diff options
author | Matthias Maier <tamiko@gentoo.org> | 2016-06-13 23:39:52 -0500 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2016-06-14 00:46:46 -0500 |
commit | e78aee5d6b747e4dd0c6aed30b959107957a7c17 (patch) | |
tree | 8a266d3e3cf56a1f69193e5534e8bde7e1bd791c /app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch | |
parent | dev-ruby/activerecord: add missing test-unit dependency, bug 578140 (diff) | |
download | gentoo-e78aee5d6b747e4dd0c6aed30b959107957a7c17.tar.gz gentoo-e78aee5d6b747e4dd0c6aed30b959107957a7c17.tar.bz2 gentoo-e78aee5d6b747e4dd0c6aed30b959107957a7c17.zip |
app-emulation/spice: fix vuln 0.12.7, bug #584126
Apply the following patches to 0.12.7:
CVE-2016-2150:
0067-create-a-function-to-validate-surface-parameters.patch
0068-improve-primary-surface-parameter-checks.patch
CVE-2016-0749:
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
0066-smartcard-allocate-msg-with-the-expected-size.patch
Gentoo-Bug: 584126
Package-Manager: portage-2.2.28
Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Diffstat (limited to 'app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch')
-rw-r--r-- | app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch b/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch new file mode 100644 index 000000000000..8005e063f0d8 --- /dev/null +++ b/app-emulation/spice/files/0.12.6-CVE-2016-2150-p2.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio <fziglio@redhat.com> +Date: Mon, 29 Feb 2016 14:34:49 +0000 +Subject: [PATCH] improve primary surface parameter checks + +Primary surface, as additional surfaces, can be used to access +host memory from the guest using invalid parameters. + +Signed-off-by: Frediano Ziglio <fziglio@redhat.com> +--- + server/red_worker.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/server/red_worker.c b/server/red_worker.c +index a7eaab9..f9179a6 100644 +--- a/server/red_worker.c ++++ b/server/red_worker.c +@@ -11380,6 +11380,15 @@ static void dev_create_primary_surface(RedWorker *worker, uint32_t surface_id, + spice_warn_if(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) != + abs(surface.stride) * surface.height); + ++ /* surface can arrive from guest unchecked so make sure ++ * guest is not a malicious one and drop invalid requests ++ */ ++ if (!red_validate_surface(surface.width, surface.height, ++ surface.stride, surface.format)) { ++ spice_warning("wrong primary surface creation request"); ++ return; ++ } ++ + line_0 = (uint8_t*)get_virt(&worker->mem_slots, surface.mem, + surface.height * abs(surface.stride), + surface.group_id, &error); |