Control: tags 983698 + patch
Control: tags 983698 + pending

Dear maintainer,
I've prepared an NMU for spice (versioned as 0.14.3-2.1) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer. The related merge request is https://salsa.debian.org/qemu-team/spice/-/merge_requests/3, and the sole reason I did it is to have more such issues fixed in bullseye if possible. On the other side, the issue would otherwise not be urgent and is definitively more in the no-dsa range for a stable release. Furthermore, I used both commits from upstream although only one would be relevant. Let me know if I should cancel it as well if you would not like to see this change in this way as proposed.

Regards,
Salvatore
diff -Nru spice-0.14.3/debian/changelog spice-0.14.3/debian/changelog --- spice-0.14.3/debian/changelog 2020-10-29 08:57:02.000000000 +0100 +++ spice-0.14.3/debian/changelog 2021-02-28 16:29:54.000000000 +0100 @@ -1,3 +1,13 @@ +spice (0.14.3-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Client initiated renegotiation denial of service (CVE-2021-20201) + (Closes: #983698) + - With OpenSSL 1.1: Disable client-initiated renegotiation + - With OpenSSL 1.0.2 and earlier: disable client-side renegotiation + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 28 Feb 2021 16:29:54 +0100 + spice (0.14.3-2) unstable; urgency=medium [ Christian Ehrhardt ] diff -Nru spice-0.14.3/debian/patches/With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch spice-0.14.3/debian/patches/With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch --- spice-0.14.3/debian/patches/With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.14.3/debian/patches/With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch 2021-02-28 16:29:54.000000000 +0100 
@@ -0,0 +1,37 @@ +From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jr...@redhat.com> +Date: Thu, 3 Dec 2020 09:33:48 +0100 +Subject: [2/2] With OpenSSL 1.0.2 and earlier: disable client-side + renegotiation. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9 +Bug: https://gitlab.freedesktop.org/spice/spice/-/issues/49 +Bug-Debian: https://bugs.debian.org/983698 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-20201 + +Fixed issue #49 +Fixes BZ#1904459 + +Signed-off-by: Julien Rop?? <jr...@redhat.com> +Reported-by: BlackKD +Acked-by: Frediano Ziglio <fzig...@redhat.com> +[Salvatore Bonaccorso: Backport to 0.14.3: Filename change] +--- + server/red-stream.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/server/red-stream.c ++++ b/server/red-stream.c +@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept + return RED_STREAM_SSL_STATUS_OK; + } + ++#ifndef SSL_OP_NO_RENEGOTIATION ++ // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation ++ stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; ++#endif ++ + ssl_error = SSL_get_error(stream->priv->ssl, return_code); + if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ || + ssl_error == SSL_ERROR_WANT_WRITE)) { diff -Nru spice-0.14.3/debian/patches/With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch spice-0.14.3/debian/patches/With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch --- spice-0.14.3/debian/patches/With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.14.3/debian/patches/With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch 2021-02-28 16:29:54.000000000 +0100 
@@ -0,0 +1,35 @@ +From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jr...@redhat.com> +Date: Wed, 2 Dec 2020 13:39:27 +0100 +Subject: [1/2] With OpenSSL 1.1: Disable client-initiated renegotiation. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749 +Bug: https://gitlab.freedesktop.org/spice/spice/-/issues/49 +Bug-Debian: https://bugs.debian.org/983698 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-20201 + +Fixes issue #49 +Fixes BZ#1904459 + +Signed-off-by: Julien Rop?? <jr...@redhat.com> +Reported-by: BlackKD +Acked-by: Frediano Ziglio <fzig...@redhat.com> +[Salvatore Bonaccorso: Backport to 0.14.3: Filename change] +--- + server/reds.cpp | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/server/reds.c ++++ b/server/reds.c +@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds + * When some other SSL/TLS version becomes obsolete, add it to this + * variable. */ + long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1; ++#ifdef SSL_OP_NO_RENEGOTIATION ++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier ++ ssl_options |= SSL_OP_NO_RENEGOTIATION; ++#endif + + /* Global system initialization*/ + openssl_global_init(); diff -Nru spice-0.14.3/debian/patches/series spice-0.14.3/debian/patches/series --- spice-0.14.3/debian/patches/series 2020-10-29 08:55:13.000000000 +0100 +++ spice-0.14.3/debian/patches/series 2021-02-28 16:29:54.000000000 +0100 @@ -3,3 +3,5 @@ CVE-2020-14355/0002-quic-Check-image-size-in-quic_decode_begin.patch CVE-2020-14355/0003-quic-Check-RLE-lengths.patch CVE-2020-14355/0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch +With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch +With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch
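Review bot: In the server/red-stream.c hunk of With-OpenSSL-1.0.2-and-earlier-disable-client-side-r.patch, the `stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;` line sits after the `return RED_STREAM_SSL_STATUS_OK;` early return visible in the context and after SSL_accept has already run (the next line is `ssl_error = SSL_get_error(stream->priv->ssl, return_code);`), so on a connection where SSL_accept succeeds on the first call the flag is never set; setting it once, before the first SSL_accept call (right after the SSL object is created), would cover every path. The direct write to `s3->flags` reaches into an OpenSSL structure that became opaque in 1.1, which is exactly why the `#ifndef SSL_OP_NO_RENEGOTIATION` guard is load-bearing; the comment should say so, and its typo "renogotiation" should read "renegotiation". The diffstat still lists `server/red-stream.cpp` while the hunk applies to `server/red-stream.c`; the backport's "Filename change" note suggests updating the diffstat too.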
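Review bot: In the server/reds.c hunk of With-OpenSSL-1.1-Disable-client-initiated-renegotiat.patch, the `#ifdef SSL_OP_NO_RENEGOTIATION` guard makes the change a silent no-op on an OpenSSL without that macro, so the two patches only give full coverage together; a one-line comment pointing at the companion red-stream.c change would help the next reader, and it is worth confirming that `ssl_options` is actually handed to SSL_CTX_set_options later in reds_init_ssl, which the hunk context does not show. The comment "Disable all renegotiation in TLSv1.2 and earlier" is accurate, since TLS 1.3 has no renegotiation. As in the other patch, the diffstat names `server/reds.cpp` while the hunk targets `server/reds.c`.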
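Review bot: In the debian/patches/series hunk, the two new patches are added at the top level while the existing fixes are grouped under a CVE-2020-14355/ directory; for consistency they could live under a CVE-2021-20201/ directory with matching paths in series. The ordering (the OpenSSL 1.1 patch before the 1.0.2 one) matches the [1/2] and [2/2] subjects, so nothing else needs changing there.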