Bug#911992: stretch-pu: package spice-gtk/0.33-3.3+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi

spice-gtk is affected by the CVE-2018-10873 issue, which is also tracked in
the Debian BTS as #906316. Whilst for src:spice itself we released a
DSA, for spice-gtk this does not warrant a DSA (the issue would be the
other way around, i.e. a malicious spice server triggering the issue in
the client).

A basic smoke test was performed with the resulting package, but I did not
specifically try to trigger the issue.

The changelog reads as follows:

+spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 26 Oct 2018 17:52:24 +0200

Full debdiff attached.

Thanks for considering including the update in the next stretch point
release.

Regards,
Salvatore

diff -Nru spice-gtk-0.33/debian/changelog spice-gtk-0.33/debian/changelog
--- spice-gtk-0.33/debian/changelog	2017-01-14 12:34:36.000000000 +0100
+++ spice-gtk-0.33/debian/changelog	2018-10-26 17:52:24.000000000 +0200
@@ -1,3 +1,10 @@
+spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 26 Oct 2018 17:52:24 +0200
+
 spice-gtk (0.33-3.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch
--- spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ spice-gtk-0.33/debian/patches/Fix-flexible-array-buffer-overflow.patch	2018-10-26 17:52:24.000000000 +0200
@@ -0,0 +1,68 @@
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: Fix flexible array buffer overflow
+Origin: https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-10873
+Bug-Debian: https://bugs.debian.org/906316
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+An example is:
+
+    message {
+        uint32 dummy[2];
+        uint8 data[] @end;
+    } LenMessage;
+
+which generated this (simplified remove useless code) code:
+
+    { /* data */
+        data__nelements = message_end - (start + 8);
+
+        data__nw_size = data__nelements;
+    }
+
+    nw_size = 8 + data__nw_size;
+
+    /* Check if message fits in reported side */
+    if (nw_size > (uintptr_t) (message_end - start)) {
+        return NULL;
+    }
+
+Following code:
+- data__nelements == message_end - (start + 8)
+- data__nw_size == data__nelements == message_end - (start + 8)
+- nw_size == 8 + data__nw_size == 8 + message_end - (start + 8) ==
+  8 + message_end - start - 8 == message_end -start
+- the check for overflow is (nw_size > (message_end - start)) but
+  nw_size == message_end - start so the check is doing
+  ((message_end - start) > (message_end - start)) which is always false.
+
+If message_end - start < 8 then data__nelements (number of element
+on the array above) computation generate an integer underflow that
+later create a buffer overflow.
+
+Add a check to make sure that the array starts before the message ends
+to avoid the overflow.
+
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
+[Salvatore Bonaccorso: Drop generated diff from commit messages causing
+ problem when applying with quilt. Remove addition to testsuite]
+---
+
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -318,6 +318,7 @@ def write_validate_array_item(writer, co
+         writer.assign(nelements, array.size)
+     elif array.is_remaining_length():
+         if element_type.is_fixed_nw_size():
++            writer.error_check("%s > message_end" % item.get_position())
+             if element_type.get_fixed_nw_size() == 1:
+                 writer.assign(nelements, "message_end - %s" % item.get_position())
+             else:
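Review bot: the new `writer.error_check("%s > message_end" % item.get_position())` sits inside the `if element_type.is_fixed_nw_size():` branch, so only the fixed-size element path gains the guard against the array starting past `message_end`; the `else:` branch visible as trailing context, which handles elements without a fixed network size, is not touched by this hunk, so it is worth confirming that its `nelements` computation cannot hit the same `message_end - position` underflow described in the commit message. The strict `>` is the right comparison here: a position equal to `message_end` yields zero elements rather than an underflow. Separately, the bracketed note above states that the upstream test suite addition was dropped from this backport, so nothing in the package build exercises the new check; since the bug report's smoke test also did not try to trigger the issue, a quick manual run of the generated demarshaller against a truncated message (shorter than the 8 leading bytes in the example) would be the only verification of the fix before upload.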
diff -Nru spice-gtk-0.33/debian/patches/series spice-gtk-0.33/debian/patches/series
--- spice-gtk-0.33/debian/patches/series	2017-01-14 12:34:36.000000000 +0100
+++ spice-gtk-0.33/debian/patches/series	2018-10-26 17:52:24.000000000 +0200
@@ -3,3 +3,4 @@
 ssl-Stop-creating-our-own-X509_LOOKUP_METHOD.patch
 ssl-Rework-our-custom-BIO-type.patch
 ssl-Use-accessors-rather-than-direct-struct-access.patch
+Fix-flexible-array-buffer-overflow.patch