section = NCONF_get_section(ssl_conf, "default"); ++ if (default_section == NULL) { ++ g_warning("could not find any content in %s config file (no toplevel section?)", SPICE_OPENSSL_CNF_FILENAME); ++ goto end; ++ } ++ ++ status = reds_ssl_config_file_apply(reds, default_section); ++ ++end: ++ NCONF_free(ssl_conf); ++ ++ return status; ++} ++ + static int reds_init_ssl(RedsState *reds) + { + static GOnce openssl_once = G_ONCE_INIT; +@@ -2911,6 +3008,11 @@ static int reds_init_ssl(RedsState *reds) + sk_zero(cmp_stack); + #endif + ++ /* must be last to override whatever was configured previously */ ++ if (reds_ssl_config_file_try_load(reds) != 0) { ++ return -1; ++ } ++ + return 0; + } + 
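Review bot: Both allocation results in the new reds.c code are used without a NULL check: `SSL_CONF_CTX_new()` in reds_ssl_config_file_apply is handed straight to `SSL_CONF_CTX_set_flags()`, and `NCONF_new(NULL)` in reds_ssl_config_file_try_load straight to `NCONF_load()`, so an allocation failure dereferences NULL instead of failing TLS setup cleanly. Add `if (cctx == NULL) { g_warning("SSL_CONF_CTX_new() failed"); return -1; }` after the first call and `if (ssl_conf == NULL) { g_warning("NCONF_new() failed"); goto end; }` after the second (NCONF_free() accepts NULL, so the existing `end:` label still works). On the failure arms of the `SSL_CONF_cmd()` switch and after `SSL_CONF_CTX_finish()` the OpenSSL error queue is never reported, which leaves the administrator with no detail on why a `CipherString`/`Protocol` line was rejected; logging `ERR_reason_error_string(ERR_get_error())` there would help. Since this file can widen the protocol set that patch 0021 narrowed (the "must be last to override" comment confirms the precedence), the function comment should state explicitly that spice.cnf settings take precedence over spice-server's built-in TLS hardening.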
diff --git a/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch b/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch new file mode 100644 index 0000000..16ad761 --- /dev/null +++ b/SOURCES/0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch @@ -0,0 +1,30 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Christophe Fergeau +Date: Wed, 20 Jun 2018 17:02:14 +0200 +Subject: [spice-server] ssl: Allow to use ECDH ciphers with OpenSSL 1.0 + +Without an explicit call to SSL_CTX_set_ecdh_auto(reds->ctx, 1), OpenSSL +1.0 (still used by el7) would not use ECDH ciphers (this is now +automatic with OpenSSL 1.1.0). This commit adds this missing call. It's +based on a suggestion from David Jasa + +Signed-off-by: Christophe Fergeau +Acked-by: Frediano Ziglio + +https://bugzilla.redhat.com/show_bug.cgi?id=1566597 +--- + server/reds.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/server/reds.c b/server/reds.c +index 846e44d..a7b9c38 100644 +--- a/server/reds.c ++++ b/server/reds.c +@@ -2955,6 +2955,7 @@ static int reds_init_ssl(RedsState *reds) + ssl_options |= SSL_OP_NO_COMPRESSION; + #endif + SSL_CTX_set_options(reds->ctx, ssl_options); ++ SSL_CTX_set_ecdh_auto(reds->ctx, 1); + + /* Load our keys and certificates*/ + return_code = SSL_CTX_use_certificate_chain_file(reds->ctx, reds->config->ssl_parameters.certs_file); diff --git a/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch b/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch new file mode 100644 index 0000000..6c5eaec --- /dev/null +++ b/SOURCES/0026-Fix-flexible-array-buffer-overflow.patch 
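Review bot: The added `SSL_CTX_set_ecdh_auto(reds->ctx, 1);` carries no comment explaining why it is needed, so the rationale lives only in the patch description. A reader building against OpenSSL 1.1.0, where the macro is a compatibility no-op, cannot tell whether the line is still load-bearing; suggest `/* OpenSSL 1.0.x does not enable ECDH key exchange by itself; no-op on 1.1.0+, where it is the default */` directly above it. The return value is also discarded, which matches the neighbouring `SSL_CTX_set_options()` call but means a failure here would go unnoticed. reds_init_ssl's body starts and ends outside the hunk.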
@@ -0,0 +1,301 @@ +From c182f8e4a445e93842faf6c2bd8583894da36a1a Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 18 May 2018 11:41:57 +0100 +Subject: [PATCH] Fix flexible array buffer overflow + +This is kind of a DoS, possibly flexible array in the protocol +causes the network size check to be ignored due to integer overflows. + +The size of flexible array is computed as (message_end - position), +then this size is added to the number of bytes before the array and +this number is used to check if we overflow initial message. + +An example is: + + message { + uint32 dummy[2]; + uint8 data[] @end; + } LenMessage; + +which generated this (simplified remove useless code) code: + + { /* data */ + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + } + + nw_size = 8 + data__nw_size; + + /* Check if message fits in reported side */ + if (nw_size > (uintptr_t) (message_end - start)) { + return NULL; + } + +Following code: +- data__nelements == message_end - (start + 8) +- data__nw_size == data__nelements == message_end - (start + 8) +- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == + 8 + message_end - start - 8 == message_end -start +- the check for overflow is (nw_size > (message_end - start)) but + nw_size == message_end - start so the check is doing + ((message_end - start) > (message_end - start)) which is always false. + +If message_end - start < 8 then data__nelements (number of element +on the array above) computation generate an integer underflow that +later create a buffer overflow. + +Add a check to make sure that the array starts before the message ends +to avoid the overflow. + +Difference is: + diff -u save/generated_client_demarshallers1.c common/generated_client_demarshallers1.c + --- save/generated_client_demarshallers1.c 2018-06-22 22:13:48.626793919 +0100 + +++ common/generated_client_demarshallers1.c 2018-06-22 22:14:03.408163291 +0100 + 
@@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -5226,6 +5235,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5305,6 +5317,9 @@ + uint64_t cursor_data__nw_size; + uint64_t cursor_data__nelements; + { /* data */ + + if (SPICE_UNLIKELY((start2 + 22) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 22); + + cursor_data__nw_size = cursor_data__nelements; + @@ -5540,6 +5555,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + 
@@ -5594,6 +5612,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 8) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + diff -u save/generated_client_demarshallers.c common/generated_client_demarshallers.c + --- save/generated_client_demarshallers.c 2018-06-22 22:13:48.626793919 +0100 + +++ common/generated_client_demarshallers.c 2018-06-22 22:14:03.004153195 +0100 + @@ -225,6 +225,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -243,6 +246,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msg_set_ack(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -301,6 +307,9 @@ + SpiceMsgPing *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 12) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 12); + + data__nw_size = data__nelements; + @@ -6574,6 +6583,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6670,6 +6682,9 @@ + } + + { /* data */ + + if (SPICE_UNLIKELY((start2 + 2 + cursor_u__nw_size) > message_end)) { + + goto error; + + } + cursor_data__nelements = message_end - (start2 + 2 + cursor_u__nw_size); + + cursor_data__nw_size = cursor_data__nelements; + @@ -6907,6 +6922,9 @@ + SpiceMsgPlaybackPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + 
@@ -6961,6 +6979,9 @@ + SpiceMsgPlaybackMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + @@ -7559,6 +7580,9 @@ + SpiceMsgTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -7840,6 +7864,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + diff -u save/generated_server_demarshallers.c common/generated_server_demarshallers.c + --- save/generated_server_demarshallers.c 2018-06-22 22:13:48.627793944 +0100 + +++ common/generated_server_demarshallers.c 2018-06-22 22:14:05.231208847 +0100 + @@ -306,6 +306,9 @@ + uint64_t data__nelements; + + { /* data */ + + if (SPICE_UNLIKELY((start + 0) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 0); + + data__nw_size = data__nelements; + @@ -324,6 +327,9 @@ + *free_message = nofree; + return data; + + + error: + + free(data); + + return NULL; + } + + static uint8_t * parse_msgc_disconnecting(uint8_t *message_start, uint8_t *message_end, SPICE_GNUC_UNUSED int minor, size_t *size, message_destructor_t *free_message) + @@ -1259,6 +1265,9 @@ + SpiceMsgcRecordPacket *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 4) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 4); + + data__nw_size = data__nelements; + @@ -1313,6 +1322,9 @@ + SpiceMsgcRecordMode *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 6) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 6); + + data__nw_size = data__nelements; + 
@@ -1841,6 +1853,9 @@ + SpiceMsgcTunnelSocketData *out; + + { /* data */ + + if (SPICE_UNLIKELY((start + 2) > message_end)) { + + goto error; + + } + data__nelements = message_end - (start + 2); + + data__nw_size = data__nelements; + @@ -2057,6 +2072,9 @@ + } + + { /* compressed_data */ + + if (SPICE_UNLIKELY((start + 1 + u__nw_size) > message_end)) { + + goto error; + + } + compressed_data__nelements = message_end - (start + 1 + u__nw_size); + + compressed_data__nw_size = compressed_data__nelements; + +Signed-off-by: Frediano Ziglio +--- + spice-common/python_modules/demarshal.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py +index 1ea131d..7172762 100644 +--- a/spice-common/python_modules/demarshal.py ++++ b/spice-common/python_modules/demarshal.py +@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star + writer.assign(nelements, array.size) + elif array.is_remaining_length(): + if element_type.is_fixed_nw_size(): ++ writer.error_check("%s > message_end" % item.get_position()) + if element_type.get_fixed_nw_size() == 1: + writer.assign(nelements, "message_end - %s" % item.get_position()) + else: +-- +2.17.1 + diff --git a/SPECS/spice.spec b/SPECS/spice.spec index 3eb478f..b8ae490 100644 --- a/SPECS/spice.spec +++ b/SPECS/spice.spec @@ -1,6 +1,6 @@ Name: spice Version: 0.14.0 -Release: 2%{?dist}.5 +Release: 6%{?dist} Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ 
@@ -29,7 +29,9 @@ Patch20: 0020-stream-channel-Activate-streaming-report-from-client.patch Patch21: 0021-reds-Disable-TLS-1.0.patch Patch22: 0022-cursor-Delay-release-of-QXL-guest-cursor-resources.patch Patch23: 0023-sound-Don-t-mute-recording-when-client-reconnects.patch -Patch24: 0024-Fix-flexible-array-buffer-overflow.patch +Patch24: 0024-tls-Parse-spice.cnf-OpenSSL-configuration-file.patch +Patch25: 0025-ssl-Allow-to-use-ECDH-ciphers-with-OpenSSL-1.0.patch +Patch26: 0026-Fix-flexible-array-buffer-overflow.patch # https://bugzilla.redhat.com/show_bug.cgi?id=613529 %if 0%{?rhel} @@ -119,27 +121,28 @@ mkdir -p %{buildroot}%{_libexecdir} %changelog -* Thu Aug 09 2018 Frediano Ziglio - 0.14.0-2.5 +* Thu Aug 09 2018 Frediano Ziglio - 0.14.0-6 - Fix flexible array buffer overflow Resolves: rhbz#1596008 -* Tue Jun 12 2018 Victor Toso - 0.14.0-2.4 +* Wed Jun 20 2018 Christophe Fergeau - 0.14.0-5 - Don't mute Record channel on client reconnection - Resolves: rhbz#1582601 - -* Fri Apr 27 2018 Christophe Fergeau - 0.14.0-2.3 + Resolves: rhbz#1549132 +- Allow to configure TLS protocol versions and ciphers which SPICE will use for + TLS communications + Resolves: rhbz#1562213 +- Enable ECDH ciphers with OpenSSL 1.0 + Resolves: rhbz#1566597 + +* Fri Apr 27 2018 Christophe Fergeau - 0.14.0-4 - Revert back to spice 0.12 behaviour where QXL guest resources for cursor commands are only released when the current cursor is replaced. This avoids a QEMU regression causing crashes during migration - Resolves: rhbz#1572489 - -* Mon Mar 19 2018 Christophe Fergeau - 0.14.0-2.2 -- Rebuild for missing changelog entry - Related: rhbz#1551072 + Resolves: rhbz#1567944 -* Thu Mar 15 2018 Christophe Fergeau - 0.14.0-2.1 +* Tue Apr 03 2018 Christophe Fergeau - 0.14.0-3 - Disable TLSv1.0 - Related: rhbz#1551072 + Resolves: rhbz#1521053 * Thu Oct 12 2017 Christophe Fergeau - 0.14.0-2 - Add streaming patches for use with spice-streaming-agent