Control: tags 906315 + pending

Dear maintainer,

I've prepared an NMU for spice (versioned as 0.14.0-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog
--- spice-0.14.0/debian/changelog	2017-10-19 08:35:54.000000000 +0200
+++ spice-0.14.0/debian/changelog	2018-09-15 09:15:28.000000000 +0200
@@ -1,3 +1,10 @@
+spice (0.14.0-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906315)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 15 Sep 2018 09:15:28 +0200
+
 spice (0.14.0-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch
--- spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.14.0/debian/patches/Fix-flexible-array-buffer-overflow.patch	2018-09-15 09:15:28.000000000 +0200
@@ -0,0 +1,68 @@
+From: Frediano Ziglio <fzig...@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: Fix flexible array buffer overflow
+Origin: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873
+Bug-Debian: https://bugs.debian.org/906315
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+    message {
+        uint32 dummy[2];
+        uint8 data[] @end;
+    } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+    { /* data */
+        data__nelements = message_end - (start + 8);
+
+        data__nw_size = data__nelements;
+    }
+
+    nw_size = 8 + data__nw_size;
+
+    /* Check if message fits in reported side */
+    if (nw_size > (uintptr_t) (message_end - start)) {
+        return NULL;
+    }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+  8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+  nw_size == message_end - start so the check is doing
+  ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Signed-off-by: Frediano Ziglio <fzig...@redhat.com>
+Signed-off-by: Christophe Fergeau <cferg...@redhat.com>
+[Salvatore Bonaccorso: Drop generated diff from commit messages causing
+ problem when applying with quilt. Remove addition to testsuite]
+---
+
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co
+         writer.assign(nelements, array.size)
+     elif array.is_remaining_length():
+         if element_type.is_fixed_nw_size():
++            writer.error_check("%s > message_end" % item.get_position())
+             if element_type.get_fixed_nw_size() == 1:
+                 writer.assign(nelements, "message_end - %s" % item.get_position())
+             else:
diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series
--- spice-0.14.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.14.0/debian/patches/series	2018-09-15 09:15:28.000000000 +0200
@@ -0,0 +1 @@
+Fix-flexible-array-buffer-overflow.patch

Reply via email to