Diffstat (limited to 'recipes-support/spice')
-rw-r--r-- | recipes-support/spice/files/spice-fix-CVE-2013-4282.patch | 100 | ||||
-rw-r--r-- | recipes-support/spice/spice_git.bb | 63 |
2 files changed, 163 insertions, 0 deletions
diff --git a/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
new file mode 100644
index 00000000..1a00a851
--- /dev/null
+++ b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
@@ -0,0 +1,100 @@
+Fix buffer overflow when decrypting client SPICE ticket
+
+commit 8af619009660b24e0b41ad26b30289eea288fcc2 upstream
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+diff --git a/server/reds.c b/server/reds.c
+index 30d0652..6f262b0 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1931,39 +1931,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+- char password[SPICE_MAX_PASSWORD_LENGTH];
++ char *password;
+ time_t ltime;
++ int password_size;
+
+ //todo: use monotonic time
+ time(<ime);
+- RSA_private_decrypt(link->tiTicketing.rsa_size,
+- link->tiTicketing.encrypted_ticket.encrypted_data,
+- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++ "SPICE ticket sent from client may be truncated",
++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++ }
++
++ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++ link->tiTicketing.encrypted_ticket.encrypted_data,
++ (unsigned char *)password,
++ link->tiTicketing.rsa,
++ RSA_PKCS1_OAEP_PADDING);
++ if (password_size == -1) {
++ spice_warning("failed to decrypt RSA encrypted password: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++ goto error;
++ }
++ password[password_size] = '\0';
+
+ if (ticketing_enabled && !link->skip_auth) {
+ int expired = taTicket.expiration_time < ltime;
+
+ if (strlen(taTicket.password) == 0) {
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning("Ticketing is enabled, but no password is set. "
+- "please set a ticket first");
+- reds_link_free(link);
+- return;
++ "please set a ticket first");
++ goto error;
+ }
+
+- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++ if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning("Ticket has expired");
+ } else {
+ spice_warning("Invalid password");
+ }
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+- reds_link_free(link);
+- return;
++ goto error;
+ }
+ }
+
+ reds_handle_link(link);
++ goto end;
++
++error:
++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++ reds_link_free(link);
++
++end:
++ g_free(password);
+ }
+
+ static inline void async_read_clear_handlers(AsyncRead *obj)
diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb
new file mode 100644
index 00000000..900259aa
--- /dev/null
+++ b/recipes-support/spice/spice_git.bb
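Review bot: The new patch file carries no `Upstream-Status:` or `Signed-off-by:` header, which the OpenEmbedded patch guidelines expect for patches shipped in a recipe; since the description already names the upstream commit, a line such as `Upstream-Status: Backport [8af619009660b24e0b41ad26b30289eea288fcc2]` above the subject would record provenance for anyone later rebasing the recipe. In the backported `reds_handle_ticket`, the decrypted ticket in `password` is released with a plain `g_free(password)` at the `end:` label without being cleared first, so the plaintext secret may linger in freed heap memory; if this backport is ever extended locally, clearing the buffer (for example with `memset` followed by `g_free`, or a compiler-proof equivalent) before freeing is worth considering. The `time(<ime);` seen in this listing is most likely a rendering artifact of `time(&ltime);`, and the `spice_warning("Ticketing is enabled, but no password is set. "` context line appears split across two lines for the same reason; it is worth confirming that the stored patch file has the original text, since `patch` would otherwise reject the context.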
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2013 Wind River Systems, Inc.
+#
+
+SUMMARY = "Simple Protocol for Independent Computing Environments"
+DESCRIPTION = "SPICE (the Simple Protocol for Independent Computing \
+Environments) is a remote-display system built for virtual \
+environments which allows users to view a computing 'desktop' \
+environment - not only on its computer-server machine, but also from \
+anywhere on the Internet and using a wide variety of machine \
+architectures."
+
+LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+PR = "r0"
+PV = "0.12.4"
+
+# Actual versions based on the checkouts below
+# spice = "0.12.4"
+# common = "0.12.6"
+# protocol = "0.12.6"
+SRCREV_spice = "b270fb010a3ddb432dfe6b15e4bdffa6ac086cd0"
+SRCREV_spice-common = "fe93908238196bd632287fc9875e6f2e11105d04"
+SRCREV_spice-protocol = "784407f248e7f99d2bfcc9368f9acd1efb2b9617"
+
+SRC_URI = "git://anongit.freedesktop.org/spice/spice;name=spice \
+ git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/spice-common;name=spice-common \
+ git://anongit.freedesktop.org/spice/spice-protocol;destsuffix=git/spice-common/spice-protocol;name=spice-protocol \
+ "
+
+SRC_URI += "file://spice-fix-CVE-2013-4282.patch"
+
+S = "${WORKDIR}/git"
+
+inherit autotools gettext pythonnative python-dir pkgconfig
+
+DEPENDS += "python-native celt051 python-pyparsing jpeg pixman alsa-lib glib-2.0"
+
+EXTRA_OECONF_append = " -Wnone"
+EXTRA_AUTORECONF_append = " -Wnone"
+
+export PYTHON="${STAGING_BINDIR_NATIVE}/python-native/python"
+export PYTHONPATH="${PKG_CONFIG_SYSROOT_DIR}${libdir}/python2.7/site-packages"
+
+PACKAGECONFIG ?= "sasl"
+
+PACKAGECONFIG[smartcard] = "--enable-smartcard,--disable-smartcard,libcacard,"
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl,"
+PACKAGECONFIG[client] = "--enable-client,--disable-client,,"
+PACKAGECONFIG[gui] = "--enable-gui,--disable-gui,,"
+PACKAGECONFIG[opengl] = "--enable-opengl,--disable-opengl,,"
+
+PACKAGES =+ "${PN}-protocol"
+LICENSE_${PN}-protocol = "BSD"
+FILES_${PN}-protocol += "${includedir}/spice-1"
+FILES_${PN}-protocol += "${datadir}/pkgconfig"
+
+do_install_append() {
+ cd ${S}/spice-common/spice-protocol
+ oe_runmake DESTDIR="${D}" install
+ cd -
+} |
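Review bot: `LICENSE_${PN}-protocol = "BSD"` declares a second license for the protocol sub-package, but `LIC_FILES_CHKSUM` only pins the top-level `COPYING` for the LGPLv2.1+ server; the license text inside the spice-protocol checkout should be pinned as well, e.g. `LIC_FILES_CHKSUM += "file://spice-common/spice-protocol/<license-file>;md5=<md5-of-that-file>"`, so that a license change in that sub-checkout is caught at fetch time rather than silently packaged. `PV = "0.12.4"` on a `_git.bb` recipe hides the SRCREV from the package version; the usual form is `PV = "0.12.4+git${SRCPV}"` so a SRCREV bump produces a new package version. The three `git://` fetches use an unauthenticated transport, but each is pinned to a full-commit `SRCREV`, which fixes the fetched content by hash; keep the pins exact rather than moving to a branch name, since `SRCREV = "${AUTOREV}"` would remove that guarantee.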