
Bug#855258: marked as done (unblock: spice/0.12.8-2.1)



Your message dated Sat, 18 Feb 2017 12:47:56 +0000
with message-id <E1cf4Qe-0002hm-Gs@respighi.debian.org>
and subject line unblock spice
has caused the Debian Bug report #855258,
regarding unblock: spice/0.12.8-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
855258: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855258
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package spice

It fixes two CVEs, CVE-2016-9577 and CVE-2016-9578, reported by Moritz as
#854336. Markus Koschany fixed it as:

+spice (0.12.8-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
+    - CVE-2016-9577: A buffer overflow vulnerability in
+      main_channel_alloc_msg_rcv_buf was found that occurs when reading large
+      messages due to missing buffer size check.
+    - CVE-2016-9578: A vulnerability was discovered in the server's
+      protocol handling. An attacker able to connect to the spice server could
+      send crafted messages which would cause the process to crash.
+      (Closes: #854336)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 13 Feb 2017 21:42:01 +0100

Attached is the resulting debdiff from the version in testing.

unblock spice/0.12.8-2.1

Regards,
Salvatore
diff -Nru spice-0.12.8/debian/changelog spice-0.12.8/debian/changelog
--- spice-0.12.8/debian/changelog	2017-01-06 14:50:55.000000000 +0100
+++ spice-0.12.8/debian/changelog	2017-02-13 21:42:01.000000000 +0100
@@ -1,3 +1,17 @@
+spice (0.12.8-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
+    - CVE-2016-9577: A buffer overflow vulnerability in
+      main_channel_alloc_msg_rcv_buf was found that occurs when reading large
+      messages due to missing buffer size check.
+    - CVE-2016-9578: A vulnerability was discovered in the server's
+      protocol handling. An attacker able to connect to the spice server could
+      send crafted messages which would cause the process to crash.
+      (Closes: #854336)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 13 Feb 2017 21:42:01 +0100
+
 spice (0.12.8-2) unstable; urgency=medium
 
   * Build on all little-endian architectures (Closes: #734218)
diff -Nru spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch
--- spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-0.12.8/debian/patches/CVE-2016-9577-and-CVE-2016-9578.patch	2017-02-13 21:42:01.000000000 +0100
@@ -0,0 +1,54 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 13 Feb 2017 21:38:02 +0100
+Subject: CVE-2016-9577 and CVE-2016-9578
+
+Bug-Debian: https://bugs.debian.org/854336
+Origin: http://pkgs.fedoraproject.org/cgit/rpms/spice.git/commit/?id=d919d639ae5f83a9735a04d843eed675f9357c0d
+---
+ server/main_channel.c |  3 +++
+ server/reds.c         | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df..1fc3915 100644
+--- a/server/main_channel.c
++++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+ 
+     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+         return reds_get_agent_data_buffer(mcc, size);
++    } else if (size > sizeof(main_chan->recv_buf)) {
++        /* message too large, caller will log a message and close the connection */
++        return NULL;
+     } else {
+         return main_chan->recv_buf;
+     }
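Review bot: the new `else if` branch returns NULL when `size > sizeof(main_chan->recv_buf)`, and its comment promises that "caller will log a message and close the connection", but that caller is outside this hunk; the patch description should state that every caller of main_channel_alloc_msg_rcv_buf treats a NULL return as a fatal protocol error rather than dereferencing it. Note also that the SPICE_MSGC_MAIN_AGENT_DATA path is still dispatched to reds_get_agent_data_buffer before this check runs, so the new bound does not cover agent data; any size limit for that path has to be enforced inside reds_get_agent_data_buffer.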
+diff --git a/server/reds.c b/server/reds.c
+index 61bf735..4c60f58 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ 
++    /* Prevent DoS. Currently we defined only 13 capabilities,
++     * I expect 1024 to be valid for quite a lot time */
++    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
++        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
++        reds_link_free(link);
++        return;
++    }
++
+     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+ 
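Review bot: the 1024 cap is a bare literal repeated twice in the condition; a named constant (for example `#define REDS_MAX_CAPS 1024`) would keep the two comparisons in sync and make the limit greppable, and the comment should be tidied to something like "Currently only 13 capabilities are defined; 1024 should remain sufficient for a long time". Placing the check after the GUINT32_FROM_LE conversions is correct, since the comparison then operates on host-order values. However, `link_mess->caps_offset` on the following line is used to form a pointer without any visible validation in this hunk, so the patch should say where that offset is checked against the link message size.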
+@@ -2202,7 +2210,8 @@ static void reds_handle_read_header_done(void *opaque)
+ 
+     reds->peer_minor_version = header->minor_version;
+ 
+-    if (header->size < sizeof(SpiceLinkMess)) {
++    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
++    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+         spice_warning("bad size %u", header->size);
+         reds_link_free(link);
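Review bot: `header->size > 4096` adds a second unexplained literal alongside the 1024 cap in the previous hunk; give it a name next to the other limit and fix the comment's grammar ("the 4096 limit prevents clients from triggering arbitrarily large allocations"). The existing `spice_warning("bad size %u", header->size)` now fires for both too-small and too-large headers, which is still accurate, so no change is needed there.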
diff -Nru spice-0.12.8/debian/patches/series spice-0.12.8/debian/patches/series
--- spice-0.12.8/debian/patches/series	2017-01-06 14:50:42.000000000 +0100
+++ spice-0.12.8/debian/patches/series	2017-02-13 21:42:01.000000000 +0100
@@ -1 +1,2 @@
 stop-linking-with-libcacard.diff
+CVE-2016-9577-and-CVE-2016-9578.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
