[arch-commits] Commit in spice/repos (3 files)

Wed, 06 Feb 2019 10:14:32 -0800 

    Date: Wednesday, February 6, 2019 @ 18:14:10
  Author: anatolik
Revision: 345330

archrelease: copy trunk to testing-x86_64

Added:
  spice/repos/testing-x86_64/
  spice/repos/testing-x86_64/CVE-2019-3813.patch
    (from rev 345329, spice/trunk/CVE-2019-3813.patch)
  spice/repos/testing-x86_64/PKGBUILD
    (from rev 345329, spice/trunk/PKGBUILD)

---------------------+
 CVE-2019-3813.patch |   50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |   41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)

Copied: spice/repos/testing-x86_64/CVE-2019-3813.patch (from rev 345329, 
spice/trunk/CVE-2019-3813.patch)
===================================================================
--- testing-x86_64/CVE-2019-3813.patch                          (rev 0)
+++ testing-x86_64/CVE-2019-3813.patch  2019-02-06 18:14:10 UTC (rev 345330)
@@ -0,0 +1,50 @@
+commit 42f658a48b675de736317b28bcc2061508f407c3
+Author: Christophe Fergeau <cferg...@redhat.com>
+Date:   Thu Nov 29 14:18:39 2018 +0100
+
+    memslot: Fix off-by-one error in group/slot boundary check
+    
+    RedMemSlotInfo keeps an array of groups, and each group contains an
+    array of slots. Unfortunately, these checks are off by 1, they check
+    that the index is greater or equal to the number of elements in the
+    array, while these arrays are 0 based. The check should only check for
+    strictly greater than the number of elements.
+    
+    For the group array, this is not a big issue, as these memslot groups
+    are created by spice-server users (eg QEMU), and the group ids used to
+    index that array are also generated by the spice-server user, so it
+    should not be possible for the guest to set them to arbitrary values.
+    
+    The slot id is more problematic, as it's calculated from a QXLPHYSICAL
+    address, and such addresses are usually set by the guest QXL driver, so
+    the guest can set these to arbitrary values, including malicious values,
+    which are probably easy to build from the guest PCI configuration.
+    
+    This patch fixes the arrays bound check, and adds a test case for this.
+    This fixes CVE-2019-3813.
+    
+    Signed-off-by: Christophe Fergeau <cferg...@redhat.com>
+    Acked-by: Frediano Ziglio <fzig...@redhat.com>
+
+diff --git a/server/memslot.c b/server/memslot.c
+index 7074b432..8c59c383 100644
+--- a/server/memslot.c
++++ b/server/memslot.c
+@@ -99,14 +99,14 @@ unsigned long memslot_get_virt(RedMemSlotInfo *info, 
QXLPHYSICAL addr, uint32_t
+     MemSlot *slot;
+ 
+     *error = 0;
+-    if (group_id > info->num_memslots_groups) {
++    if (group_id >= info->num_memslots_groups) {
+         spice_critical("group_id too big");
+         *error = 1;
+         return 0;
+     }
+ 
+     slot_id = memslot_get_id(info, addr);
+-    if (slot_id > info->num_memslots) {
++    if (slot_id >= info->num_memslots) {
+         print_memslots(info);
+         spice_critical("slot_id %d too big, addr=%" PRIx64, slot_id, addr);
+         *error = 1;
+ 

Copied: spice/repos/testing-x86_64/PKGBUILD (from rev 345329, 
spice/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD                             (rev 0)
+++ testing-x86_64/PKGBUILD     2019-02-06 18:14:10 UTC (rev 345330)
@@ -0,0 +1,41 @@
+# Maintainer: Sergej Pupykin <pupykin.s+a...@gmail.com>
+# Maintainer: Patryk Kowalczyk < patryk at kowalczyk dot ws>
+
+pkgname=spice
+pkgver=0.14.0
+pkgrel=3
+pkgdesc="SPICE server"
+arch=('x86_64')
+url="https://www.spice-space.org";
+license=('LGPL2.1')
+depends=(celt0.5.1 libjpeg-turbo libsasl pixman glib2 opus lz4)
+makedepends=(python2-pyparsing python2-six qemu spice-protocol git libcacard)
+source=(https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2
+        
https://www.spice-space.org/download/releases/spice-$pkgver.tar.bz2.sign
+        CVE-2019-3813.patch)
+sha256sums=('3adb9495b51650e5eab53c74dd6a74919af4b339ff21721d9ab2a45b2e3bb848'
+            'SKIP'
+            '35c4f83f0b5933be2589327bfe203085289180217514d61dba2977b0ec6a6d39')
+validpgpkeys=(94A9F75661F77A6168649B23A9D8C21429AC6C82) # Christophe Fergeau 
(teuf) <christo...@fergeau.eu>
+
+prepare() {
+  cd spice-$pkgver
+  # based on upstream change a4a16ac42d2f19a17e36556546aa94d5cd83745f
+  patch -p1 < ../CVE-2019-3813.patch
+}
+
+build() {
+  cd spice-$pkgver
+  PYTHON=python2 ./configure --prefix=/usr --disable-static --enable-smartcard 
--enable-client --disable-werror
+  make
+}
+
+check() {
+  cd spice-$pkgver
+  make check
+}
+
+package() {
+  cd spice-$pkgver
+  make DESTDIR="$pkgdir/" install
+}

Reply via email to