Diffstat (limited to 'recipes-support/spice')
-rw-r--r--recipes-support/spice/files/spice-fix-CVE-2013-4282.patch100
-rw-r--r--recipes-support/spice/spice_git.bb63
2 files changed, 163 insertions, 0 deletions
diff --git a/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
new file mode 100644
index 00000000..1a00a851
--- /dev/null
+++ b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
@@ -0,0 +1,100 @@
+Fix buffer overflow when decrypting client SPICE ticket
+
+commit 8af619009660b24e0b41ad26b30289eea288fcc2 upstream
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+diff --git a/server/reds.c b/server/reds.c
+index 30d0652..6f262b0 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1931,39 +1931,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+- char password[SPICE_MAX_PASSWORD_LENGTH];
++ char *password;
+ time_t ltime;
++ int password_size;
+
+ //todo: use monotonic time
+ time(&ltime);
+- RSA_private_decrypt(link->tiTicketing.rsa_size,
+- link->tiTicketing.encrypted_ticket.encrypted_data,
+- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++ "SPICE ticket sent from client may be truncated",
++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++ }
++
++ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++ link->tiTicketing.encrypted_ticket.encrypted_data,
++ (unsigned char *)password,
++ link->tiTicketing.rsa,
++ RSA_PKCS1_OAEP_PADDING);
++ if (password_size == -1) {
++ spice_warning("failed to decrypt RSA encrypted password: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++ goto error;
++ }
++ password[password_size] = '\0';
+
+ if (ticketing_enabled && !link->skip_auth) {
+ int expired = taTicket.expiration_time < ltime;
+
+ if (strlen(taTicket.password) == 0) {
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning("Ticketing is enabled, but no password is set. "
+- "please set a ticket first");
+- reds_link_free(link);
+- return;
++ "please set a ticket first");
++ goto error;
+ }
+
+- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++ if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning("Ticket has expired");
+ } else {
+ spice_warning("Invalid password");
+ }
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+- reds_link_free(link);
+- return;
++ goto error;
+ }
+ }
+
+ reds_handle_link(link);
++ goto end;
++
++error:
++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++ reds_link_free(link);
++
++end:
++ g_free(password);
+ }
+
+ static inline void async_read_clear_handlers(AsyncRead *obj)
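Review bot: The decrypted ticket in `password` is released with a plain `g_free(password)` at the `end:` label, so the plaintext password lingers in freed heap memory until that chunk is reused; since the buffer is exactly `RSA_size(link->tiTicketing.rsa) + 1` bytes, it can be scrubbed first with `OPENSSL_cleanse(password, RSA_size(link->tiTicketing.rsa) + 1);` (the file already calls RSA_* and ERR_* from OpenSSL, so no new dependency) before the free. The patch header records the upstream commit id but carries no `Upstream-Status: Backport` line or `Signed-off-by:` trailer, which the OE patch conventions expect and which makes it clear the file can be dropped once the recipe moves to a release containing 8af6190. The `strcmp` against `taTicket.password` on the new line is not a constant-time comparison, but that matches the upstream fix and is arguably out of scope for a backport. The body of reds_handle_ticket is shown in full here, while the enclosing reds.c context continues outside this patch file.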
diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb
new file mode 100644
index 00000000..900259aa
--- /dev/null
+++ b/recipes-support/spice/spice_git.bb
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2013 Wind River Systems, Inc.
+#
+
+SUMMARY = "Simple Protocol for Independent Computing Environments"
+DESCRIPTION = "SPICE (the Simple Protocol for Independent Computing \
+Environments) is a remote-display system built for virtual \
+environments which allows users to view a computing 'desktop' \
+environment - not only on its computer-server machine, but also from \
+anywhere on the Internet and using a wide variety of machine \
+architectures."
+
+LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+PR = "r0"
+PV = "0.12.4"
+
+# Actual versions based on the checkouts below
+# spice = "0.12.4"
+# common = "0.12.6"
+# protocol = "0.12.6"
+SRCREV_spice = "b270fb010a3ddb432dfe6b15e4bdffa6ac086cd0"
+SRCREV_spice-common = "fe93908238196bd632287fc9875e6f2e11105d04"
+SRCREV_spice-protocol = "784407f248e7f99d2bfcc9368f9acd1efb2b9617"
+
+SRC_URI = "git://anongit.freedesktop.org/spice/spice;name=spice \
+ git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/spice-common;name=spice-common \
+ git://anongit.freedesktop.org/spice/spice-protocol;destsuffix=git/spice-common/spice-protocol;name=spice-protocol \
+ "
+
+SRC_URI += "file://spice-fix-CVE-2013-4282.patch"
+
+S = "${WORKDIR}/git"
+
+inherit autotools gettext pythonnative python-dir pkgconfig
+
+DEPENDS += "python-native celt051 python-pyparsing jpeg pixman alsa-lib glib-2.0"
+
+EXTRA_OECONF_append = " -Wnone"
+EXTRA_AUTORECONF_append = " -Wnone"
+
+export PYTHON="${STAGING_BINDIR_NATIVE}/python-native/python"
+export PYTHONPATH="${PKG_CONFIG_SYSROOT_DIR}${libdir}/python2.7/site-packages"
+
+PACKAGECONFIG ?= "sasl"
+
+PACKAGECONFIG[smartcard] = "--enable-smartcard,--disable-smartcard,libcacard,"
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl,"
+PACKAGECONFIG[client] = "--enable-client,--disable-client,,"
+PACKAGECONFIG[gui] = "--enable-gui,--disable-gui,,"
+PACKAGECONFIG[opengl] = "--enable-opengl,--disable-opengl,,"
+
+PACKAGES =+ "${PN}-protocol"
+LICENSE_${PN}-protocol = "BSD"
+FILES_${PN}-protocol += "${includedir}/spice-1"
+FILES_${PN}-protocol += "${datadir}/pkgconfig"
+
+do_install_append() {
+ cd ${S}/spice-common/spice-protocol
+ oe_runmake DESTDIR="${D}" install
+ cd -
+}
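Review bot: All three `git://anongit.freedesktop.org/...` entries in SRC_URI fetch over the unauthenticated git protocol; the full-hash SRCREVs do bind each checkout to a specific commit, so the fetched content is integrity-checked, but the transport itself is neither authenticated nor encrypted and many hosts have since retired git:// service. If the freedesktop mirror serves these repositories over https, appending `;protocol=https` to each entry (and a `;branch=master` selector, which newer BitBake requires) keeps the same pinned commits while removing the plaintext fetch. Keep the SRCREVs exactly as they are — they, not the transport, are what pin the code and the backported CVE-2013-4282 fix applied via the `file://` entry below them.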