Source: spice-gtk
Version: 0.25-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for spice-gtk.

CVE-2017-12194[0]:
| A flaw was found in the way spice-client processed certain messages
| sent from the server. An attacker, having control of malicious
| spice-server, could use this flaw to crash the client or execute
| arbitrary code with permissions of the user running the client.
| spice-gtk versions through 0.34 are believed to be vulnerable.

See [2] for a test program to demonstrate the issue (attached here as
well) and two proposed patches to be applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12194
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1501200
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1240165

Regards,
Salvatore
>From 78b54cbaa064f0ac94af114edb54fca3b365430d Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fzig...@redhat.com>
Date: Fri, 19 Jun 2015 14:42:54 +0100
Subject: [PATCH spice-common 1/3] Write a small test to test possible crash

This small test proves that the currently generated demarshaller code
is not safe against integer overflows leading to buffer overflows.
Actually, from a quick look at the protocol it seems that the client
can't cause these overflows but the server can quite easily, as
demonstrated by this test.

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
---
 tests/Makefile.am     | 14 +++++++++
 tests/test-overflow.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100644 tests/test-overflow.c

Index: spice-gtk-0.34/spice-common/tests/Makefile.am
===================================================================
--- spice-gtk-0.34.orig/spice-common/tests/Makefile.am
+++ spice-gtk-0.34/spice-common/tests/Makefile.am
@@ -63,4 +63,18 @@ EXTRA_DIST =                         \
        test-marshallers.proto          \
        $(NULL)
 
+TESTS += test_overflow
+test_overflow_SOURCES = test-overflow.c
+test_overflow_CFLAGS = \
+       -I$(top_srcdir) \
+       $(GLIB2_CFLAGS) \
+       $(SPICE_COMMON_CFLAGS) \
+       $(PROTOCOL_CFLAGS) \
+       $(NULL)
+test_overflow_LDADD = \
+       $(top_builddir)/common/libspice-common.la \
+       $(top_builddir)/common/libspice-common-server.la \
+       $(top_builddir)/common/libspice-common-client.la \
+       $(NULL)
+
 -include $(top_srcdir)/git.mk
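Review bot: Nothing in the hunk records what `test_overflow` exercises, which a reader of `tests/Makefile.am` would want for a security regression test; a one-line comment above `TESTS += test_overflow`, `# Regression test: the client demarshaller must reject a message whose element count overflows the size computation (CVE-2017-12194)`, would tie the target to the issue it guards. The include path `-I$(top_srcdir)` is a preprocessor flag placed in `test_overflow_CFLAGS`; automake's `test_overflow_CPPFLAGS` is the conventional home, though if the neighbouring `test_marshallers` rule (outside the hunk) does the same, keeping the file consistent is preferable.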
Index: spice-gtk-0.34/spice-common/tests/test-overflow.c
===================================================================
--- /dev/null
+++ spice-gtk-0.34/spice-common/tests/test-overflow.c
@@ -0,0 +1,80 @@
+/*
+   Copyright (C) 2015 Red Hat, Inc.
+
+   This library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   This library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with this library; if not, see <http://www.gnu.org/licenses/>.
+*/
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include <common/marshaller.h>
+#include <common/generated_server_marshallers.h>
+#include <common/client_demarshallers.h>
+
+#define NUM_CHANNELS 3u
+
+int main(void)
+{
+       SpiceMarshaller *m;
+       SpiceMsgChannels *msg;
+       uint8_t *data, *out;
+       size_t len;
+       int to_free = 0;
+       spice_parse_channel_func_t func;
+       unsigned int max_message_type, n;
+       message_destructor_t free_output;
+
+       m = spice_marshaller_new();
+       assert(m);
+
+       msg = (SpiceMsgChannels *) malloc(sizeof(SpiceMsgChannels) +
+             NUM_CHANNELS * sizeof(SpiceChannelId));
+       assert(msg);
+
+       // build a message and marshal it
+       msg->num_of_channels = NUM_CHANNELS;
+       for (n = 0; n < NUM_CHANNELS; ++n)
+               msg->channels[n] = (SpiceChannelId) { n + 1, n * 7 };
+       spice_marshall_msg_main_channels_list(m, msg);
+
+       // get linear data
+       data = spice_marshaller_linearize(m, 0, &len, &to_free);
+       assert(data);
+
+       printf("output len %lu\n", (unsigned long) len);
+
+       // hack, try to core
+       *((uint32_t *) data) = 0x80000002u;
+
+       // extract the message
+       func = spice_get_server_channel_parser(1, &max_message_type);
+       assert(func);
+       out = func(data, data+len, SPICE_MSG_MAIN_CHANNELS_LIST, 0, &len, 
&free_output);
+       assert(out == NULL);
+
+       // cleanup
+       if (to_free)
+               free(data);
+       if (out)
+               free_output(out);
+       free(msg);
+
+       return 0;
+}
+
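Review bot: The only check that the demarshaller rejected the corrupted message is `assert(out == NULL);` after the `func(...)` call, so a build with `NDEBUG` defined drops it and the test passes whenever the parser merely does not crash, even if it returned a buffer sized from a wrapped computation. Replace the assert with an explicit failure path, `if (out != NULL) { fprintf(stderr, "demarshaller accepted overflowing message\n"); free_output(out); return 1; }`, which also makes the later `if (out) free_output(out);` cleanup reachable instead of dead code. The overwrite `*((uint32_t *) data) = 0x80000002u;` deserves a comment naming the field it patches, presumably the leading `num_of_channels` emitted by `spice_marshall_msg_main_channels_list`, and noting that the value is chosen so that the count times `sizeof(SpiceChannelId)` wraps a 32-bit size; that is inferred from the test and should be confirmed against the marshaller layout. `main` is complete within the hunk.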
Index: spice-gtk-0.34/spice-common/tests/Makefile.in
===================================================================
--- spice-gtk-0.34.orig/spice-common/tests/Makefile.in
+++ spice-gtk-0.34/spice-common/tests/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.15.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2017 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -88,7 +88,8 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
-TESTS = test_logging$(EXEEXT) test_marshallers$(EXEEXT)
+TESTS = test_logging$(EXEEXT) test_marshallers$(EXEEXT) \
+       test_overflow$(EXEEXT)
 noinst_PROGRAMS = $(am__EXEEXT_1)
 subdir = tests
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -104,7 +105,8 @@ mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
 CONFIG_CLEAN_VPATH_FILES =
-am__EXEEXT_1 = test_logging$(EXEEXT) test_marshallers$(EXEEXT)
+am__EXEEXT_1 = test_logging$(EXEEXT) test_marshallers$(EXEEXT) \
+       test_overflow$(EXEEXT)
 PROGRAMS = $(noinst_PROGRAMS)
 am_test_logging_OBJECTS = test_logging-test-logging.$(OBJEXT)
 test_logging_OBJECTS = $(am_test_logging_OBJECTS)
@@ -130,6 +132,16 @@ test_marshallers_LINK = $(LIBTOOL) $(AM_
        $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
        $(test_marshallers_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \
        -o $@
+am_test_overflow_OBJECTS = test_overflow-test-overflow.$(OBJEXT)
+test_overflow_OBJECTS = $(am_test_overflow_OBJECTS)
+test_overflow_DEPENDENCIES =  \
+       $(top_builddir)/common/libspice-common.la \
+       $(top_builddir)/common/libspice-common-server.la \
+       $(top_builddir)/common/libspice-common-client.la \
+       $(am__DEPENDENCIES_1)
+test_overflow_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+       $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_overflow_CFLAGS) \
+       $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
 AM_V_P = $(am__v_P_@AM_V@)
 am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
 am__v_P_0 = false
@@ -164,8 +176,10 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
-SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES)
-DIST_SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES)
+SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) \
+       $(test_overflow_SOURCES)
+DIST_SOURCES = $(test_logging_SOURCES) $(test_marshallers_SOURCES) \
+       $(test_overflow_SOURCES)
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
@@ -537,6 +551,7 @@ program_transform_name = @program_transf
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
@@ -601,6 +616,20 @@ EXTRA_DIST = \
        test-marshallers.proto          \
        $(NULL)
 
+test_overflow_SOURCES = test-overflow.c
+test_overflow_CFLAGS = \
+       -I$(top_srcdir) \
+       $(GLIB2_CFLAGS) \
+       $(SPICE_COMMON_CFLAGS) \
+       $(PROTOCOL_CFLAGS) \
+       $(NULL)
+
+test_overflow_LDADD = \
+       $(top_builddir)/common/libspice-common.la \
+       $(top_builddir)/common/libspice-common-server.la \
+       $(top_builddir)/common/libspice-common-client.la \
+       $(NULL)
+
 all: $(BUILT_SOURCES)
        $(MAKE) $(AM_MAKEFLAGS) all-am
 
@@ -653,6 +682,10 @@ test_marshallers$(EXEEXT): $(test_marsha
        @rm -f test_marshallers$(EXEEXT)
        $(AM_V_CCLD)$(test_marshallers_LINK) $(test_marshallers_OBJECTS) 
$(test_marshallers_LDADD) $(LIBS)
 
+test_overflow$(EXEEXT): $(test_overflow_OBJECTS) $(test_overflow_DEPENDENCIES) 
$(EXTRA_test_overflow_DEPENDENCIES) 
+       @rm -f test_overflow$(EXEEXT)
+       $(AM_V_CCLD)$(test_overflow_LINK) $(test_overflow_OBJECTS) 
$(test_overflow_LDADD) $(LIBS)
+
 mostlyclean-compile:
        -rm -f *.$(OBJEXT)
 
@@ -662,6 +695,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/test_logging-test-logging.Po@am__quote@
 @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/test_marshallers-generated_test_marshallers.Po@am__quote@
 @AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/test_marshallers-test-marshallers.Po@am__quote@
+@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/test_overflow-test-overflow.Po@am__quote@
 
 .c.o:
 @am__fastdepCC_TRUE@   $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF 
$(DEPDIR)/$*.Tpo -c -o $@ $<
@@ -726,6 +760,20 @@ test_marshallers-test-marshallers.obj: t
 @AMDEP_TRUE@@am__fastdepCC_FALSE@      DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@  $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_marshallers_CFLAGS) $(CFLAGS) -c 
-o test_marshallers-test-marshallers.obj `if test -f 'test-marshallers.c'; then 
$(CYGPATH_W) 'test-marshallers.c'; else $(CYGPATH_W) 
'$(srcdir)/test-marshallers.c'; fi`
 
+test_overflow-test-overflow.o: test-overflow.c
+@am__fastdepCC_TRUE@   $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -MT 
test_overflow-test-overflow.o -MD -MP -MF 
$(DEPDIR)/test_overflow-test-overflow.Tpo -c -o test_overflow-test-overflow.o 
`test -f 'test-overflow.c' || echo '$(srcdir)/'`test-overflow.c
+@am__fastdepCC_TRUE@   $(AM_V_at)$(am__mv) 
$(DEPDIR)/test_overflow-test-overflow.Tpo 
$(DEPDIR)/test_overflow-test-overflow.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      $(AM_V_CC)source='test-overflow.c' 
object='test_overflow-test-overflow.o' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -c -o 
test_overflow-test-overflow.o `test -f 'test-overflow.c' || echo 
'$(srcdir)/'`test-overflow.c
+
+test_overflow-test-overflow.obj: test-overflow.c
+@am__fastdepCC_TRUE@   $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -MT 
test_overflow-test-overflow.obj -MD -MP -MF 
$(DEPDIR)/test_overflow-test-overflow.Tpo -c -o test_overflow-test-overflow.obj 
`if test -f 'test-overflow.c'; then $(CYGPATH_W) 'test-overflow.c'; else 
$(CYGPATH_W) '$(srcdir)/test-overflow.c'; fi`
+@am__fastdepCC_TRUE@   $(AM_V_at)$(am__mv) 
$(DEPDIR)/test_overflow-test-overflow.Tpo 
$(DEPDIR)/test_overflow-test-overflow.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      $(AM_V_CC)source='test-overflow.c' 
object='test_overflow-test-overflow.obj' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@      DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@  $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_overflow_CFLAGS) $(CFLAGS) -c -o 
test_overflow-test-overflow.obj `if test -f 'test-overflow.c'; then 
$(CYGPATH_W) 'test-overflow.c'; else $(CYGPATH_W) '$(srcdir)/test-overflow.c'; 
fi`
+
 mostlyclean-libtool:
        -rm -f *.lo
 
@@ -938,6 +986,13 @@ test_marshallers.log: test_marshallers$(
        $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
        --log-file $$b.log --trs-file $$b.trs \
        $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) 
-- $(LOG_COMPILE) \
+       "$$tst" $(AM_TESTS_FD_REDIRECT)
+test_overflow.log: test_overflow$(EXEEXT)
+       @p='test_overflow$(EXEEXT)'; \
+       b='test_overflow'; \
+       $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \
+       --log-file $$b.log --trs-file $$b.trs \
+       $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) 
-- $(LOG_COMPILE) \
        "$$tst" $(AM_TESTS_FD_REDIRECT)
 .test.log:
        @p='$<'; \
