Diffstat (limited to 'app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch')
-rw-r--r-- | app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
new file mode 100644
index 000000000000..cd1c8ef1df67
--- /dev/null
+++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
@@ -0,0 +1,56 @@
+From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
+From: Matthias Maier <tamiko@43-1.org>
+Date: Tue, 14 Jun 2016 00:08:05 -0500
+Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
+
+This is a port of
+
+ 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
+Date: Thu, 17 Dec 2015 18:13:47 +0100
+Subject: [PATCH] smartcard: add a ref to item before adding to pipe
+
+There is an unref when the message is sent.
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
+---
+ server/smartcard.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index ba6f2f5..96e4295 100644
+--- a/server/smartcard.c
++++ b/server/smartcard.c
+@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
+ smartcard_unref_vsc_msg_item((MsgItem *)msg);
+ }
+
+-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
++static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
+ RedClient *client,
+ void *opaque)
+ {
+ RedCharDeviceSmartcard *dev = opaque;
+- spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+- smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base);
+
++ MsgItem *msg = (MsgItem *)message;
++ PipeItem *item = &msg->base;
++
++ spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
++ smartcard_ref_vsc_msg_item(msg);
++ smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item);
+ }
+
+ static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
+--
+2.7.3
+ |
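Review bot: The added `smartcard_ref_vsc_msg_item(msg);` in smartcard_send_msg_to_client carries no comment naming the unref it pairs with, so the ownership rule this fix depends on lives only in the commit message ("There is an unref when the message is sent"). I would put `/* the pipe unrefs the item once it is sent; take that reference here */` directly above the call, so a later refactor of the pipe path does not silently reintroduce the imbalance. The patch header is also hard to trace upstream: the original commit id is all zeros and the body is elided with `[...]`, so recording the upstream commit id in the header would let the port be compared against the original fix. This is part 1 of 2 and only changes reference counting; the second part is not shown here, so presumably both have to be applied together by the ebuild for the CVE to be addressed.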