diff options
author | Matthias Maier <tamiko@gentoo.org> | 2016-06-14 00:37:13 -0500 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2016-06-14 00:46:47 -0500 |
commit | 76546db063fa388fbd42de1860e0d79d17948011 (patch) | |
tree | 2d125ca3c1c34f9adab27d3614dbe663a3526397 /app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch | |
parent | app-emulation/spice: fix vuln 0.12.7, bug #584126 (diff) | |
download | gentoo-76546db063fa388fbd42de1860e0d79d17948011.tar.gz gentoo-76546db063fa388fbd42de1860e0d79d17948011.tar.bz2 gentoo-76546db063fa388fbd42de1860e0d79d17948011.zip |
app-emulation/spice: fix vuln 0.13.1, bug #584126
Apply the following patches to 0.13.1:
CVE-2016-2150:
Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
Commits 790d8f3e53d324f496fc719498422e433aae8654
*instead of* 0067-create-a-function-to-validate-surface-parameters.patch
*instead of* 0068-improve-primary-surface-parameter-checks.patch
CVE-2016-0749:
Ported the following commits to 0.13.1 (patches did not apply due to
refactoring of some internal data structures and renaming).
*modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
*modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch
Gentoo-Bug: 584126
Package-Manager: portage-2.2.28
Diffstat (limited to 'app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch')
-rw-r--r-- | app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch new file mode 100644 index 000000000000..cd1c8ef1df67 --- /dev/null +++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch @@ -0,0 +1,56 @@ +From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001 +From: Matthias Maier <tamiko@43-1.org> +Date: Tue, 14 Jun 2016 00:08:05 -0500 +Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I + +This is a port of + + 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch + +to version 0.13.1 + +Original commit message: + +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Marc-Andre Lureau <marcandre.lureau@redhat.com> +Date: Thu, 17 Dec 2015 18:13:47 +0100 +Subject: [PATCH] smartcard: add a ref to item before adding to pipe + +There is an unref when the message is sent. + +[...] + +Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com> +--- + server/smartcard.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/server/smartcard.c b/server/smartcard.c +index ba6f2f5..96e4295 100644 +--- a/server/smartcard.c ++++ b/server/smartcard.c +@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg, + smartcard_unref_vsc_msg_item((MsgItem *)msg); + } + +-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg, ++static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message, + RedClient *client, + void *opaque) + { + RedCharDeviceSmartcard *dev = opaque; +- spice_assert(dev->priv->scc && dev->priv->scc->base.client == client); +- smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base); + ++ MsgItem *msg = (MsgItem *)message; ++ PipeItem *item = &msg->base; ++ ++ spice_assert(dev->priv->scc && dev->priv->scc->base.client == client); ++ smartcard_ref_vsc_msg_item(msg); ++ smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item); + } + + static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque) +-- +2.7.3 + |