author | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-01-01 16:37:20 -0300 |
---|---|---|
committer | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-01-01 16:37:20 -0300 |
commit | 6124dfa10e2a69fc79efc85f611c8db582caf711 (patch) | |
tree | e9706ae64164967e8448140e9cb6534dfbb0a2a3 /extra/spice/CVE-2013-4282.patch | |
parent | 385fda403f286573a778ee525fe56a86d11fc967 (diff) | |
parent | 5a81550adad5ccde4ad6924cfee2b2ef96d02c98 (diff) |
Merge branch 'master' of gparabola:abslibre/abslibre-pre-mips64el
Conflicts:
community/almanah/PKGBUILD
community/audit/PKGBUILD
community/bird/PKGBUILD
community/blobby2/PKGBUILD
community/blueman/PKGBUILD
community/bomberclone/PKGBUILD
community/botan/PKGBUILD
community/cantata/PKGBUILD
community/cinnamon-desktop/PKGBUILD
community/cinnamon-settings-daemon/PKGBUILD
community/cinnamon/PKGBUILD
community/clearsilver/PKGBUILD
community/clinica/PKGBUILD
community/confuse/PKGBUILD
community/deadbeef/PKGBUILD
community/dvdrtools/PKGBUILD
community/etl/PKGBUILD
community/extremetuxracer/PKGBUILD
community/fcitx-mozc/PKGBUILD
community/flashrom/PKGBUILD
community/freedroidrpg/PKGBUILD
community/gcolor2/PKGBUILD
community/geary/PKGBUILD
community/glob2/PKGBUILD
community/gnash/PKGBUILD
community/gnome-commander/PKGBUILD
community/gnome-settings-daemon-updates/PKGBUILD
community/gnuchess/PKGBUILD
community/haskell-bytestring-show/PKGBUILD
community/haskell-hslogger/PKGBUILD
community/haskell-vector/PKGBUILD
community/hedgewars/PKGBUILD
community/hitori/PKGBUILD
community/inputattach/PKGBUILD
community/jack2/PKGBUILD
community/kid3/PKGBUILD
community/lcdproc/PKGBUILD
community/libcec/PKGBUILD
community/libvirt/PKGBUILD
community/libwww/PKGBUILD
community/lightdm/PKGBUILD
community/lincity-ng/PKGBUILD
community/linux-tools/PKGBUILD
community/linuxtv-dvb-apps/PKGBUILD
community/lockdev/PKGBUILD
community/log4cpp/PKGBUILD
community/love/PKGBUILD
community/luajit/PKGBUILD
community/lxc/PKGBUILD
community/metamail/PKGBUILD
community/mingw32-binutils/PKGBUILD
community/mingw32-gcc/PKGBUILD
community/mingw32-pthreads/PKGBUILD
community/mongodb/PKGBUILD
community/nemo/PKGBUILD
community/par2cmdline/PKGBUILD
community/pdfedit/PKGBUILD
community/perl-json-xs/PKGBUILD
community/pidgin-talkfilters/PKGBUILD
community/pokerth/PKGBUILD
community/setconf/PKGBUILD
community/stfl/PKGBUILD
community/talkfilters/PKGBUILD
community/tre/PKGBUILD
community/ubuntuone-client-gnome/PKGBUILD
community/ubuntuone-client/PKGBUILD
community/vor/PKGBUILD
community/warmux/PKGBUILD
community/wdm/PKGBUILD
community/xbmc-pvr-addons/PKGBUILD
core/gcc/PKGBUILD
core/lvm2/PKGBUILD
core/systemd/PKGBUILD
core/sysvinit-tools/PKGBUILD
extra/aubio/PKGBUILD
extra/avidemux/PKGBUILD
extra/bluez4/PKGBUILD
extra/boost/PKGBUILD
extra/calligra/PKGBUILD
extra/caribou/PKGBUILD
extra/chemtool/PKGBUILD
extra/cinepaint/PKGBUILD
extra/conky/PKGBUILD
extra/cups/PKGBUILD
extra/enlightenment16/PKGBUILD
extra/exo/PKGBUILD
extra/fakechroot/PKGBUILD
extra/farstream-0.1/PKGBUILD
extra/ffmpeg-compat/PKGBUILD
extra/fltk/PKGBUILD
extra/git/PKGBUILD
extra/gpart/PKGBUILD
extra/gstreamer0.10-base/PKGBUILD
extra/gstreamer0.10-ffmpeg/PKGBUILD
extra/gstreamer0.10-good/PKGBUILD
extra/gstreamer0.10-ugly/PKGBUILD
extra/gtk-vnc/PKGBUILD
extra/haveged/PKGBUILD
extra/icewm/PKGBUILD
extra/imagemagick/PKGBUILD
extra/kactivities/PKGBUILD
extra/kdeaccessibility-jovie/PKGBUILD
extra/kdeaccessibility-kaccessible/PKGBUILD
extra/kdeaccessibility-kmag/PKGBUILD
extra/kdeaccessibility-kmousetool/PKGBUILD
extra/kdeaccessibility-kmouth/PKGBUILD
extra/kdeadmin-kcron/PKGBUILD
extra/kdeadmin-ksystemlog/PKGBUILD
extra/kdeadmin-kuser/PKGBUILD
extra/kdeartwork/PKGBUILD
extra/kdebase-konsole/PKGBUILD
extra/kdebase-workspace/PKGBUILD
extra/kdebase/PKGBUILD
extra/kdebindings-kimono/PKGBUILD
extra/kdebindings-korundum/PKGBUILD
extra/kdebindings-kross/PKGBUILD
extra/kdebindings-perlkde/PKGBUILD
extra/kdebindings-perlqt/PKGBUILD
extra/kdebindings-python/PKGBUILD
extra/kdebindings-qtruby/PKGBUILD
extra/kdebindings-qyoto/PKGBUILD
extra/kdebindings-smokegen/PKGBUILD
extra/kdebindings-smokekde/PKGBUILD
extra/kdebindings-smokeqt/PKGBUILD
extra/kdeedu-analitza/PKGBUILD
extra/kdeedu-blinken/PKGBUILD
extra/kdeedu-cantor/PKGBUILD
extra/kdeedu-kalgebra/PKGBUILD
extra/kdeedu-kalzium/PKGBUILD
extra/kdeedu-kanagram/PKGBUILD
extra/kdeedu-kbruch/PKGBUILD
extra/kdeedu-kgeography/PKGBUILD
extra/kdeedu-khangman/PKGBUILD
extra/kdeedu-kig/PKGBUILD
extra/kdeedu-kiten/PKGBUILD
extra/kdeedu-klettres/PKGBUILD
extra/kdeedu-kmplot/PKGBUILD
extra/kdeedu-kstars/PKGBUILD
extra/kdeedu-ktouch/PKGBUILD
extra/kdeedu-kturtle/PKGBUILD
extra/kdeedu-kwordquiz/PKGBUILD
extra/kdeedu-marble/PKGBUILD
extra/kdeedu-pairs/PKGBUILD
extra/kdeedu-parley/PKGBUILD
extra/kdeedu-rocs/PKGBUILD
extra/kdeedu-step/PKGBUILD
extra/kdegames-bomber/PKGBUILD
extra/kdegames-bovo/PKGBUILD
extra/kdegames-granatier/PKGBUILD
extra/kdegames-kapman/PKGBUILD
extra/kdegames-katomic/PKGBUILD
extra/kdegames-kblackbox/PKGBUILD
extra/kdegames-kblocks/PKGBUILD
extra/kdegames-kbounce/PKGBUILD
extra/kdegames-kbreakout/PKGBUILD
extra/kdegames-kdiamond/PKGBUILD
extra/kdegames-kfourinline/PKGBUILD
extra/kdegames-kgoldrunner/PKGBUILD
extra/kdegames-kigo/PKGBUILD
extra/kdegames-killbots/PKGBUILD
extra/kdegames-kiriki/PKGBUILD
extra/kdegames-kjumpingcube/PKGBUILD
extra/kdegames-klickety/PKGBUILD
extra/kdegames-klines/PKGBUILD
extra/kdegames-kmahjongg/PKGBUILD
extra/kdegames-kmines/PKGBUILD
extra/kdegames-knavalbattle/PKGBUILD
extra/kdegames-knetwalk/PKGBUILD
extra/kdegames-kolf/PKGBUILD
extra/kdegames-kollision/PKGBUILD
extra/kdegames-konquest/PKGBUILD
extra/kdegames-kpatience/PKGBUILD
extra/kdegames-kreversi/PKGBUILD
extra/kdegames-kshisen/PKGBUILD
extra/kdegames-ksirk/PKGBUILD
extra/kdegames-ksnakeduel/PKGBUILD
extra/kdegames-kspaceduel/PKGBUILD
extra/kdegames-ksquares/PKGBUILD
extra/kdegames-ksudoku/PKGBUILD
extra/kdegames-ktuberling/PKGBUILD
extra/kdegames-kubrick/PKGBUILD
extra/kdegames-lskat/PKGBUILD
extra/kdegames-palapeli/PKGBUILD
extra/kdegames-picmi/PKGBUILD
extra/kdegraphics-gwenview/PKGBUILD
extra/kdegraphics-kamera/PKGBUILD
extra/kdegraphics-kcolorchooser/PKGBUILD
extra/kdegraphics-kgamma/PKGBUILD
extra/kdegraphics-kolourpaint/PKGBUILD
extra/kdegraphics-kruler/PKGBUILD
extra/kdegraphics-ksaneplugin/PKGBUILD
extra/kdegraphics-ksnapshot/PKGBUILD
extra/kdegraphics-mobipocket/PKGBUILD
extra/kdegraphics-okular/PKGBUILD
extra/kdegraphics-strigi-analyzer/PKGBUILD
extra/kdegraphics-svgpart/PKGBUILD
extra/kdegraphics-thumbnailers/PKGBUILD
extra/kdemultimedia-audiocd-kio/PKGBUILD
extra/kdemultimedia-dragonplayer/PKGBUILD
extra/kdemultimedia-ffmpegthumbs/PKGBUILD
extra/kdemultimedia-juk/PKGBUILD
extra/kdemultimedia-kmix/PKGBUILD
extra/kdemultimedia-kscd/PKGBUILD
extra/kdemultimedia-mplayerthumbs/PKGBUILD
extra/kdenetwork-filesharing/PKGBUILD
extra/kdenetwork-kdnssd/PKGBUILD
extra/kdenetwork-kget/PKGBUILD
extra/kdenetwork-kppp/PKGBUILD
extra/kdenetwork-krdc/PKGBUILD
extra/kdenetwork-krfb/PKGBUILD
extra/kdenetwork-strigi-analyzers/PKGBUILD
extra/kdepim-runtime/PKGBUILD
extra/kdepim/PKGBUILD
extra/kdepimlibs/PKGBUILD
extra/kdeplasma-addons/PKGBUILD
extra/kdesdk-cervisia/PKGBUILD
extra/kdesdk-dev-scripts/PKGBUILD
extra/kdesdk-dev-utils/PKGBUILD
extra/kdesdk-dolphin-plugins/PKGBUILD
extra/kdesdk-kapptemplate/PKGBUILD
extra/kdesdk-kate/PKGBUILD
extra/kdesdk-kcachegrind/PKGBUILD
extra/kdesdk-kioslaves/PKGBUILD
extra/kdesdk-kompare/PKGBUILD
extra/kdesdk-lokalize/PKGBUILD
extra/kdesdk-okteta/PKGBUILD
extra/kdesdk-poxml/PKGBUILD
extra/kdesdk-strigi-analyzers/PKGBUILD
extra/kdesdk-thumbnailers/PKGBUILD
extra/kdesdk-umbrello/PKGBUILD
extra/kdetoys-amor/PKGBUILD
extra/kdetoys-kteatime/PKGBUILD
extra/kdetoys-ktux/PKGBUILD
extra/kdeutils-filelight/PKGBUILD
extra/kdeutils-kcalc/PKGBUILD
extra/kdeutils-kcharselect/PKGBUILD
extra/kdeutils-kdf/PKGBUILD
extra/kdeutils-kfloppy/PKGBUILD
extra/kdeutils-kgpg/PKGBUILD
extra/kdeutils-kremotecontrol/PKGBUILD
extra/kdeutils-ktimer/PKGBUILD
extra/kdeutils-kwallet/PKGBUILD
extra/kdeutils-print-manager/PKGBUILD
extra/kdeutils-superkaramba/PKGBUILD
extra/kdeutils-sweeper/PKGBUILD
extra/kdewebdev/PKGBUILD
extra/kino/PKGBUILD
extra/libdrm/PKGBUILD
extra/libiec61883/PKGBUILD
extra/libkcddb/PKGBUILD
extra/libkcompactdisc/PKGBUILD
extra/libkdcraw/PKGBUILD
extra/libkdeedu/PKGBUILD
extra/libkdegames/PKGBUILD
extra/libkexiv2/PKGBUILD
extra/libkipi/PKGBUILD
extra/libkmahjongg/PKGBUILD
extra/libksane/PKGBUILD
extra/libmikmod/PKGBUILD
extra/libmp4v2/PKGBUILD
extra/libnet/PKGBUILD
extra/libpst/PKGBUILD
extra/libsidplay/PKGBUILD
extra/libsigsegv/PKGBUILD
extra/libvpx/PKGBUILD
extra/libxmi/PKGBUILD
extra/lua51/PKGBUILD
extra/mariadb/PKGBUILD
extra/maxima/PKGBUILD
extra/mesa/PKGBUILD
extra/mjpegtools/PKGBUILD
extra/mkvtoolnix/PKGBUILD
extra/nepomuk-core/PKGBUILD
extra/nepomuk-widgets/PKGBUILD
extra/obexd/PKGBUILD
extra/opencv/PKGBUILD
extra/perl-dbd-mysql/PKGBUILD
extra/phonon-gstreamer/PKGBUILD
extra/phonon-vlc/PKGBUILD
extra/phonon/PKGBUILD
extra/plotutils/PKGBUILD
extra/postgresql/PKGBUILD
extra/pycrypto/PKGBUILD
extra/python/PKGBUILD
extra/qt4/PKGBUILD
extra/qt5/PKGBUILD
extra/rcs/PKGBUILD
extra/rdesktop/PKGBUILD
extra/rtmpdump/PKGBUILD
extra/ruby/PKGBUILD
extra/signon/PKGBUILD
extra/sqlite/PKGBUILD
extra/vigra/PKGBUILD
extra/vim/PKGBUILD
extra/vlc/PKGBUILD
extra/w3m/PKGBUILD
extra/wcslib/PKGBUILD
extra/windowmaker/PKGBUILD
extra/x264/PKGBUILD
extra/xaos/PKGBUILD
extra/xmlto/PKGBUILD
libre/angband-libre/PKGBUILD
libre/hplip-libre/PKGBUILD
libre/kdebase-konqueror-libre/PKGBUILD
libre/kdebase-runtime-libre/PKGBUILD
libre/kdelibs-libre/PKGBUILD
libre/kdenetwork-kopete-libre/PKGBUILD
libre/kdepim-libre/PKGBUILD
libre/kdeutils-ark-libre/PKGBUILD
libre/linux-libre/PKGBUILD
libre/mc-libre/PKGBUILD
libre/xbmc-libre/PKGBUILD
nonprism/kdenetwork-kopete-libre-nonprism/PKGBUILD
nonprism/kdepim-runtime-nonprism/PKGBUILD
pcr/libquvi-scripts-current/PKGBUILD
Diffstat (limited to 'extra/spice/CVE-2013-4282.patch')
-rw-r--r-- | extra/spice/CVE-2013-4282.patch | 104 |
1 files changed, 104 insertions, 0 deletions
diff --git a/extra/spice/CVE-2013-4282.patch b/extra/spice/CVE-2013-4282.patch
new file mode 100644
index 000000000..3dfa1c8f2
--- /dev/null
+++ b/extra/spice/CVE-2013-4282.patch
@@ -0,0 +1,104 @@
+From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
+From: Christophe Fergeau <cfergeau@redhat.com>
+Date: Fri, 23 Aug 2013 09:29:44 +0000
+Subject: Fix buffer overflow when decrypting client SPICE ticket
+
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+
+This fixes rhbz#999839
+---
+diff --git a/server/reds.c b/server/reds.c
+index 892d247..2a0002b 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+ RedLinkInfo *link = (RedLinkInfo *)opaque;
+- char password[SPICE_MAX_PASSWORD_LENGTH];
++ char *password;
+ time_t ltime;
++ int password_size;
+
+ //todo: use monotonic time
+ time(<ime);
+- RSA_private_decrypt(link->tiTicketing.rsa_size,
+- link->tiTicketing.encrypted_ticket.encrypted_data,
+- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
++ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
++ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
++ "SPICE ticket sent from client may be truncated",
++ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
++ }
++
++ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
++ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
++ link->tiTicketing.encrypted_ticket.encrypted_data,
++ (unsigned char *)password,
++ link->tiTicketing.rsa,
++ RSA_PKCS1_OAEP_PADDING);
++ if (password_size == -1) {
++ spice_warning("failed to decrypt RSA encrypted password: %s",
++ ERR_error_string(ERR_get_error(), NULL));
++ goto error;
++ }
++ password[password_size] = '\0';
+
+ if (ticketing_enabled && !link->skip_auth) {
+ int expired = taTicket.expiration_time < ltime;
+
+ if (strlen(taTicket.password) == 0) {
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+ spice_warning("Ticketing is enabled, but no password is set. "
+- "please set a ticket first");
+- reds_link_free(link);
+- return;
++ "please set a ticket first");
++ goto error;
+ }
+
+- if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
++ if (expired || strcmp(password, taTicket.password) != 0) {
+ if (expired) {
+ spice_warning("Ticket has expired");
+ } else {
+ spice_warning("Invalid password");
+ }
+- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+- reds_link_free(link);
+- return;
++ goto error;
+ }
+ }
+
+ reds_handle_link(link);
++ goto end;
++
++error:
++ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
++ reds_link_free(link);
++
++end:
++ g_free(password);
+ }
+
+ static inline void async_read_clear_handlers(AsyncRead *obj)
+--
+cgit v0.9.0.2-2-gbebe |