Hello community,

here is the log from the commit of package spice-gtk for openSUSE:Factory 
checked in at 2018-08-28 09:21:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/spice-gtk (Old)
 and      /work/SRC/openSUSE:Factory/.spice-gtk.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "spice-gtk"

Tue Aug 28 09:21:29 2018 rev:39 rq:630532 version:0.35

Changes:
--------
--- /work/SRC/openSUSE:Factory/spice-gtk/spice-gtk.changes      2018-08-07 
09:39:27.392931439 +0200
+++ /work/SRC/openSUSE:Factory/.spice-gtk.new/spice-gtk.changes 2018-08-28 
09:21:33.760288613 +0200
@@ -1,0 +2,8 @@
+Mon Aug 20 10:05:54 UTC 2018 - cbosdon...@suse.com
+
+- Fix potential heap corruption when demarshalling (CVE-2018-10873,
+  bsc#1104448)
+  Added patch:
+    bb15d481-Fix-flexible-array-buffer-overflow.patch
+
+-------------------------------------------------------------------
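Review bot: the changelog entry records only the CVE-2018-10873 patch, but the spec diff in the same request also adds `export PYTHON=/usr/bin/python3` to %build and makes the mode of spice-client-glib-usb-acl-helper conditional on `0%{?suse_version} >= 1500`; add a line for each of those so the .changes entry matches what the spec actually changes.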

New:
----
  bb15d481-Fix-flexible-array-buffer-overflow.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ spice-gtk.spec ++++++
--- /var/tmp/diff_new_pack.agpi8j/_old  2018-08-28 09:21:34.272290210 +0200
+++ /var/tmp/diff_new_pack.agpi8j/_new  2018-08-28 09:21:34.276290222 +0200
@@ -32,6 +32,8 @@
 # PATCH-FIX-UPSTREAM - CVE-2018-10893
 Patch1:         0001-lz-Avoid-buffer-reading-overflow-checking-for-image-.patch
 Patch2:         0002-lz-More-checks-on-image-sizes.patch
+# PATCH-FIX-UPSTREAM - CVE-2018-10873
+Patch3:         bb15d481-Fix-flexible-array-buffer-overflow.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  cyrus-sasl-devel
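Review bot: the `# PATCH-FIX-UPSTREAM - CVE-2018-10873` comment on Patch3 should also cite bsc#1104448, as the .changes entry does, so the spec alone is enough to trace why the patch is carried; the other two PATCH-FIX-UPSTREAM comments follow the same minimal pattern, so this is a style point for all three.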
@@ -138,11 +140,13 @@
 pushd spice-common
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 popd
 
 %build
 autoreconf -fi
 
+export PYTHON=/usr/bin/python3
 %configure \
     --disable-static \
     --enable-vala \
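Review bot: `export PYTHON=/usr/bin/python3` pins the interpreter that the spice-common code generator (the python_modules/ tree the patch touches) runs with, which only works if the spec carries a BuildRequires on python3; that line is not visible in this hunk, so confirm it exists. `%patch3 -p1` is correctly placed inside the `pushd spice-common` block, since the patch modifies python_modules/demarshal.py in the submodule.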
@@ -182,7 +186,11 @@
 %{_libdir}/libspice-client-glib-2.0.so.*
 
 %files -n libspice-client-glib-helper
+%if 0%{?suse_version} >= 1500
 %verify(not mode) %attr(4750,root,kvm) 
%{_bindir}/spice-client-glib-usb-acl-helper
+%else
+%attr(755,root,root) %{_bindir}/spice-client-glib-usb-acl-helper
+%endif
 %{_datadir}/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy
 
 %files -n libspice-client-gtk-3_0-5
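Review bot: the `%else` branch installs spice-client-glib-usb-acl-helper as `%attr(755,root,root)`, dropping the setuid bit that the `>= 1500` branch keeps with `%attr(4750,root,kvm)`, so on releases before 1500 the helper no longer runs with elevated privilege and its polkit-gated USB access path will behave differently; if that is the intent (a less privileged helper on older releases), say so in the changelog, otherwise the older-release branch should keep the 4750 mode. Note also that the `%verify(not mode) %attr(4750,root,kvm)` line and its `%{_bindir}/spice-client-glib-usb-acl-helper` path are one spec line wrapped by the mail, not two entries.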

++++++ bb15d481-Fix-flexible-array-buffer-overflow.patch ++++++
From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <fzig...@redhat.com>
Date: Fri, 18 May 2018 11:41:57 +0100
Subject: [PATCH] Fix flexible array buffer overflow

This is a kind of DoS; possibly a flexible array in the protocol
causes the network size check to be ignored due to integer overflows.

The size of flexible array is computed as (message_end - position),
then this size is added to the number of bytes before the array and
this number is used to check if we overflow initial message.

An example is:

    message {
        uint32 dummy[2];
        uint8 data[] @end;
    } LenMessage;

which generated this code (simplified, useless code removed):

    { /* data */
        data__nelements = message_end - (start + 8);

        data__nw_size = data__nelements;
    }

    nw_size = 8 + data__nw_size;

    /* Check if message fits in reported side */
    if (nw_size > (uintptr_t) (message_end - start)) {
        return NULL;
    }

Following code:
- data__nelements == message_end - (start + 8)
- data__nw_size == data__nelements == message_end - (start + 8)
- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
  8 + message_end - start - 8 == message_end - start
- the check for overflow is (nw_size > (message_end - start)) but
  nw_size == message_end - start so the check is doing
  ((message_end - start) > (message_end - start)) which is always false.

If message_end - start < 8 then the data__nelements (number of elements
in the array above) computation generates an integer underflow that
later creates a buffer overflow.

Add a check to make sure that the array starts before the message ends
to avoid the overflow.

Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
Signed-off-by: Christophe Fergeau <cferg...@redhat.com>
---
 python_modules/demarshal.py  | 1 +
 tests/test-marshallers.c     | 8 ++++++++
 tests/test-marshallers.h     | 5 +++++
 tests/test-marshallers.proto | 5 +++++
 4 files changed, 19 insertions(+)

diff --git a/python_modules/demarshal.py b/python_modules/demarshal.py
index 7b53361..5a237a6 100644
--- a/python_modules/demarshal.py
+++ b/python_modules/demarshal.py
@@ -331,6 +331,7 @@ def write_validate_array_item(writer, container, item, 
scope, parent_scope, star
         writer.assign(nelements, array.size)
     elif array.is_remaining_length():
         if element_type.is_fixed_nw_size():
+            writer.error_check("%s > message_end" % item.get_position())
             if element_type.get_fixed_nw_size() == 1:
                 writer.assign(nelements, "message_end - %s" % 
item.get_position())
             else:
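Review bot: the guard `writer.error_check("%s > message_end" % item.get_position())` is emitted only inside the `element_type.is_fixed_nw_size()` branch; the `else:` branch that follows (cut off here) also sizes a remaining-length array from message_end and should be checked for the same underflow when the message is shorter than the bytes preceding the array. The diffstat lists tests/test-marshallers.{c,h,proto} with 18 added lines that are not included in this mail, so the regression test cannot be reviewed from what is shown.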
-- 
2.18.0
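As an added illustration of the arithmetic the commit message walks through (example code written for this page, not spice-gtk or spice-common code), the two checks below transcribe the generated demarshaller logic for the LenMessage example, once as it was before the patch and once with the guard the patch adds. Addresses are handled as uintptr_t so the short-message case can be computed without undefined pointer arithmetic. The names check_old, check_new, run_check and HEADER_SIZE, and the 64-byte wire buffer, are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the two uint32 fields that precede data[] in LenMessage. */
#define HEADER_SIZE ((uintptr_t)8)

/* Constructed wire buffer; a message of `len` bytes occupies its first `len` bytes. */
static uint8_t wire[64];

/* Pre-fix logic, transcribed from the generated code quoted in the commit
 * message. Returns true when the message is accepted; *nelements receives
 * the computed length of data[]. */
static bool check_old(uintptr_t start, uintptr_t message_end, uintptr_t *nelements)
{
    /* If message_end - start < 8 this subtraction wraps to a huge value. */
    uintptr_t data__nelements = message_end - (start + HEADER_SIZE);
    uintptr_t data__nw_size = data__nelements;
    /* 8 + (message_end - start - 8) == message_end - start, always. */
    uintptr_t nw_size = HEADER_SIZE + data__nw_size;

    /* "Check if message fits in reported size": can never be true here. */
    if (nw_size > message_end - start)
        return false;
    *nelements = data__nelements;
    return true;
}

/* Post-fix logic: the guard that writer.error_check() now emits, evaluated
 * before the subtraction that would otherwise underflow. */
static bool check_new(uintptr_t start, uintptr_t message_end, uintptr_t *nelements)
{
    if (start + HEADER_SIZE > message_end)   /* the check added by the patch */
        return false;
    return check_old(start, message_end, nelements);
}

/* Run one of the two checks over a constructed message of `len` bytes
 * (clamped to the buffer). Returns 1 if accepted, 0 if rejected; the
 * computed data[] length is stored in *nelements (0 when rejected). */
static int run_check(bool fixed, size_t len, uintptr_t *nelements)
{
    if (len > sizeof wire)
        len = sizeof wire;
    uintptr_t start = (uintptr_t)wire;
    uintptr_t message_end = start + len;
    *nelements = 0;
    bool ok = fixed ? check_new(start, message_end, nelements)
                    : check_old(start, message_end, nelements);
    return ok ? 1 : 0;
}

/* Small wrappers so each outcome can be checked by name. */
int old_accepts(size_t len)         { uintptr_t n; return run_check(false, len, &n); }
int new_accepts(size_t len)         { uintptr_t n; return run_check(true, len, &n); }
uintptr_t old_nelements(size_t len) { uintptr_t n; run_check(false, len, &n); return n; }
uintptr_t new_nelements(size_t len) { uintptr_t n; run_check(true, len, &n); return n; }

int main(void)
{
    /* Constructed message lengths: shorter than, equal to and longer than the header. */
    size_t lens[] = { 0, 4, 8, 20 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t len = lens[i];
        printf("len=%2zu  old: accept=%d nelements=%#lx  new: accept=%d nelements=%#lx\n",
               len, old_accepts(len), (unsigned long)old_nelements(len),
               new_accepts(len), (unsigned long)new_nelements(len));
    }
    return 0;
}
```

For a 4-byte message the pre-fix path accepts it and reports a data[] length of UINTPTR_MAX - 3, which is the count a subsequent copy would trust; the post-fix path rejects the message before the subtraction. For messages of 8 bytes or more both paths agree, which is why the guard is a pure tightening with no change to valid traffic.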

