* [Buildroot] [PATCH 0/4] spice: version bump / security bump
@ 2017-06-21 22:07 Peter Korsgaard
  2017-06-21 22:07 ` [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5 Peter Korsgaard
                   ` (5 more replies)
  0 siblings, 6 replies; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-21 22:07 UTC (permalink / raw)
  To: buildroot

Our spice version is quite old (2013) and is affected by a number of
security issues, so bump to the latest release in the 0.12.x series +
upstream post-0.12.8 security fixes.

As the configuration options and dependencies have changed quite a bit since
2013, don't just do the entire bump in a single patch, but instead move
forward release by release for easier review.

Peter Korsgaard (4):
  spice: bump to version 0.12.5
  spice: security bump to version 0.12.6
  spice: security bump to version 0.12.8
  spice: add post-0.12.8 upstream security fixes

 Config.in.legacy                                   | 23 +++++++++
 ...sible-DoS-attempts-during-protocol-handsh.patch | 60 ++++++++++++++++++++++
 ...0001-fix-missing-monitor_latency-argument.patch | 28 ----------
 ...nt-integer-overflows-in-capability-checks.patch | 43 ++++++++++++++++
 ...l-Prevent-overflow-reading-messages-from-.patch | 33 ++++++++++++
 package/spice/Config.in                            | 46 -----------------
 package/spice/spice.hash                           |  2 +-
 package/spice/spice.mk                             | 35 +++++--------
 8 files changed, 174 insertions(+), 96 deletions(-)
 create mode 100644 package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
 delete mode 100644 package/spice/0001-fix-missing-monitor_latency-argument.patch
 create mode 100644 package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
 create mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch

-- 
2.11.0


* [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
@ 2017-06-21 22:07 ` Peter Korsgaard
  2017-06-22 20:24   ` Yann E. MORIN
  2017-06-21 22:07 ` [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6 Peter Korsgaard
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-21 22:07 UTC (permalink / raw)
  To: buildroot

Tunneling support is gone upstream, so drop the patch and add
Config.in.legacy handling for the option.

Celt051 is no longer a hard dependency, and opus is a new optional
dependency, so adjust the dependencies to match.

Python / pyparsing are not needed as the tarball contains the generated
files (this should presumably have been host-python in the first place as
these are used at build time), but we need a small workaround to convince
configure that they really aren't needed.

Alsa-lib is only needed for client support, and the configure script checks
for X11/Xext/Xrender, so adjust the dependencies to match.

A user manual is now generated by default if asciidoc is available, so
explicitly disable that.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 Config.in.legacy                                   |  7 ++++
 ...0001-fix-missing-monitor_latency-argument.patch | 28 --------------
 package/spice/Config.in                            | 19 ++-------
 package/spice/spice.hash                           |  2 +-
 package/spice/spice.mk                             | 45 +++++++++++++++-------
 5 files changed, 43 insertions(+), 58 deletions(-)
 delete mode 100644 package/spice/0001-fix-missing-monitor_latency-argument.patch

diff --git a/Config.in.legacy b/Config.in.legacy
index 9a53495627..dc99b7c2eb 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,13 @@ endif
 ###############################################################################
 comment "Legacy options removed in 2017.08"
 
+config BR2_PACKAGE_SPICE_TUNNEL
+	bool "spice network redirection removed"
+	select BR2_LEGACY
+	help
+	  Spice network redirection, aka tunnelling has been removed
+	  upstream.
+
 config BR2_PACKAGE_INPUT_TOOLS
 	bool "input-tools removed"
 	select BR2_LEGACY
diff --git a/package/spice/0001-fix-missing-monitor_latency-argument.patch b/package/spice/0001-fix-missing-monitor_latency-argument.patch
deleted file mode 100644
index e14dd2ce37..0000000000
--- a/package/spice/0001-fix-missing-monitor_latency-argument.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 0d3767853ca179ce04a9b312d7a30d33d1266a3b Mon Sep 17 00:00:00 2001
-From: Axel Lin <axel.lin@ingics.com>
-Date: Thu, 10 Oct 2013 12:36:40 +0800
-Subject: [PATCH] red_tunnel_worker: Fix build error due to missing monitor_latency argument
-
-Fix missing monitor_latency argument in red_channel_client_create call.
-
-Signed-off-by: Axel Lin <axel.lin@ingics.com>
----
- server/red_tunnel_worker.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/server/red_tunnel_worker.c b/server/red_tunnel_worker.c
-index 97dcafd..6781d73 100644
---- a/server/red_tunnel_worker.c
-+++ b/server/red_tunnel_worker.c
-@@ -3417,7 +3417,7 @@ static void handle_tunnel_channel_link(RedChannel *channel, RedClient *client,
-     }
- 
-     tcc = (TunnelChannelClient*)red_channel_client_create(sizeof(TunnelChannelClient),
--                                                          channel, client, stream,
-+                                                          channel, client, stream, FALSE,
-                                                           0, NULL, 0, NULL);
-     if (!tcc) {
-         return;
--- 
-1.8.1.2
-
diff --git a/package/spice/Config.in b/package/spice/Config.in
index bde3a92859..220f9994da 100644
--- a/package/spice/Config.in
+++ b/package/spice/Config.in
@@ -2,23 +2,15 @@ comment "spice server needs a toolchain w/ wchar, threads"
 	depends on BR2_i386 || BR2_x86_64
 	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
 
-comment "spice server depends on python (for pyparsing)"
-	depends on BR2_i386 || BR2_x86_64
-	depends on !BR2_PACKAGE_PYTHON
-
 config BR2_PACKAGE_SPICE
 	bool "spice server"
 	depends on BR2_i386 || BR2_x86_64
-	depends on BR2_PACKAGE_PYTHON
 	depends on BR2_USE_WCHAR # libglib2
 	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
-	select BR2_PACKAGE_ALSA_LIB
-	select BR2_PACKAGE_CELT051
 	select BR2_PACKAGE_JPEG
 	select BR2_PACKAGE_LIBGLIB2
 	select BR2_PACKAGE_OPENSSL
 	select BR2_PACKAGE_PIXMAN
-	select BR2_PACKAGE_PYTHON_PYPARSING
 	select BR2_PACKAGE_SPICE_PROTOCOL
 	help
 	  The Spice project aims to provide a complete open source
@@ -43,6 +35,10 @@ config BR2_PACKAGE_SPICE_CLIENT
 	depends on BR2_INSTALL_LIBSTDCPP
 	select BR2_PACKAGE_XLIB_LIBXFIXES
 	select BR2_PACKAGE_XLIB_LIBXRANDR
+	select BR2_PACKAGE_XLIB_LIBX11
+	select BR2_PACKAGE_XLIB_LIBXEXT
+	select BR2_PACKAGE_XLIB_LIBXRENDER
+	select BR2_PACKAGE_ALSA_LIB
 
 comment "client needs a toolchain w/ threads, C++"
 	depends on BR2_PACKAGE_XORG7
@@ -60,11 +56,4 @@ config BR2_PACKAGE_SPICE_GUI
 comment "gui needs a toolchain w/ dynamic library"
 	depends on BR2_STATIC_LIBS
 
-config BR2_PACKAGE_SPICE_TUNNEL
-	bool "Enable network redirection"
-	select BR2_PACKAGE_SLIRP
-	help
-	  Say 'y' here to enable network redirection, aka tunnelling
-	  through a SLIP/SLIRP session.
-
 endif # BR2_PACKAGE_SPICE
diff --git a/package/spice/spice.hash b/package/spice/spice.hash
index c4d63198fb..0a943f0332 100644
--- a/package/spice/spice.hash
+++ b/package/spice/spice.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256	cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387	spice-0.12.4.tar.bz2
+sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
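Review bot: The new sha256 line for spice-0.12.5.tar.bz2 sits under "# Locally calculated", so it only pins whatever the submitter downloaded, and SPICE_SITE in spice.mk is a plain http:// URL. For a series that is a security bump, compare the tarball against an upstream-published checksum or signature where one exists and record that in the comment. The same applies to the 0.12.6 and 0.12.8 hash updates later in the series.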
diff --git a/package/spice/spice.mk b/package/spice/spice.mk
index 1d26ddcc18..ba76a14d61 100644
--- a/package/spice/spice.mk
+++ b/package/spice/spice.mk
@@ -4,20 +4,17 @@
 #
 ################################################################################
 
-SPICE_VERSION = 0.12.4
+SPICE_VERSION = 0.12.5
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPL-2.1+
 SPICE_LICENSE_FILES = COPYING
 SPICE_INSTALL_STAGING = YES
 SPICE_DEPENDENCIES = \
-	alsa-lib \
-	celt051 \
 	jpeg \
 	libglib2 \
 	openssl \
 	pixman \
-	python-pyparsing \
 	spice-protocol
 
 # We disable everything for now, because the dependency tree can become
@@ -26,13 +23,32 @@ SPICE_CONF_OPTS = \
 	--disable-opengl \
 	--disable-smartcard \
 	--disable-automated-tests \
-	--without-sasl
+	--without-sasl \
+	--disable-manual
 
 SPICE_DEPENDENCIES += host-pkgconf
 
+ifeq ($(BR2_PACKAGE_CELT051),y)
+SPICE_CONF_OPTS += --enable-celt051
+SPICE_DEPENDENCIES += celt051
+else
+SPICE_CONF_OPTS += --disable-celt051
+endif
+
+# no enable/disable, detected using pkg-config
+ifeq ($(BR2_PACKAGE_OPUS),y)
+SPICE_DEPENDENCIES += opus
+endif
+
 ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
 SPICE_CONF_OPTS += --enable-client
-SPICE_DEPENDENCIES += xlib_libXfixes xlib_libXrandr
+SPICE_DEPENDENCIES += \
+	xlib_libXfixes \
+	xlib_libXrandr \
+	xlib_libX11 \
+	xlib_libXext \
+	xlib_libXrender \
+	alsa-lib
 else
 SPICE_CONF_OPTS += --disable-client
 endif
@@ -44,15 +60,16 @@ else
 SPICE_CONF_OPTS += --disable-gui
 endif
 
-ifeq ($(BR2_PACKAGE_SPICE_TUNNEL),y)
-SPICE_CONF_OPTS += --enable-tunnel
-SPICE_DEPENDENCIES += slirp
-else
-SPICE_CONF_OPTS += --disable-tunnel
-endif
+# spice uses a number of source files that are generated with python / pyparsing.
+# The generated files are part of the tarball, so python / pyparsing isn't needed
+# when building from the tarball, but the configure script gets confused and looks
+# for the wrong file name to know if it needs to check for python / pyparsing,
+# so convince it they aren't needed
+define SPICE_NO_PYTHON_PYPARSING
+	touch $(@D)/client/generated_marshallers.cpp
+endef
 
-SPICE_CONF_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
-SPICE_MAKE_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
+SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
 
 # We need to tweak spice.pc because it /forgets/ (for static linking) that
 # it should link against libz and libjpeg. libz is pkg-config-aware, while
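Review bot: In SPICE_NO_PYTHON_PYPARSING, "touch $(@D)/client/generated_marshallers.cpp" creates an empty file when that path is absent, and this version of spice.mk can still pass --enable-client. The comment says configure looks for the wrong file name, so please state whether the tarball ships a file under this name; if it does not, confirm that a client build never compiles the empty stub. With SPICE_CONF_ENV and SPICE_MAKE_ENV dropped in the same hunk, it is also worth saying in the comment that any attempt to regenerate the files is now expected to fail rather than pick up target python.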
-- 
2.11.0


* [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
  2017-06-21 22:07 ` [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5 Peter Korsgaard
@ 2017-06-21 22:07 ` Peter Korsgaard
  2017-06-22 20:27   ` Yann E. MORIN
  2017-06-21 22:07 ` [Buildroot] [PATCH 3/4] spice: security bump to version 0.12.8 Peter Korsgaard
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-21 22:07 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

CVE-2015-3247: Race condition in the worker_update_monitors_config function
in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
of service (heap-based memory corruption and QEMU-KVM crash) or possibly
execute arbitrary code on the host via unspecified vectors.

CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to cause a denial of service (heap-based memory corruption
and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
commands related to the surface_id parameter.

CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to read and write to arbitrary memory locations on the host
via guest QXL commands related to surface creation.

Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
add Config.in.legacy handling for them.

Lz4 is a new optional dependency, so handle it.

The spice protocol definition is no longer included and instead used from
spice-protocol.  The build system uses pkg-config --variable=codegendir to
find the build time path of this, which doesn't take our STAGING_DIR prefix
into consideration, so it needs some help.  The installed protocol
definition will likewise be newer than the generated files, so we need to
work around that to ensure they are not regenerated (which needs host python
/ pyparsing).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 Config.in.legacy         | 16 ++++++++++++++++
 package/spice/Config.in  | 35 -----------------------------------
 package/spice/spice.hash |  2 +-
 package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
 4 files changed, 36 insertions(+), 57 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy
index dc99b7c2eb..361d331dc9 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,22 @@ endif
 ###############################################################################
 comment "Legacy options removed in 2017.08"
 
+config BR2_PACKAGE_SPICE_CLIENT
+	bool "spice client support removed"
+	select BR2_LEGACY
+	help
+	  Spice client support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
+config BR2_PACKAGE_SPICE_GUI
+	bool "spice gui support removed"
+	select BR2_LEGACY
+	help
+	  Spice gui support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
 config BR2_PACKAGE_SPICE_TUNNEL
 	bool "spice network redirection removed"
 	select BR2_LEGACY
diff --git a/package/spice/Config.in b/package/spice/Config.in
index 220f9994da..2241b55b3d 100644
--- a/package/spice/Config.in
+++ b/package/spice/Config.in
@@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
 	  This package implements the server-part of Spice.
 
 	  http://www.spice-space.org/
-
-if BR2_PACKAGE_SPICE
-
-comment "client depends on X.org"
-	depends on !BR2_PACKAGE_XORG7
-
-config BR2_PACKAGE_SPICE_CLIENT
-	bool "Enable client"
-	depends on BR2_PACKAGE_XORG7
-	depends on BR2_TOOLCHAIN_HAS_THREADS
-	depends on BR2_INSTALL_LIBSTDCPP
-	select BR2_PACKAGE_XLIB_LIBXFIXES
-	select BR2_PACKAGE_XLIB_LIBXRANDR
-	select BR2_PACKAGE_XLIB_LIBX11
-	select BR2_PACKAGE_XLIB_LIBXEXT
-	select BR2_PACKAGE_XLIB_LIBXRENDER
-	select BR2_PACKAGE_ALSA_LIB
-
-comment "client needs a toolchain w/ threads, C++"
-	depends on BR2_PACKAGE_XORG7
-	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
-
-config BR2_PACKAGE_SPICE_GUI
-	bool "Enable GUI"
-	depends on BR2_PACKAGE_SPICE_CLIENT
-	depends on !BR2_STATIC_LIBS
-	select BR2_PACKAGE_CEGUI06
-	help
-	  Say 'y' here to enable the Graphical User Interface (GUI)
-	  start dialog.
-
-comment "gui needs a toolchain w/ dynamic library"
-	depends on BR2_STATIC_LIBS
-
-endif # BR2_PACKAGE_SPICE
diff --git a/package/spice/spice.hash b/package/spice/spice.hash
index 0a943f0332..04bd516689 100644
--- a/package/spice/spice.hash
+++ b/package/spice/spice.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
+sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
diff --git a/package/spice/spice.mk b/package/spice/spice.mk
index ba76a14d61..f1fb46d29c 100644
--- a/package/spice/spice.mk
+++ b/package/spice/spice.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SPICE_VERSION = 0.12.5
+SPICE_VERSION = 0.12.6
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPL-2.1+
@@ -35,38 +35,36 @@ else
 SPICE_CONF_OPTS += --disable-celt051
 endif
 
+ifeq ($(BR2_PACKAGE_LZ4),y)
+SPICE_CONF_OPTS += --enable-lz4
+SPICE_DEPENDENCIES += lz4
+else
+SPICE_CONF_OPTS += --disable-lz4
+endif
+
 # no enable/disable, detected using pkg-config
 ifeq ($(BR2_PACKAGE_OPUS),y)
 SPICE_DEPENDENCIES += opus
 endif
 
-ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
-SPICE_CONF_OPTS += --enable-client
-SPICE_DEPENDENCIES += \
-	xlib_libXfixes \
-	xlib_libXrandr \
-	xlib_libX11 \
-	xlib_libXext \
-	xlib_libXrender \
-	alsa-lib
-else
-SPICE_CONF_OPTS += --disable-client
-endif
-
-ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
-SPICE_CONF_OPTS += --enable-gui
-SPICE_DEPENDENCIES += cegui06
-else
-SPICE_CONF_OPTS += --disable-gui
-endif
+# build system uses pkg-config --variable=codegendir spice-protocol which
+# returns the runtime path rather than build time, so it needs some help
+SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
+SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
+SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
 
 # spice uses a number of source files that are generated with python / pyparsing.
 # The generated files are part of the tarball, so python / pyparsing isn't needed
 # when building from the tarball, but the configure script gets confused and looks
 # for the wrong file name to know if it needs to check for python / pyparsing,
-# so convince it they aren't needed
+# so convince it they aren't needed.
+# It will also regenerate these files if the spice-protocol protocol definition
+# is newer than the generated files (which it will be when spice-protocol
+# installs it to staging), so ensure their timestamp is updated to skip this.
 define SPICE_NO_PYTHON_PYPARSING
+	mkdir -p $(@D)/client
 	touch $(@D)/client/generated_marshallers.cpp
+	touch $(@D)/spice-common/common/generated_*
 endef
 
 SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
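Review bot: "touch $(@D)/spice-common/common/generated_*" in SPICE_NO_PYTHON_PYPARSING depends on the glob matching something. If a later tarball renames or drops those files, the shell hands the literal pattern to touch, the hook still succeeds, and the build then tries to regenerate the sources without host python / pyparsing in SPICE_DEPENDENCIES. Listing the expected files explicitly, or failing the hook when nothing matches, would turn that into an immediate error. The added comment could also note that skipping regeneration means the marshalling code is always the one shipped in the tarball, whatever protocol definition spice-protocol installed to staging.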
-- 
2.11.0


* [Buildroot] [PATCH 3/4] spice: security bump to version 0.12.8
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
  2017-06-21 22:07 ` [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5 Peter Korsgaard
  2017-06-21 22:07 ` [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6 Peter Korsgaard
@ 2017-06-21 22:07 ` Peter Korsgaard
  2017-06-22 20:28   ` Yann E. MORIN
  2017-06-21 22:07 ` [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes Peter Korsgaard
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-21 22:07 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to
cause a denial of service (QEMU-KVM process crash) or possibly execute
arbitrary code via vectors related to connecting to a guest VM, which
triggers a heap-based buffer overflow.

CVE-2016-2150: SPICE allows local guest OS users to read from or write to
arbitrary host memory locations via crafted primary surface parameters, a
similar issue to CVE-2015-5261.

The pyparsing check has been dropped from configure, and the spice protocol
definition is again included, so the workarounds can be removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/spice/spice.hash |  2 +-
 package/spice/spice.mk   | 24 +-----------------------
 2 files changed, 2 insertions(+), 24 deletions(-)

diff --git a/package/spice/spice.hash b/package/spice/spice.hash
index 04bd516689..c9b591f41d 100644
--- a/package/spice/spice.hash
+++ b/package/spice/spice.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
+sha256	f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d	spice-0.12.8.tar.bz2
diff --git a/package/spice/spice.mk b/package/spice/spice.mk
index f1fb46d29c..7b09f39fe7 100644
--- a/package/spice/spice.mk
+++ b/package/spice/spice.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SPICE_VERSION = 0.12.6
+SPICE_VERSION = 0.12.8
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPL-2.1+
@@ -47,28 +47,6 @@ ifeq ($(BR2_PACKAGE_OPUS),y)
 SPICE_DEPENDENCIES += opus
 endif
 
-# build system uses pkg-config --variable=codegendir spice-protocol which
-# returns the runtime path rather than build time, so it needs some help
-SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
-SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
-SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
-
-# spice uses a number of source files that are generated with python / pyparsing.
-# The generated files are part of the tarball, so python / pyparsing isn't needed
-# when building from the tarball, but the configure script gets confused and looks
-# for the wrong file name to know if it needs to check for python / pyparsing,
-# so convince it they aren't needed.
-# It will also regenerate these files if the spice-protocol protocol definition
-# is newer than the generated files (which it will be when spice-protocol
-# installs it to staging), so ensure their timestamp is updated to skip this.
-define SPICE_NO_PYTHON_PYPARSING
-	mkdir -p $(@D)/client
-	touch $(@D)/client/generated_marshallers.cpp
-	touch $(@D)/spice-common/common/generated_*
-endef
-
-SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
-
 # We need to tweak spice.pc because it /forgets/ (for static linking) that
 # it should link against libz and libjpeg. libz is pkg-config-aware, while
 # libjpeg isn't, hence the two-line tweak
-- 
2.11.0


* [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
                   ` (2 preceding siblings ...)
  2017-06-21 22:07 ` [Buildroot] [PATCH 3/4] spice: security bump to version 0.12.8 Peter Korsgaard
@ 2017-06-21 22:07 ` Peter Korsgaard
  2017-06-22 20:37   ` Yann E. MORIN
  2017-06-22 21:26 ` [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
  2017-06-26 12:38 ` Peter Korsgaard
  5 siblings, 1 reply; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-21 22:07 UTC (permalink / raw)
  To: buildroot

Fixes the following security issues:

CVE-2016-9577

    Frediano Ziglio of Red Hat discovered a buffer overflow
    vulnerability in the main_channel_alloc_msg_rcv_buf function. An
    authenticated attacker can take advantage of this flaw to cause a
    denial of service (spice server crash), or possibly, execute
    arbitrary code.

CVE-2016-9578

    Frediano Ziglio of Red Hat discovered that spice does not properly
    validate incoming messages. An attacker able to connect to the
    spice server could send crafted messages which would cause the
    process to crash.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...sible-DoS-attempts-during-protocol-handsh.patch | 60 ++++++++++++++++++++++
 ...nt-integer-overflows-in-capability-checks.patch | 43 ++++++++++++++++
 ...l-Prevent-overflow-reading-messages-from-.patch | 33 ++++++++++++
 3 files changed, 136 insertions(+)
 create mode 100644 package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
 create mode 100644 package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
 create mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch

diff --git a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
new file mode 100644
index 0000000000..57a64d96b7
--- /dev/null
+++ b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
@@ -0,0 +1,60 @@
+From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:39:48 +0000
+Subject: [PATCH] Prevent possible DoS attempts during protocol handshake
+
+The limit for link message is specified using a 32 bit unsigned integer.
+This could cause possible DoS due to excessive memory allocations and
+some possible crashes.
+For instance a value >= 2^31 causes a spice_assert to be triggered in
+async_read_handler (reds-stream.c) due to an integer overflow at this
+line:
+
+   int n = async->end - async->now;
+
+This could be easily triggered with a program like
+
+  #!/usr/bin/env python
+
+  import socket
+  import time
+  from struct import pack
+
+  server = '127.0.0.1'
+  port = 5900
+
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((server, port))
+  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
+  s.send(data)
+
+  time.sleep(1)
+
+without requiring any authentication (the same can be done
+with TLS).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/reds.c b/server/reds.c
+index f40b65c1..86a33d53 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
+ 
+     reds->peer_minor_version = header->minor_version;
+ 
+-    if (header->size < sizeof(SpiceLinkMess)) {
++    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+         spice_warning("bad size %u", header->size);
+         reds_link_free(link);
+-- 
+2.11.0
+
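Review bot: The added "header->size > 4096" test in reds_handle_read_header_done bounds the input, but the narrowing the commit message points at ("int n = async->end - async->now;") is left unchanged, so the fix holds only as long as every caller of the async read path has a size check like this one. It would help to say that in the patch description, or to reference a follow-up that fixes the type. The limit is also a bare literal that patch 0002 relies on in its own reasoning; a named constant shared by both would keep the two limits from drifting apart.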
diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
new file mode 100644
index 0000000000..5bf9b89d17
--- /dev/null
+++ b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
@@ -0,0 +1,43 @@
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: [PATCH] Prevent integer overflows in capability checks
+
+The limits for capabilities are specified using 32 bit unsigned integers.
+This could cause possible integer overflows causing buffer overflows.
+For instance the sum of num_common_caps and num_caps can be 0 avoiding
+additional checks.
+As the link message is now capped to 4096 and the capabilities are
+contained in the link message limit the capabilities to 1024
+(capabilities are expressed in number of uint32_t items).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d53..91504544 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ 
++    /* Prevent DoS. Currently we defined only 13 capabilities,
++     * I expect 1024 to be valid for quite a lot time */
++    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++        reds_link_free(link);
++        return;
++    }
++
+     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+ 
+-- 
+2.11.0
+
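Review bot: The new limit in reds_handle_read_link_done bounds num_channel_caps and num_common_caps, but the context line right after it computes caps from link_mess->caps_offset, which nothing in this hunk bounds. Please confirm that the check following the hunk validates caps_offset plus num_caps * sizeof(uint32_t) against the link message size. The rejection branch also returns without a spice_warning, unlike the size check in patch 0001, so a handshake rejected here leaves no log line to alert on.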
diff --git a/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
new file mode 100644
index 0000000000..f602d5f3b1
--- /dev/null
+++ b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
@@ -0,0 +1,33 @@
+From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 29 Nov 2016 16:46:56 +0000
+Subject: [PATCH] main-channel: Prevent overflow reading messages from client
+
+Caller is supposed the function return a buffer able to store
+size bytes.
+
+[Peter: fixes CVE-2016-9577]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/main_channel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df8..1fc39155 100644
+--- a/server/main_channel.c
++++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+ 
+     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+         return reds_get_agent_data_buffer(mcc, size);
++    } else if (size > sizeof(main_chan->recv_buf)) {
++        /* message too large, caller will log a message and close the connection */
++        return NULL;
+     } else {
+         return main_chan->recv_buf;
+     }
+-- 
+2.11.0
+
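Review bot: The added "size > sizeof(main_chan->recv_buf)" branch in main_channel_alloc_msg_rcv_buf is only a bound if recv_buf is an array member; its declaration is outside the hunk, so please confirm it is not a pointer. The SPICE_MSGC_MAIN_AGENT_DATA branch above still passes size straight to reds_get_agent_data_buffer, which therefore has to enforce its own limit. The NULL return also depends on the caller handling it as the new comment promises, and neither is visible here.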
-- 
2.11.0
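
The two reds.c checks carried in patch 4/4 cap the link message size and the capability counts. The following added example (not code from SPICE, Buildroot or this thread) models why both caps plus a widened range check are needed. The `link_fields` struct and the helper names are constructed for illustration; the 4096 and 1024 limits are the ones in the patches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits taken from the two reds.c patches quoted above. */
#define LINK_MSG_MAX  4096u  /* cap on header->size (patch 0001) */
#define LINK_CAPS_MAX 1024u  /* cap on each capability count (patch 0002) */

/* Constructed stand-in holding only the fields named in the hunks;
 * this is NOT the real SpiceLinkMess layout. */
struct link_fields {
    uint32_t num_common_caps;
    uint32_t num_channel_caps;
    uint32_t caps_offset;
};

/* Hypothetical unbounded check: every step is 32-bit arithmetic on
 * client-supplied values, so each step can wrap around. */
bool caps_fit_naive(const struct link_fields *m, uint32_t msg_size)
{
    uint32_t num_caps = m->num_common_caps + m->num_channel_caps; /* can wrap to 0 */
    if (num_caps == 0) {
        return true; /* looks like "no capabilities", range check skipped */
    }
    /* the multiplication and the addition can wrap as well */
    return num_caps * (uint32_t)sizeof(uint32_t) + m->caps_offset <= msg_size;
}

/* Bounded check: apply the patches' limits first, then do the range
 * arithmetic in 64 bits so that no intermediate value can wrap. */
bool caps_fit_checked(const struct link_fields *m, uint32_t msg_size,
                      uint32_t min_size)
{
    if (msg_size < min_size || msg_size > LINK_MSG_MAX) {
        return false;
    }
    if (m->num_common_caps > LINK_CAPS_MAX ||
        m->num_channel_caps > LINK_CAPS_MAX) {
        return false;
    }
    uint64_t num_caps = (uint64_t)m->num_common_caps + m->num_channel_caps;
    uint64_t end = (uint64_t)m->caps_offset + num_caps * sizeof(uint32_t);
    return end <= msg_size; /* capability array must lie inside the message */
}

int main(void)
{
    /* Constructed sample inputs; min_size 18 is an arbitrary stand-in. */
    const struct { const char *name; struct link_fields m; uint32_t size; } cases[] = {
        { "well-formed",        { 1u, 1u, 18u },                   26u },
        { "sum wraps to 0",     { 0x80000000u, 0x80000000u, 18u }, 64u },
        { "product wraps",      { 1u, 0x40000000u, 18u },          64u },
        { "offset wraps",       { 1u, 1u, 0xfffffff8u },           64u },
        { "counts ok, too big", { 1024u, 1024u, 18u },             4096u },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-20s naive=%d checked=%d\n", cases[i].name,
               caps_fit_naive(&cases[i].m, cases[i].size),
               caps_fit_checked(&cases[i].m, cases[i].size, 18u));
    }
    return 0;
}
```

The last case shows that the per-field limit of 1024 alone still allows a capability array larger than a 4096-byte message, so the range check against the message size remains necessary.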


* [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5
  2017-06-21 22:07 ` [Buildroot] [PATCH 1/4] spice: bump to version 0.12.5 Peter Korsgaard
@ 2017-06-22 20:24   ` Yann E. MORIN
  0 siblings, 0 replies; 12+ messages in thread
From: Yann E. MORIN @ 2017-06-22 20:24 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Tunneling support is gone upstream, so drop the patch and add
> Config.in.legacy handling for the option.
> 
> Celt051 is no longer a hard dependency, and opus is a new optional
> dependency, so adjust the dependencies to match.
> 
> Python / pyparsing are not needed as the tarball contains the generated
> files (this should presumably have been host-python in the first place as
> these are used at build time), but we need a small workaround to convince
> configure that they really aren't needed.
> 
> Alsa-lib is only needed for client support, and the configure script checks
> for X11/Xext/Xrender, so adjust the dependencies to match.
> 
> A user manual is now generated by default if asciidoc is available, so
> explicitly disable that.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Thanks for handling my almost 5-year old crap... ;-)

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  Config.in.legacy                                   |  7 ++++
>  ...0001-fix-missing-monitor_latency-argument.patch | 28 --------------
>  package/spice/Config.in                            | 19 ++-------
>  package/spice/spice.hash                           |  2 +-
>  package/spice/spice.mk                             | 45 +++++++++++++++-------
>  5 files changed, 43 insertions(+), 58 deletions(-)
>  delete mode 100644 package/spice/0001-fix-missing-monitor_latency-argument.patch
> 
> diff --git a/Config.in.legacy b/Config.in.legacy
> index 9a53495627..dc99b7c2eb 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,13 @@ endif
>  ###############################################################################
>  comment "Legacy options removed in 2017.08"
>  
> +config BR2_PACKAGE_SPICE_TUNNEL
> +	bool "spice network redirection removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice network redirection, aka tunnelling has been removed
> +	  upstream.
> +
>  config BR2_PACKAGE_INPUT_TOOLS
>  	bool "input-tools removed"
>  	select BR2_LEGACY
> diff --git a/package/spice/0001-fix-missing-monitor_latency-argument.patch b/package/spice/0001-fix-missing-monitor_latency-argument.patch
> deleted file mode 100644
> index e14dd2ce37..0000000000
> --- a/package/spice/0001-fix-missing-monitor_latency-argument.patch
> +++ /dev/null
> @@ -1,28 +0,0 @@
> -From 0d3767853ca179ce04a9b312d7a30d33d1266a3b Mon Sep 17 00:00:00 2001
> -From: Axel Lin <axel.lin@ingics.com>
> -Date: Thu, 10 Oct 2013 12:36:40 +0800
> -Subject: [PATCH] red_tunnel_worker: Fix build error due to missing monitor_latency argument
> -
> -Fix missing monitor_latency argument in red_channel_client_create call.
> -
> -Signed-off-by: Axel Lin <axel.lin@ingics.com>
> ----
> - server/red_tunnel_worker.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/server/red_tunnel_worker.c b/server/red_tunnel_worker.c
> -index 97dcafd..6781d73 100644
> ---- a/server/red_tunnel_worker.c
> -+++ b/server/red_tunnel_worker.c
> -@@ -3417,7 +3417,7 @@ static void handle_tunnel_channel_link(RedChannel *channel, RedClient *client,
> -     }
> - 
> -     tcc = (TunnelChannelClient*)red_channel_client_create(sizeof(TunnelChannelClient),
> --                                                          channel, client, stream,
> -+                                                          channel, client, stream, FALSE,
> -                                                           0, NULL, 0, NULL);
> -     if (!tcc) {
> -         return;
> --- 
> -1.8.1.2
> -
> diff --git a/package/spice/Config.in b/package/spice/Config.in
> index bde3a92859..220f9994da 100644
> --- a/package/spice/Config.in
> +++ b/package/spice/Config.in
> @@ -2,23 +2,15 @@ comment "spice server needs a toolchain w/ wchar, threads"
>  	depends on BR2_i386 || BR2_x86_64
>  	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS
>  
> -comment "spice server depends on python (for pyparsing)"
> -	depends on BR2_i386 || BR2_x86_64
> -	depends on !BR2_PACKAGE_PYTHON
> -
>  config BR2_PACKAGE_SPICE
>  	bool "spice server"
>  	depends on BR2_i386 || BR2_x86_64
> -	depends on BR2_PACKAGE_PYTHON
>  	depends on BR2_USE_WCHAR # libglib2
>  	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
> -	select BR2_PACKAGE_ALSA_LIB
> -	select BR2_PACKAGE_CELT051
>  	select BR2_PACKAGE_JPEG
>  	select BR2_PACKAGE_LIBGLIB2
>  	select BR2_PACKAGE_OPENSSL
>  	select BR2_PACKAGE_PIXMAN
> -	select BR2_PACKAGE_PYTHON_PYPARSING
>  	select BR2_PACKAGE_SPICE_PROTOCOL
>  	help
>  	  The Spice project aims to provide a complete open source
> @@ -43,6 +35,10 @@ config BR2_PACKAGE_SPICE_CLIENT
>  	depends on BR2_INSTALL_LIBSTDCPP
>  	select BR2_PACKAGE_XLIB_LIBXFIXES
>  	select BR2_PACKAGE_XLIB_LIBXRANDR
> +	select BR2_PACKAGE_XLIB_LIBX11
> +	select BR2_PACKAGE_XLIB_LIBXEXT
> +	select BR2_PACKAGE_XLIB_LIBXRENDER
> +	select BR2_PACKAGE_ALSA_LIB
>  
>  comment "client needs a toolchain w/ threads, C++"
>  	depends on BR2_PACKAGE_XORG7
> @@ -60,11 +56,4 @@ config BR2_PACKAGE_SPICE_GUI
>  comment "gui needs a toolchain w/ dynamic library"
>  	depends on BR2_STATIC_LIBS
>  
> -config BR2_PACKAGE_SPICE_TUNNEL
> -	bool "Enable network redirection"
> -	select BR2_PACKAGE_SLIRP
> -	help
> -	  Say 'y' here to enable network redirection, aka tunnelling
> -	  through a SLIP/SLIRP session.
> -
>  endif # BR2_PACKAGE_SPICE
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index c4d63198fb..0a943f0332 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
>  # Locally calculated
> -sha256	cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387	spice-0.12.4.tar.bz2
> +sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
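Review bot: The new spice-0.12.5.tar.bz2 entry is still marked only "# Locally calculated", and the spice.mk hunk of this same patch keeps SPICE_SITE on plain http://, so this sha256 is the only integrity check on the tarball and it was computed from a download that was itself unauthenticated. Please state in the commit message whether the hash was compared against a checksum or signature published by upstream, and if one exists, reference it in the comment instead of "Locally calculated".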
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index 1d26ddcc18..ba76a14d61 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,20 +4,17 @@
>  #
>  ################################################################################
>  
> -SPICE_VERSION = 0.12.4
> +SPICE_VERSION = 0.12.5
>  SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
>  SPICE_SITE = http://www.spice-space.org/download/releases
>  SPICE_LICENSE = LGPL-2.1+
>  SPICE_LICENSE_FILES = COPYING
>  SPICE_INSTALL_STAGING = YES
>  SPICE_DEPENDENCIES = \
> -	alsa-lib \
> -	celt051 \
>  	jpeg \
>  	libglib2 \
>  	openssl \
>  	pixman \
> -	python-pyparsing \
>  	spice-protocol
>  
>  # We disable everything for now, because the dependency tree can become
> @@ -26,13 +23,32 @@ SPICE_CONF_OPTS = \
>  	--disable-opengl \
>  	--disable-smartcard \
>  	--disable-automated-tests \
> -	--without-sasl
> +	--without-sasl \
> +	--disable-manual
>  
>  SPICE_DEPENDENCIES += host-pkgconf
>  
> +ifeq ($(BR2_PACKAGE_CELT051),y)
> +SPICE_CONF_OPTS += --enable-celt051
> +SPICE_DEPENDENCIES += celt051
> +else
> +SPICE_CONF_OPTS += --disable-celt051
> +endif
> +
> +# no enable/disable, detected using pkg-config
> +ifeq ($(BR2_PACKAGE_OPUS),y)
> +SPICE_DEPENDENCIES += opus
> +endif
> +
>  ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
>  SPICE_CONF_OPTS += --enable-client
> -SPICE_DEPENDENCIES += xlib_libXfixes xlib_libXrandr
> +SPICE_DEPENDENCIES += \
> +	xlib_libXfixes \
> +	xlib_libXrandr \
> +	xlib_libX11 \
> +	xlib_libXext \
> +	xlib_libXrender \
> +	alsa-lib
>  else
>  SPICE_CONF_OPTS += --disable-client
>  endif
> @@ -44,15 +60,16 @@ else
>  SPICE_CONF_OPTS += --disable-gui
>  endif
>  
> -ifeq ($(BR2_PACKAGE_SPICE_TUNNEL),y)
> -SPICE_CONF_OPTS += --enable-tunnel
> -SPICE_DEPENDENCIES += slirp
> -else
> -SPICE_CONF_OPTS += --disable-tunnel
> -endif
> +# spice uses a number of source files that are generated with python / pyparsing.
> +# The generated files are part of the tarball, so python / pyparsing isn't needed
> +# when building from the tarball, but the configure script gets confused and looks
> +# for the wrong file name to know if it needs to check for python / pyparsing,
> +# so convince it they aren't needed
> +define SPICE_NO_PYTHON_PYPARSING
> +	touch $(@D)/client/generated_marshallers.cpp
> +endef
>  
> -SPICE_CONF_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
> -SPICE_MAKE_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
> +SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
>  
>  # We need to tweak spice.pc because it /forgets/ (for static linking) that
>  # it should link against libz and libjpeg. libz is pkg-config-aware, while
> -- 
> 2.11.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6
  2017-06-21 22:07 ` [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6 Peter Korsgaard
@ 2017-06-22 20:27   ` Yann E. MORIN
  0 siblings, 0 replies; 12+ messages in thread
From: Yann E. MORIN @ 2017-06-22 20:27 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2015-3247: Race condition in the worker_update_monitors_config function
> in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
> of service (heap-based memory corruption and QEMU-KVM crash) or possibly
> execute arbitrary code on the host via unspecified vectors.
> 
> CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to cause a denial of service (heap-based memory corruption
> and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
> commands related to the surface_id parameter.
> 
> CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to read and write to arbitrary memory locations on the host
> via guest QXL commands related to surface creation.
> 
> Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
> add Config.in.legacy handling for them.
> 
> Lz4 is a new optional dependency, so handle it.
> 
> The spice protocol definition is no longer included and instead used from
> spice-protocol.  The build system uses pkg-config --variable=codegendir to
> find the build time path of this, which doesn't take our STAGING_DIR prefix
> into consideration, so it needs some help.  The installed protocol
> definition will likewise be newer than the generated files, so we need to
> workaround that to ensure they are not regenerated (which needs host python
> / pyparsing).
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  Config.in.legacy         | 16 ++++++++++++++++
>  package/spice/Config.in  | 35 -----------------------------------
>  package/spice/spice.hash |  2 +-
>  package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
>  4 files changed, 36 insertions(+), 57 deletions(-)
> 
> diff --git a/Config.in.legacy b/Config.in.legacy
> index dc99b7c2eb..361d331dc9 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,22 @@ endif
>  ###############################################################################
>  comment "Legacy options removed in 2017.08"
>  
> +config BR2_PACKAGE_SPICE_CLIENT
> +	bool "spice client support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice client support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
> +config BR2_PACKAGE_SPICE_GUI
> +	bool "spice gui support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice gui support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
>  config BR2_PACKAGE_SPICE_TUNNEL
>  	bool "spice network redirection removed"
>  	select BR2_LEGACY
> diff --git a/package/spice/Config.in b/package/spice/Config.in
> index 220f9994da..2241b55b3d 100644
> --- a/package/spice/Config.in
> +++ b/package/spice/Config.in
> @@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
>  	  This package implements the server-part of Spice.
>  
>  	  http://www.spice-space.org/
> -
> -if BR2_PACKAGE_SPICE
> -
> -comment "client depends on X.org"
> -	depends on !BR2_PACKAGE_XORG7
> -
> -config BR2_PACKAGE_SPICE_CLIENT
> -	bool "Enable client"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on BR2_TOOLCHAIN_HAS_THREADS
> -	depends on BR2_INSTALL_LIBSTDCPP
> -	select BR2_PACKAGE_XLIB_LIBXFIXES
> -	select BR2_PACKAGE_XLIB_LIBXRANDR
> -	select BR2_PACKAGE_XLIB_LIBX11
> -	select BR2_PACKAGE_XLIB_LIBXEXT
> -	select BR2_PACKAGE_XLIB_LIBXRENDER
> -	select BR2_PACKAGE_ALSA_LIB
> -
> -comment "client needs a toolchain w/ threads, C++"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
> -
> -config BR2_PACKAGE_SPICE_GUI
> -	bool "Enable GUI"
> -	depends on BR2_PACKAGE_SPICE_CLIENT
> -	depends on !BR2_STATIC_LIBS
> -	select BR2_PACKAGE_CEGUI06
> -	help
> -	  Say 'y' here to enable the Graphical User Interface (GUI)
> -	  start dialog.
> -
> -comment "gui needs a toolchain w/ dynamic library"
> -	depends on BR2_STATIC_LIBS
> -
> -endif # BR2_PACKAGE_SPICE
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index 0a943f0332..04bd516689 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
>  # Locally calculated
> -sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
> +sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index ba76a14d61..f1fb46d29c 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SPICE_VERSION = 0.12.5
> +SPICE_VERSION = 0.12.6
>  SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
>  SPICE_SITE = http://www.spice-space.org/download/releases
>  SPICE_LICENSE = LGPL-2.1+
> @@ -35,38 +35,36 @@ else
>  SPICE_CONF_OPTS += --disable-celt051
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LZ4),y)
> +SPICE_CONF_OPTS += --enable-lz4
> +SPICE_DEPENDENCIES += lz4
> +else
> +SPICE_CONF_OPTS += --disable-lz4
> +endif
> +
>  # no enable/disable, detected using pkg-config
>  ifeq ($(BR2_PACKAGE_OPUS),y)
>  SPICE_DEPENDENCIES += opus
>  endif
>  
> -ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
> -SPICE_CONF_OPTS += --enable-client
> -SPICE_DEPENDENCIES += \
> -	xlib_libXfixes \
> -	xlib_libXrandr \
> -	xlib_libX11 \
> -	xlib_libXext \
> -	xlib_libXrender \
> -	alsa-lib
> -else
> -SPICE_CONF_OPTS += --disable-client
> -endif
> -
> -ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
> -SPICE_CONF_OPTS += --enable-gui
> -SPICE_DEPENDENCIES += cegui06
> -else
> -SPICE_CONF_OPTS += --disable-gui
> -endif
> +# build system uses pkg-config --variable=codegendir spice-protocol which
> +# returns the runtime path rather than build time, so it needs some help
> +SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
> +SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> +SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
>  
>  # spice uses a number of source files that are generated with python / pyparsing.
>  # The generated files are part of the tarball, so python / pyparsing isn't needed
>  # when building from the tarball, but the configure script gets confused and looks
>  # for the wrong file name to know if it needs to check for python / pyparsing,
> -# so convince it they aren't needed
> +# so convince it they aren't needed.
> +# It will also regenerate these files if the spice-protocol protocol definition
> +# is newer than the generated files (which it will be when spice-protocol
> +# installs it to staging), so ensure their timestamp is updated to skip this.
>  define SPICE_NO_PYTHON_PYPARSING
> +	mkdir -p $(@D)/client
>  	touch $(@D)/client/generated_marshallers.cpp
> +	touch $(@D)/spice-common/common/generated_*
>  endef
>  
>  SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
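Review bot: In SPICE_NO_PYTHON_PYPARSING, the added "touch $(@D)/spice-common/common/generated_*" is an unguarded glob: if nothing matches, the shell passes the pattern through literally, touch creates a file named "generated_*" and the hook still succeeds, so the regeneration this is meant to prevent (which needs host python / pyparsing) would only surface later as a confusing build failure. Consider making the hook fail when no generated_ files are found. A one-line comment that SPICE_INSTALL_STAGING_OPTS and SPICE_INSTALL_TARGET_OPTS are overridden only to carry CODE_GENERATOR_BASEDIR would also help whoever removes the workaround later.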
> -- 
> 2.11.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 3/4] spice: security bump to version 0.12.8
  2017-06-21 22:07 ` [Buildroot] [PATCH 3/4] spice: security bump to version 0.12.8 Peter Korsgaard
@ 2017-06-22 20:28   ` Yann E. MORIN
  0 siblings, 0 replies; 12+ messages in thread
From: Yann E. MORIN @ 2017-06-22 20:28 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to
> cause a denial of service (QEMU-KVM process crash) or possibly execute
> arbitrary code via vectors related to connecting to a guest VM, which
> triggers a heap-based buffer overflow.
> 
> CVE-2016-2150: SPICE allows local guest OS users to read from or write to
> arbitrary host memory locations via crafted primary surface parameters, a
> similar issue to CVE-2015-5261.
> 
> The pyparsing check has been dropped from configure, and the spice protocol
> definition is again included, so the workarounds can be removed.

All that work for that... :-/

> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  package/spice/spice.hash |  2 +-
>  package/spice/spice.mk   | 24 +-----------------------
>  2 files changed, 2 insertions(+), 24 deletions(-)
> 
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index 04bd516689..c9b591f41d 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
>  # Locally calculated
> -sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
> +sha256	f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d	spice-0.12.8.tar.bz2
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index f1fb46d29c..7b09f39fe7 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SPICE_VERSION = 0.12.6
> +SPICE_VERSION = 0.12.8
>  SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
>  SPICE_SITE = http://www.spice-space.org/download/releases
>  SPICE_LICENSE = LGPL-2.1+
> @@ -47,28 +47,6 @@ ifeq ($(BR2_PACKAGE_OPUS),y)
>  SPICE_DEPENDENCIES += opus
>  endif
>  
> -# build system uses pkg-config --variable=codegendir spice-protocol which
> -# returns the runtime path rather than build time, so it needs some help
> -SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
> -SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> -SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
> -
> -# spice uses a number of source files that are generated with python / pyparsing.
> -# The generated files are part of the tarball, so python / pyparsing isn't needed
> -# when building from the tarball, but the configure script gets confused and looks
> -# for the wrong file name to know if it needs to check for python / pyparsing,
> -# so convince it they aren't needed.
> -# It will also regenerate these files if the spice-protocol protocol definition
> -# is newer than the generated files (which it will be when spice-protocol
> -# installs it to staging), so ensure their timestamp is updated to skip this.
> -define SPICE_NO_PYTHON_PYPARSING
> -	mkdir -p $(@D)/client
> -	touch $(@D)/client/generated_marshallers.cpp
> -	touch $(@D)/spice-common/common/generated_*
> -endef
> -
> -SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
> -
>  # We need to tweak spice.pc because it /forgets/ (for static linking) that
>  # it should link against libz and libjpeg. libz is pkg-config-aware, while
>  # libjpeg isn't, hence the two-line tweak
> -- 
> 2.11.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes
  2017-06-21 22:07 ` [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes Peter Korsgaard
@ 2017-06-22 20:37   ` Yann E. MORIN
  2017-06-22 21:23     ` Peter Korsgaard
  0 siblings, 1 reply; 12+ messages in thread
From: Yann E. MORIN @ 2017-06-22 20:37 UTC (permalink / raw)
  To: buildroot

Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2016-9577
> 
>     Frediano Ziglio of Red Hat discovered a buffer overflow
>     vulnerability in the main_channel_alloc_msg_rcv_buf function. An
>     authenticated attacker can take advantage of this flaw to cause a
>     denial of service (spice server crash), or possibly, execute
>     arbitrary code.
> 
> CVE-2016-9578
> 
>     Frediano Ziglio of Red Hat discovered that spice does not properly
>     validate incoming messages. An attacker able to connect to the
>     spice server could send crafted messages which would cause the
>     process to crash.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
>  ...sible-DoS-attempts-during-protocol-handsh.patch | 60 ++++++++++++++++++++++
>  ...nt-integer-overflows-in-capability-checks.patch | 43 ++++++++++++++++
>  ...l-Prevent-overflow-reading-messages-from-.patch | 33 ++++++++++++
>  3 files changed, 136 insertions(+)
>  create mode 100644 package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
>  create mode 100644 package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
>  create mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch

Although this is not strictly speaking a security fix, I wonder if we
should not backport 1d597f4b1 (Call migrate_end_complete() after falling
back to switch-host) as it fixes a migration issue with qemu 2.6.

Anyway:

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> diff --git a/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
> new file mode 100644
> index 0000000000..57a64d96b7
> --- /dev/null
> +++ b/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
> @@ -0,0 +1,60 @@
> +From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
> +From: Frediano Ziglio <fziglio@redhat.com>
> +Date: Tue, 13 Dec 2016 14:39:48 +0000
> +Subject: [PATCH] Prevent possible DoS attempts during protocol handshake
> +
> +The limit for link message is specified using a 32 bit unsigned integer.
> +This could cause possible DoS due to excessive memory allocations and
> +some possible crashes.
> +For instance a value >= 2^31 causes a spice_assert to be triggered in
> +async_read_handler (reds-stream.c) due to an integer overflow at this
> +line:
> +
> +   int n = async->end - async->now;
> +
> +This could be easily triggered with a program like
> +
> +  #!/usr/bin/env python
> +
> +  import socket
> +  import time
> +  from struct import pack
> +
> +  server = '127.0.0.1'
> +  port = 5900
> +
> +  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
> +  s.connect((server, port))
> +  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
> +  s.send(data)
> +
> +  time.sleep(1)
> +
> +without requiring any authentication (the same can be done
> +with TLS).
> +
> +[Peter: fixes CVE-2016-9578]
> +Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
> +Acked-by: Christophe Fergeau <cfergeau@redhat.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +---
> + server/reds.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/server/reds.c b/server/reds.c
> +index f40b65c1..86a33d53 100644
> +--- a/server/reds.c
> ++++ b/server/reds.c
> +@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
> + 
> +     reds->peer_minor_version = header->minor_version;
> + 
> +-    if (header->size < sizeof(SpiceLinkMess)) {
> ++    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
> ++    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
> +         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
> +         spice_warning("bad size %u", header->size);
> +         reds_link_free(link);
> +-- 
> +2.11.0
> +
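Review bot: The upper bound added in reds_handle_read_header_done is a bare literal, "header->size > 4096", and the follow-up capability patch ties its own 1024 limit to it only in its commit message. A named constant shared by both checks would keep the two limits from drifting apart. That is a point to raise upstream, since this file is a backport of commit 1c6517973095 and should stay identical to it.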
> diff --git a/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
> new file mode 100644
> index 0000000000..5bf9b89d17
> --- /dev/null
> +++ b/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
> @@ -0,0 +1,43 @@
> +From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
> +From: Frediano Ziglio <fziglio@redhat.com>
> +Date: Tue, 13 Dec 2016 14:40:10 +0000
> +Subject: [PATCH] Prevent integer overflows in capability checks
> +
> +The limits for capabilities are specified using 32 bit unsigned integers.
> +This could cause possible integer overflows causing buffer overflows.
> +For instance the sum of num_common_caps and num_caps can be 0 avoiding
> +additional checks.
> +As the link message is now capped to 4096 and the capabilities are
> +contained in the link message limit the capabilities to 1024
> +(capabilities are expressed in number of uint32_t items).
> +
> +[Peter: fixes CVE-2016-9578]
> +Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
> +Acked-by: Christophe Fergeau <cfergeau@redhat.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +---
> + server/reds.c | 8 ++++++++
> + 1 file changed, 8 insertions(+)
> +
> +diff --git a/server/reds.c b/server/reds.c
> +index 86a33d53..91504544 100644
> +--- a/server/reds.c
> ++++ b/server/reds.c
> +@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
> +     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
> +     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
> + 
> ++    /* Prevent DoS. Currently we defined only 13 capabilities,
> ++     * I expect 1024 to be valid for quite a lot time */
> ++    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
> ++        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
> ++        reds_link_free(link);
> ++        return;
> ++    }
> ++
> +     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
> +     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
> + 
> +-- 
> +2.11.0
> +
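Review bot: The new rejection path in reds_handle_read_link_done returns without logging anything, whereas the size check added by the previous patch calls spice_warning("bad size %u", header->size) before freeing the link. Logging the rejected num_channel_caps and num_common_caps here would give operators the same visibility into malformed handshakes. The in-code remark "only 13 capabilities" will also go stale; stating that 1024 uint32_t items corresponds to the 4096-byte link message cap would age better.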
> diff --git a/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
> new file mode 100644
> index 0000000000..f602d5f3b1
> --- /dev/null
> +++ b/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
> @@ -0,0 +1,33 @@
> +From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
> +From: Frediano Ziglio <fziglio@redhat.com>
> +Date: Tue, 29 Nov 2016 16:46:56 +0000
> +Subject: [PATCH] main-channel: Prevent overflow reading messages from client
> +
> +Caller is supposed the function return a buffer able to store
> +size bytes.
> +
> +[Peter: fixes CVE-2016-9577]
> +Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
> +Acked-by: Christophe Fergeau <cfergeau@redhat.com>
> +Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> +---
> + server/main_channel.c | 3 +++
> + 1 file changed, 3 insertions(+)
> +
> +diff --git a/server/main_channel.c b/server/main_channel.c
> +index 0ecc9df8..1fc39155 100644
> +--- a/server/main_channel.c
> ++++ b/server/main_channel.c
> +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
> + 
> +     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
> +         return reds_get_agent_data_buffer(mcc, size);
> ++    } else if (size > sizeof(main_chan->recv_buf)) {
> ++        /* message too large, caller will log a message and close the connection */
> ++        return NULL;
> +     } else {
> +         return main_chan->recv_buf;
> +     }
> +-- 
> +2.11.0
> +
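Review bot: The new bound in main_channel_alloc_msg_rcv_buf only covers the non-agent branch: for SPICE_MSGC_MAIN_AGENT_DATA the client-supplied size still goes straight to reds_get_agent_data_buffer(mcc, size), and nothing in this hunk shows that it is limited there. It is worth confirming, and saying in the commit message, that the agent path validates size itself, since the stated contract is that the returned buffer can hold size bytes.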
> -- 
> 2.11.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


* [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes
  2017-06-22 20:37   ` Yann E. MORIN
@ 2017-06-22 21:23     ` Peter Korsgaard
  0 siblings, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-22 21:23 UTC (permalink / raw)
  To: buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

Hi,
 >> create mode 100644 package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch

 > Although this is not strictly speaking a security fix, I wonder if we
 > should not backport 1d597f4b1 (Call migrate_end_complete() after falling
 > back to switch-host) as it fixes a migration issue with qemu 2.6.

Yes, that might be a good idea as a followup patch as it is such a
simple patch and fixes a real issue.

 > Anyway:

 > Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Thanks for the reviews!

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 0/4] spice: version bump / security bump
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
                   ` (3 preceding siblings ...)
  2017-06-21 22:07 ` [Buildroot] [PATCH 4/4] spice: add post-0.12.8 upstream security fixes Peter Korsgaard
@ 2017-06-22 21:26 ` Peter Korsgaard
  2017-06-26 12:38 ` Peter Korsgaard
  5 siblings, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-22 21:26 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Our spice version is quite old (2013) and is affected by a number of
 > security issues, so bump to the latest release in the 0.12.x series +
 > upstream post-0.12.8 security fixes.

 > As the configuration options and dependencies have changed quite a bit since
 > 2013, don't just do the entire bump in a single patch, but instead move
 > forward release by release for easier review.

 > Peter Korsgaard (4):
 >   spice: bump to version 0.12.5
 >   spice: security bump to version 0.12.6
 >   spice: security bump to version 0.12.8
 >   spice: add post-0.12.8 upstream security fixes

Committed series, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 0/4] spice: version bump / security bump
  2017-06-21 22:07 [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
                   ` (4 preceding siblings ...)
  2017-06-22 21:26 ` [Buildroot] [PATCH 0/4] spice: version bump / security bump Peter Korsgaard
@ 2017-06-26 12:38 ` Peter Korsgaard
  5 siblings, 0 replies; 12+ messages in thread
From: Peter Korsgaard @ 2017-06-26 12:38 UTC (permalink / raw)
  To: buildroot

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Our spice version is quite old (2013) and is affected by a number of
 > security issues, so bump to the latest release in the 0.12.x series +
 > upstream post-0.12.8 security fixes.

 > As the configuration options and dependencies have changed quite a bit since
 > 2013, don't just do the entire bump in a single patch, but instead move
 > forward release by release for easier review.

 > Peter Korsgaard (4):
 >   spice: bump to version 0.12.5
 >   spice: security bump to version 0.12.6
 >   spice: security bump to version 0.12.8
 >   spice: add post-0.12.8 upstream security fixes

Committed series to 2017.02.x and 2017.05.x, thanks.

-- 
Bye, Peter Korsgaard

