summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch')
-rw-r--r--app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
new file mode 100644
index 000000000000..cd1c8ef1df67
--- /dev/null
+++ b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
@@ -0,0 +1,56 @@
+From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
+From: Matthias Maier <tamiko@43-1.org>
+Date: Tue, 14 Jun 2016 00:08:05 -0500
+Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
+
+This is a port of
+
+ 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
+
+to version 0.13.1
+
+Original commit message:
+
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
+Date: Thu, 17 Dec 2015 18:13:47 +0100
+Subject: [PATCH] smartcard: add a ref to item before adding to pipe
+
+There is an unref when the message is sent.
+
+[...]
+
+Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
+---
+ server/smartcard.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/server/smartcard.c b/server/smartcard.c
+index ba6f2f5..96e4295 100644
+--- a/server/smartcard.c
++++ b/server/smartcard.c
+@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
+ smartcard_unref_vsc_msg_item((MsgItem *)msg);
+ }
+
+-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
++static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
+ RedClient *client,
+ void *opaque)
+ {
+ RedCharDeviceSmartcard *dev = opaque;
+- spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+- smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base);
+
++ MsgItem *msg = (MsgItem *)message;
++ PipeItem *item = &msg->base;
++
++ spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
++ smartcard_ref_vsc_msg_item(msg);
++ smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item);
+ }
+
+ static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
+--
+2.7.3
+