From: Daniel Sabogal To: alpine-aports@lists.alpinelinux.org Subject: [alpine-aports] [PATCH 1/1] main/spice: security upgrade to 0.12.8 Date: Wed, 17 Aug 2016 00:07:49 -0400 Message-Id: <20160817040749.6932-1-dsabogalcc@gmail.com> X-Mailer: git-send-email 2.8.3 X-Mailinglist: alpine-aports Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: CVE-2016-0749 CVE-2016-2150 Removed unused patch (CVE-2015-3247 fixed in 0.12.6) https://cgit.freedesktop.org/spice/spice/tree/NEWS?h=0.12 --- main/spice/APKBUILD | 28 ++++------ main/spice/CVE-2015-3247.patch | 116 ----------------------------------------- 2 files changed, 9 insertions(+), 135 deletions(-) delete mode 100644 main/spice/CVE-2015-3247.patch diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD index 53ef2b1..de6d052 100644 --- a/main/spice/APKBUILD +++ b/main/spice/APKBUILD @@ -1,8 +1,8 @@ # Contributor: Natanael Copa # Maintainer: Natanael Copa pkgname=spice -pkgver=0.12.7 -pkgrel=1 +pkgver=0.12.8 +pkgrel=0 pkgdesc="Implements the SPICE protocol" url="http://www.spice-space.org/" arch="all" @@ -14,22 +14,12 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev py-six glib-dev opus-dev" install="" subpackages="$pkgname-dev $pkgname-server" -source="http://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2 +source="http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2 " -_builddir="$srcdir"/spice-$pkgver -prepare() { - local i - cd "$_builddir" - for i in $source; do - case $i in - *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; - esac - done -} - +builddir="$srcdir"/$pkgname-$pkgver build() { - cd "$_builddir" + cd "$builddir" ./configure \ --build=$CBUILD \ --host=$CHOST \ @@ -48,7 +38,7 @@ build() { } package() { - cd "$_builddir" + cd "$builddir" make DESTDIR="$pkgdir" install || return 1 } 
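Review bot: The `source=` line in the second APKBUILD hunk still downloads the release tarball over plain `http://`, so the checksums updated in the last APKBUILD hunk are the only thing binding this security upgrade to the upstream 0.12.8 release. If upstream serves the file over TLS, prefer `source="https://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2"`, and confirm the new sha512 against upstream's published signature or checksum rather than against the freshly fetched file. The fixed CVE ids (CVE-2016-0749, CVE-2016-2150) are recorded only in the commit message; a short comment block in the APKBUILD listing them against 0.12.8-r0 would let a later audit see which package release closed them.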
@@ -58,6 +48,6 @@ server() { mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/ } -md5sums="28d4294e6d055de3b6ce5b8f2b7ca03b spice-0.12.7.tar.bz2" -sha256sums="1c8e96cb9e833e23372e2f461508135903b697fd8c6daff565e9e87f6d2f6aba spice-0.12.7.tar.bz2" -sha512sums="a740d500d0ccad3edd1f2f71e51c5a120d6ae98e44125f33870c12f5d1eeb30b809e588d05b2d0cadb4216e889b38e57d2278916817538311b875ff22e3b31ae spice-0.12.7.tar.bz2" +md5sums="376853d11b9921aa34a06c4dbef81874 spice-0.12.8.tar.bz2" +sha256sums="f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2" +sha512sums="6485d3522af1cde93d2c0abad7f7ef9f2e4d3e5049314fb93b6dd4b86e33d67d353a3ff42a355c8fd991bad447bbde1e6320c083bbc6f02b576bd9cebe7269ed spice-0.12.8.tar.bz2" diff --git a/main/spice/CVE-2015-3247.patch b/main/spice/CVE-2015-3247.patch deleted file mode 100644 index 47ee3c4..0000000 --- a/main/spice/CVE-2015-3247.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -From bd6ea0db84949ac903c27708166604de892f4671 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Tue, 9 Jun 2015 08:50:46 +0100 -Subject: Avoid race conditions reading monitor configs from guest - -For security reasons do not assume guest do not change structures it -pass to Qemu. -Guest could change count field while Qemu is copying QXLMonitorsConfig -structure leading to heap corruption. -This patch avoid it reading count only once. - -This patch solves CVE-2015-3247. - -Signed-off-by: Frediano Ziglio -Acked-by: Christophe Fergeau - -diff --git a/server/red_worker.c b/server/red_worker.c -index 2f2d5a9..e2feb23 100644 ---- a/server/red_worker.c -+++ b/server/red_worker.c -@@ -11222,19 +11222,18 @@ static inline void red_monitors_config_item_add(DisplayChannelClient *dcc) - - static void worker_update_monitors_config(RedWorker *worker, - QXLMonitorsConfig *dev_monitors_config, -- unsigned int max_monitors) -+ uint16_t count, uint16_t max_allowed) - { - int heads_size; - MonitorsConfig *monitors_config; - int i; -- unsigned int count = MIN(dev_monitors_config->count, max_monitors); - - monitors_config_decref(worker->monitors_config); - - spice_debug("monitors config %d(%d)", -- dev_monitors_config->count, -- dev_monitors_config->max_allowed); -- for (i = 0; i < dev_monitors_config->count; i++) { -+ count, -+ max_allowed); -+ for (i = 0; i < count; i++) { - spice_debug("+%d+%d %dx%d", - dev_monitors_config->heads[i].x, - dev_monitors_config->heads[i].y, -@@ -11247,7 +11246,7 @@ static void worker_update_monitors_config(RedWorker *worker, - monitors_config->refs = 1; - monitors_config->worker = worker; - monitors_config->count = count; -- monitors_config->max_allowed = MIN(dev_monitors_config->max_allowed, max_monitors); -+ monitors_config->max_allowed = max_allowed; - memcpy(monitors_config->heads, dev_monitors_config->heads, heads_size); - } - -@@ -11636,33 +11635,52 @@ void handle_dev_display_migrate(void *opaque, void *payload) - 
red_migrate_display(worker, rcc); - } - -+static inline uint32_t qxl_monitors_config_size(uint32_t heads) -+{ -+ return sizeof(QXLMonitorsConfig) + sizeof(QXLHead) * heads; -+} -+ - static void handle_dev_monitors_config_async(void *opaque, void *payload) - { - RedWorkerMessageMonitorsConfigAsync *msg = payload; - RedWorker *worker = opaque; -- int min_size = sizeof(QXLMonitorsConfig) + sizeof(QXLHead); - int error; -+ uint16_t count, max_allowed; - QXLMonitorsConfig *dev_monitors_config = - (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, -- min_size, msg->group_id, &error); -+ qxl_monitors_config_size(1), -+ msg->group_id, &error); - - if (error) { - /* TODO: raise guest bug (requires added QXL interface) */ - return; - } - worker->driver_cap_monitors_config = 1; -- if (dev_monitors_config->count == 0) { -+ count = dev_monitors_config->count; -+ max_allowed = dev_monitors_config->max_allowed; -+ if (count == 0) { - spice_warning("ignoring an empty monitors config message from driver"); - return; - } -- if (dev_monitors_config->count > dev_monitors_config->max_allowed) { -+ if (count > max_allowed) { - spice_warning("ignoring malformed monitors_config from driver, " - "count > max_allowed %d > %d", -- dev_monitors_config->count, -- dev_monitors_config->max_allowed); -+ count, -+ max_allowed); -+ return; -+ } -+ /* get pointer again to check virtual size */ -+ dev_monitors_config = -+ (QXLMonitorsConfig*)get_virt(&worker->mem_slots, msg->monitors_config, -+ qxl_monitors_config_size(count), -+ msg->group_id, &error); -+ if (error) { -+ /* TODO: raise guest bug (requires added QXL interface) */ - return; - } -- worker_update_monitors_config(worker, dev_monitors_config, msg->max_monitors); -+ worker_update_monitors_config(worker, dev_monitors_config, -+ MIN(count, msg->max_monitors), -+ MIN(max_allowed, msg->max_monitors)); - red_worker_push_monitors_config(worker); - } - --- -cgit v0.10.2 - -- 2.8.3 --- Unsubscribe: 