diff options
| author | Graham Christensen <graham@grahamc.com> | 2017-02-08 22:03:11 -0500 |
|---|---|---|
| committer | Graham Christensen <graham@grahamc.com> | 2017-02-08 22:03:11 -0500 |
| commit | 77e920d874e9c1b4c41ef1250013b19e8fa792c1 (patch) | |
| tree | 77c3b8ee8f660db84aa745e656941a5dda419966 | |
| parent | 379144f54b2fa0e1568f72d58860393a1e09b92d (diff) | |
| download | nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar.gz nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar.bz2 nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar.lz nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar.xz nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.tar.zst nixlib-77e920d874e9c1b4c41ef1250013b19e8fa792c1.zip | |
spice: Patch for CVE-2016-9577, CVE-2016-9578
From the Red Hat advisory: * A vulnerability was discovered in spice in the server's protocol handling. An authenticated attacker could send crafted messages to the spice server causing a heap overflow leading to a crash or possible code execution. (CVE-2016-9577) * A vulnerability was discovered in spice in the server's protocol handling. An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. (CVE-2016-9578)
| -rw-r--r-- | pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch | 56 | ||||
| -rw-r--r-- | pkgs/development/libraries/spice/default.nix | 23 |
2 files changed, 76 insertions, 3 deletions
diff --git a/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch b/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch new file mode 100644 index 000000000000..8098f568e21a --- /dev/null +++ b/pkgs/development/libraries/spice/0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch @@ -0,0 +1,56 @@ +From 75e8685740199537bfefcbd9996ec3ff9f6342e6 Mon Sep 17 00:00:00 2001 +From: Graham Christensen <graham@grahamc.com> +Date: Wed, 8 Feb 2017 21:58:43 -0500 +Subject: [PATCH] Adapting the following patch, from + http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0003-main-channel-Prevent-overflow-reading-messages-from-.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d + +> From: Frediano Ziglio <fziglio@redhat.com> +> Date: Tue, 29 Nov 2016 16:46:56 +0000 +> Subject: [spice-server 3/3] main-channel: Prevent overflow reading messages +> from client +> +> Caller is supposed the function return a buffer able to store +> size bytes. +> +> Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +> Acked-by: Christophe Fergeau <cfergeau@redhat.com> +> --- +> server/main-channel.c | 3 +++ +> 1 file changed, 3 insertions(+) +> +> diff --git a/server/main-channel.c b/server/main-channel.c +> index 24dd448..1124506 100644 +> --- a/server/main-channel.c +> +++ b/server/main-channel.c +> @@ -258,6 +258,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, +> +> if (type == SPICE_MSGC_MAIN_AGENT_DATA) { +> return reds_get_agent_data_buffer(red_channel_get_server(channel), mcc, size); +> + } else if (size > sizeof(main_chan->recv_buf)) { +> + /* message too large, caller will log a message and close the connection */ +> + return NULL; +> } else { +> return main_chan->recv_buf; +> } +> -- +> 2.9.3 +> --- + server/main_channel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/server/main_channel.c b/server/main_channel.c +index 0ecc9df..1fc3915 100644 +--- a/server/main_channel.c ++++ b/server/main_channel.c +@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc, + + if (type == SPICE_MSGC_MAIN_AGENT_DATA) { + return reds_get_agent_data_buffer(mcc, size); ++ } else if (size > sizeof(main_chan->recv_buf)) { ++ /* message too large, caller will log a message and close the connection */ ++ return NULL; + } else { + return main_chan->recv_buf; + } +-- +2.10.0 diff --git a/pkgs/development/libraries/spice/default.nix b/pkgs/development/libraries/spice/default.nix index c0145f4f7769..61952c3b3238 100644 --- a/pkgs/development/libraries/spice/default.nix +++ b/pkgs/development/libraries/spice/default.nix @@ -1,6 +1,7 @@ -{ stdenv, fetchurl, pkgconfig, pixman, celt, alsaLib, openssl -, libXrandr, libXfixes, libXext, libXrender, libXinerama, libjpeg, zlib -, spice_protocol, python, pyparsing, glib, cyrus_sasl, lz4 }: +{ stdenv, fetchurl, fetchpatch, pkgconfig, pixman, celt, alsaLib +, openssl, libXrandr, libXfixes, libXext, libXrender, libXinerama +, libjpeg, zlib, spice_protocol, python, pyparsing, glib, cyrus_sasl +, lz4 }: with stdenv.lib; @@ -12,6 +13,22 @@ stdenv.mkDerivation rec { sha256 = "0za03i77j8i3g5l2np2j7vy8cqsdbkm9wbv4hjnaqq9xhz2sa0gr"; }; + patches = [ + (fetchpatch { + name = "0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch"; + url = "http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d"; + sha256 = "11x5566lx5zyl7f39glwsgpzkxb7hpcshx8va5ab3imrns07130q"; + }) + (fetchpatch { + name = "0002-Prevent-integer-overflows-in-capability-checks.patch"; + url = "http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0002-Prevent-integer-overflows-in-capability-checks.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d"; + sha256 = "1r1bhq98w93cvvrlrz6jwdfsy261xl3xqs0ppchaa2igyxvxv5z5"; + }) + # Originally from http://pkgs.fedoraproject.org/cgit/rpms/spice.git/plain/0003-main-channel-Prevent-overflow-reading-messages-from-.patch?id=d919d639ae5f83a9735a04d843eed675f9357c0d + # but main-channel.c was renamed to main_channel.c + ./0001-Adapting-the-following-patch-from-http-pkgs.fedorapr.patch + ]; + buildInputs = [ pixman celt alsaLib openssl libjpeg zlib libXrandr libXfixes libXrender libXext libXinerama python pyparsing glib cyrus_sasl lz4 ]; |