Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-1.9.git;a=commitdiff;h=60bd436381ed31eefa81351471c49438ea754ffd
commit 60bd436381ed31eefa81351471c49438ea754ffd Author: kikadf <kikadf...@gmail.com> Date: Sun Jan 12 11:56:22 2014 +0100 spice-0.12.2-2arcturus1-x86_64 * Fix CVE-2013-4130.patch diff --git a/source/xlib-extra/spice/CVE-2013-4130.patch b/source/xlib-extra/spice/CVE-2013-4130.patch new file mode 100644 index 0000000..a19040c --- /dev/null +++ b/source/xlib-extra/spice/CVE-2013-4130.patch @@ -0,0 +1,52 @@ +Description: Use RING_FOREACH_SAFE in red_channel.c functions which are missing it + Currently, both red_channel_pipes_add_type() and + red_channel_pipes_add_empty_msg() use plaing RING_FOREACH() which is not + safe versus removals from the ring within the loop body. + . + Although it's rare, such a removal can occur in both cases. In the case + of red_channel_pipes_add_type() we have: + red_channel_pipes_add_type() + -> red_channel_client_pipe_add_type() + -> red_channel_client_push() + . + And in the case of red_channel_client_pipes_add_empty_msg() we have: + red_channel_client_pipes_add_empty_msg() + -> red_channel_client_pipe_add_empty_msg() + -> red_channel_client_push() + . + But red_channel_client_push() can cause a removal from the clients ring if + a network error occurs: + red_channel_client_push() + -> red_channel_client_send() + -> red_peer_handle_outgoing() + -> handler->cb->on_error callback + = red_channel_client_default_peer_on_error() + -> red_channel_client_disconnect() + -> red_channel_remove_client() + -> ring_remove() + . + When this error path does occur, the assertion in RING_FOREACH()'s + ring_next() trips, and the process containing the spice server is aborted. + i.e. your whole VM dies, as a result of an unfortunately timed network + error on the spice channel. +Origin: backport, http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d +Bug-Debian: http://bugs.debian.org/717030 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=984769 +Forwarded: not-needed +Author: David Gibson <da...@gibson.dropbear.id.au> +Author: Salvatore Bonaccorso <car...@debian.org> +Last-Update: 2014-01-03 +--- a/server/red_channel.c ++++ b/server/red_channel.c +@@ -1213,9 +1213,9 @@ + + void red_channel_pipes_add_type(RedChannel *channel, int pipe_item_type) + { +- RingItem *link; ++ RingItem *link, *next; + +- RING_FOREACH(link, &channel->clients) { ++ RING_FOREACH_SAFE(link, next, &channel->clients) { + red_channel_client_pipe_add_type( + SPICE_CONTAINEROF(link, RedChannelClient, channel_link), + pipe_item_type); diff --git a/source/xlib-extra/spice/FrugalBuild b/source/xlib-extra/spice/FrugalBuild index 5ceaf1d..4413708 100644 --- a/source/xlib-extra/spice/FrugalBuild +++ b/source/xlib-extra/spice/FrugalBuild @@ -1,9 +1,12 @@ # Compiling time: 0.47 SBU -# Maintainer: bouleetbil <bouleet...@frogdev.info> +# Maintainer: kikadf <kikadf...@gmail.com> +# Contributor: bouleetbil <bouleet...@frogdev.info> + +options+=('asneeded') pkgname=spice pkgver=0.12.2 -pkgrel=1 +pkgrel=2arcturus1 url="http://spice-space.org"; source=("http://www.spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2";) up2date="Flasttar http://www.spice-space.org/download/releases/"; @@ -22,8 +25,13 @@ subdepends=("${subdepends[@]}" "celt051 libglu libjpeg pixman cyrus-sasl libuuid subgroups=("${subgroups[@]}" 'xlib-extra') subarchs=("${subarchs[@]}" 'i686 x86_64') +# FSA fix *** +source=(${source[@]} CVE-2013-4130.patch) +sha1sums=(${sha1sums[@]} '36fbe9d347dcc1da79a962bebef9098f46547d8a') +# *********** + build() { - Fcd + Fpatchall Fconf Fsed "tests" "" server/Makefile* make || Fdie _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git
