Control: tags 906315 + pending
Dear maintainer, I've prepared an NMU for spice (versioned as 0.14.0-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog --- spice-0.14.0/debian/changelog 2017-10-19 08:35:54.000000000 +0200 +++ spice-0.14.0/debian/changelog 2018-09-15 09:15:28.000000000 +0200 @@ -1,3 +1,10 @@ +spice (0.14.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906315) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 15 Sep 2018 09:15:28 +0200 + spice (0.14.0-1) unstable; urgency=medium * New upstream release diff -Nru spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch --- spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch 2018-09-15 09:15:28.000000000 +0200 @@ -0,0 +1,68 @@ +From: Frediano Ziglio <fzig...@redhat.com> +Date: Fri, 18 May 2018 11:41:57 +0100 +Subject: Fix flexible array buffer overflow +Origin: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873 +Bug-Debian: https://bugs.debian.org/906315 + +This is kind of a DoS, possibly flexible array in the protocol +causes the network size check to be ignored due to integer overflows. + +The size of flexible array is computed as (message_end - position), +then this size is added to the number of bytes before the array and +this number is used to check if we overflow initial message. + +An example is: + + message { + uint32 dummy[2]; + uint8 data[] @end; + } LenMessage; + +which generated this (simplified remove useless code) code: + + { /* data */ + data__nelements = message_end - (start + 8); + + data__nw_size = data__nelements; + } + + nw_size = 8 + data__nw_size; + + /* Check if message fits in reported side */ + if (nw_size > (uintptr_t) (message_end - start)) { + return NULL; + } + +Following code: +- data__nelements == message_end - (start + 8) +- data__nw_size == data__nelements == message_end - (start + 8) +- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) == + 8 + message_end - start - 8 == message_end -start +- the check for overflow is (nw_size > (message_end - start)) but + nw_size == message_end - start so the check is doing + ((message_end - start) > (message_end - start)) which is always false. + +If message_end - start < 8 then data__nelements (number of element +on the array above) computation generate an integer underflow that +later create a buffer overflow. + +Add a check to make sure that the array starts before the message ends +to avoid the overflow. + +Signed-off-by: Frediano Ziglio <fzig...@redhat.com> +Signed-off-by: Christophe Fergeau <cferg...@redhat.com> +[Salvatore Bonaccorso: Drop generated diff from commit messages causing + problem when applying with quilt. Remove addition to testsuite] +--- + +--- a/spice-common/python_modules/demarshal.py ++++ b/spice-common/python_modules/demarshal.py +@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co + writer.assign(nelements, array.size) + elif array.is_remaining_length(): + if element_type.is_fixed_nw_size(): ++ writer.error_check("%s > message_end" % item.get_position()) + if element_type.get_fixed_nw_size() == 1: + writer.assign(nelements, "message_end - %s" % item.get_position()) + else: diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series --- spice-0.14.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ spice-0.14.0/debian/patches/series 2018-09-15 09:15:28.000000000 +0200 @@ -0,0 +1 @@ +Fix-flexible-array-buffer-overflow.patch