Bug#801089: spice: diff for NMU version 0.12.5-1.3

2015-10-08 Thread Salvatore Bonaccorso
Hey!

On Thu, Oct 08, 2015 at 01:54:14PM +0800, Liang Guo wrote:
> On Thu, Oct 8, 2015 at 12:18 AM, Salvatore Bonaccorso  
> wrote:
> > tags 801089 + patch pending
> > tags 801091 + patch pending
> > thanks
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should delay it longer.
> >
> > Regards,
> > Salvatore
> 
> Please upload to ftp-master NOW.

Thanks for confirming, so have uploaded to unstable.

> btw, would you like to co-maintain, or take over spice?

I guess I would take too much on my plate if I do so, so thus "no
cannot" ... sorry! :(

Regards,
Salvatore



Bug#801089: spice: diff for NMU version 0.12.5-1.3

2015-10-07 Thread Liang Guo
On Thu, Oct 8, 2015 at 12:18 AM, Salvatore Bonaccorso  wrote:
> tags 801089 + patch pending
> tags 801091 + patch pending
> thanks
>
> Dear maintainer,
>
> I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
>
> Regards,
> Salvatore

Please upload to ftp-master NOW.

btw, would you like to co-maintain, or take over spice?

Thanks,
-- 
Liang Guo
http://guoliang.me/



Bug#801089: spice: diff for NMU version 0.12.5-1.3

2015-10-07 Thread Salvatore Bonaccorso
tags 801089 + patch pending
tags 801091 + patch pending
thanks

Dear maintainer,

I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru spice-0.12.5/debian/changelog spice-0.12.5/debian/changelog
--- spice-0.12.5/debian/changelog	2015-09-05 05:52:55.0 +0200
+++ spice-0.12.5/debian/changelog	2015-10-07 18:06:10.0 +0200
@@ -1,3 +1,14 @@
+spice (0.12.5-1.3) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add series of patches for CVE-2015-5260 and CVE-2015-6261.
+CVE-2015-5260: insufficient validation of surface_id parameter can cause
+crash. (Closes: #801089)
+CVE-2015-5261: host memory access from guest using crafted images.
+(Closes: #801091)
+
+ -- Salvatore Bonaccorso   Wed, 07 Oct 2015 07:23:38 +0200
+
 spice (0.12.5-1.2) unstable; urgency=high
 
   * Non-maintainer upload.
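Review bot: the summary bullet in the new changelog entry names CVE-2015-6261, while the detail line two lines below, the patch directory name (CVE-2015-5260_CVE-2015-5261) and the bug reference all say CVE-2015-5261; change the bullet to `* Add series of patches for CVE-2015-5260 and CVE-2015-5261.` so the changelog entry matches the patches it describes.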
diff -Nru spice-0.12.5/debian/patches/CVE-2015-5260_CVE-2015-5261/0001-worker-validate-correctly-surfaces.patch spice-0.12.5/debian/patches/CVE-2015-5260_CVE-2015-5261/0001-worker-validate-correctly-surfaces.patch
--- spice-0.12.5/debian/patches/CVE-2015-5260_CVE-2015-5261/0001-worker-validate-correctly-surfaces.patch	1970-01-01 01:00:00.0 +0100
+++ spice-0.12.5/debian/patches/CVE-2015-5260_CVE-2015-5261/0001-worker-validate-correctly-surfaces.patch	2015-10-07 18:06:10.0 +0200
@@ -0,0 +1,117 @@
+From dd558bb833254fb49069eca052b92ae1abe3e8ff Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio 
+Date: Wed, 9 Sep 2015 12:42:09 +0100
+Subject: [PATCH 01/19] worker: validate correctly surfaces
+
+Do not just give warning and continue to use an invalid index into
+an array.
+
+Resolves: CVE-2015-5260
+
+Signed-off-by: Frediano Ziglio 
+Acked-by: Christophe Fergeau 
+---
+ server/red_worker.c | 33 ++---
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+--- a/server/red_worker.c
 b/server/red_worker.c
+@@ -1036,6 +1036,7 @@ typedef struct BitmapData {
+ SpiceRect lossy_rect;
+ } BitmapData;
+ 
++static inline int validate_surface(RedWorker *worker, uint32_t surface_id);
+ static void red_draw_qxl_drawable(RedWorker *worker, Drawable *drawable);
+ static void red_current_flush(RedWorker *worker, int surface_id);
+ #ifdef DRAW_ALL
+@@ -1245,14 +1246,12 @@ static inline int is_primary_surface(Red
+ return FALSE;
+ }
+ 
+-static inline void __validate_surface(RedWorker *worker, uint32_t surface_id)
+-{
+-spice_warn_if(surface_id >= worker->n_surfaces);
+-}
+-
+ static inline int validate_surface(RedWorker *worker, uint32_t surface_id)
+ {
+-spice_warn_if(surface_id >= worker->n_surfaces);
++if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) {
++spice_warning("invalid surface_id %u", surface_id);
++return 0;
++}
+ if (!worker->surfaces[surface_id].context.canvas) {
+ spice_warning("canvas address is %p for %d (and is NULL)\n",
+&(worker->surfaces[surface_id].context.canvas), surface_id);
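Review bot: the new early `return 0` in validate_surface is the actual fix: the old `spice_warn_if` only logged and then fell through to `worker->surfaces[surface_id]`, so an out-of-range id was still used as an array index, which is the invalid index the patch description refers to. Two small points: `if SPICE_UNLIKELY(...)` relies on the macro expanding to a parenthesised expression, so `if (SPICE_UNLIKELY(...))` is the safer and more readable form; and removing `__validate_surface` only compiles once its remaining caller in red_process_surface is converted, so this hunk and that one must not be split.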
+@@ -4230,12 +4229,14 @@ static inline void red_create_surface(Re
+ static inline void red_process_surface(RedWorker *worker, RedSurfaceCmd *surface,
+uint32_t group_id, int loadvm)
+ {
+-int surface_id;
++uint32_t surface_id;
+ RedSurface *red_surface;
+ uint8_t *data;
+ 
+ surface_id = surface->surface_id;
+-__validate_surface(worker, surface_id);
++if SPICE_UNLIKELY(surface_id >= worker->n_surfaces) {
++goto exit;
++}
+ 
+ red_surface = >surfaces[surface_id];
+ 
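Review bot: the out-of-range branch in red_process_surface jumps to `exit` silently, whereas validate_surface logs `invalid surface_id %u`; adding the same spice_warning here would make a command carrying a bad surface_id visible in the server log instead of being dropped without trace. The change from `int` to `uint32_t` for `surface_id` is correct, since it matches the `>= worker->n_surfaces` comparison and removes the signed/unsigned mix. Note that the `red_surface =` line is mangled in this rendering (the `&worker-` part of `&worker->surfaces[surface_id]` is missing), so compare against the upstream commit rather than this copy.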
+@@ -4271,6 +4272,7 @@ static inline void red_process_surface(R
+ default:
+ spice_error("unknown surface command");
+ };
++exit:
+ red_put_surface_cmd(surface);
+ free(surface);
+ }
+@@ -10865,7 +10867,7 @@ void handle_dev_update(void *opaque, voi
+ {
+ RedWorker *worker = opaque;
+ RedWorkerMessageUpdate *msg = payload;
+-SpiceRect *rect = spice_new0(SpiceRect, 1);
++SpiceRect *rect;
+ RedSurface *surface;
+ uint32_t surface_id = msg->surface_id;
+ const QXLRect *qxl_area = msg->qxl_area;
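Review bot: keep this hunk and the next one together: `rect` is no longer allocated at its declaration because the VALIDATE_SURFACE_RET early return inserted below would otherwise leak the `spice_new0` allocation on the invalid-surface path. Backporting only one of the two hunks would either leak or use an uninitialised pointer.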
+@@ -10873,17 +10875,16 @@ void handle_dev_update(void *opaque, voi
+ QXLRect *qxl_dirty_rects = msg->qxl_dirty_rects;
+ uint32_t clear_dirty_region = msg->clear_dirty_region;
+ 
++VALIDATE_SURFACE_RET(worker, surface_id);
++
++rect = spice_new0(SpiceRect, 1);
+ surface = >surfaces[surface_id];
+ red_get_rect_ptr(rect, qxl_area);
+ flush_display_commands(worker);
+ 
+ spice_assert(worker->running);
+ 
+-if (validate_surface(worker, surface_id)) {
+-red_update_area(worker, rect, surface_id);
+-} else {
+-rendering_incorrect(__func__);
+-}
++red_update_area(worker, rect, surface_id);
+ free(rect);
+ 
+ surface_dirty_region_to_rects(surface,
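Review bot: VALIDATE_SURFACE_RET is not defined in any visible hunk and the diffstat lists only red_worker.c, so it must already exist in that file; confirm it returns from handle_dev_update when validate_surface fails, because the old `else { rendering_incorrect(__func__); }` fallback is dropped and the only remaining guard is that macro. The ordering is now right: `surface = &worker->surfaces[surface_id]` is computed only after the check, whereas the old code indexed the array first and validated afterwards. The hunk is cut off after `surface_dirty_region_to_rects(surface,`, so the rest of it could not be reviewed here.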