diff --git a/backport-0001-CVE-2020-14355.patch b/backport-0001-CVE-2020-14355.patch
deleted file mode 100644
index 8e977ba..0000000
--- a/backport-0001-CVE-2020-14355.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 762e0abae36033ccde658fd52d3235887b60862d Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio
-Date: Wed, 29 Apr 2020 15:09:13 +0100
-Subject: [PATCH] quic: Check we have some data to start decoding quic image
-
-All paths already pass some data to quic_decode_begin but for the
-test check it, it's not that expensive test.
-Checking for not 0 is enough, all other words will potentially be
-read calling more_io_words but we need one to avoid a potential
-initial buffer overflow or deferencing an invalid pointer.
-
-Signed-off-by: Frediano Ziglio
-Acked-by: Uri Lublin
----
- subprojects/spice-common/common//quic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
-index e2dee0fd6874..bc753ca5064a 100644
---- a/subprojects/spice-common/common//quic.c
-+++ b/subprojects/spice-common/common//quic.c
-@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
- int channels;
- int bpc;
-
-- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
-+ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
- return QUIC_ERROR;
- }
-
---
-GitLab
diff --git a/backport-0001-CVE-2021-20201.patch b/backport-0001-CVE-2021-20201.patch
deleted file mode 100644
index 2c44be3..0000000
--- a/backport-0001-CVE-2021-20201.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 95a0cfac8a1c8eff50f05e65df945da3bb501fc9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Julien=20Rop=C3=A9?=
-Date: Thu, 3 Dec 2020 09:33:48 +0100
-Subject: [PATCH] With OpenSSL 1.0.2 and earlier: disable client-side
- renegotiation.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixed issue #49
-Fixes BZ#1904459
-
-Signed-off-by: Julien Rop茅
-Reported-by: BlackKD
-Acked-by: Frediano Ziglio
----
- server/red-stream.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/server/red-stream.c b/server/red-stream.c
-index 2c13aa2..c6f5ff7 100644
---- a/server/red-stream.c
-+++ b/server/red-stream.c
-@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
- return RED_STREAM_SSL_STATUS_OK;
- }
-
-+#ifndef SSL_OP_NO_RENEGOTIATION
-+ // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
-+ stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
-+#endif
-+
- ssl_error = SSL_get_error(stream->priv->ssl, return_code);
- if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
- ssl_error == SSL_ERROR_WANT_WRITE)) {
---
-2.23.0
-
diff --git a/backport-0002-CVE-2020-14355.patch b/backport-0002-CVE-2020-14355.patch
deleted file mode 100644
index 20aff85..0000000
--- a/backport-0002-CVE-2020-14355.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio
-Date: Wed, 29 Apr 2020 15:10:24 +0100
-Subject: [PATCH] quic: Check image size in quic_decode_begin
-
-Avoid some overflow in code due to images too big or
-negative numbers.
-
-Signed-off-by: Frediano Ziglio
-Acked-by: Uri Lublin
----
- subprojects/spice-common/common//quic.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
-index bc753ca5064a..681531677fbd 100644
---- a/subprojects/spice-common/common//quic.c
-+++ b/subprojects/spice-common/common//quic.c
-@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
- #define MINwminext 1
- #define MAXwminext 100000000
-
-+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
-+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
-+
- typedef struct QuicFamily {
- unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of
- unmodified GR codewords in the code */
-@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
- height = encoder->io_word;
- decode_eat32bits(encoder);
-
-+ if (width <= 0 || height <= 0) {
-+ encoder->usr->warn(encoder->usr, "invalid size\n");
-+ return QUIC_ERROR;
-+ }
-+
-+ /* avoid too big images */
-+ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
-+ encoder->usr->error(encoder->usr, "image too large\n");
-+ }
-+
- quic_image_params(encoder, type, &channels, &bpc);
-
- if (!encoder_reset_channels(encoder, channels, width, bpc)) {
---
-GitLab
diff --git a/backport-0002-CVE-2021-20201.patch b/backport-0002-CVE-2021-20201.patch
deleted file mode 100644
index ef61e1d..0000000
--- a/backport-0002-CVE-2021-20201.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Julien=20Rop=C3=A9?=
-Date: Wed, 2 Dec 2020 13:39:27 +0100
-Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes issue #49
-Fixes BZ#1904459
-
-Signed-off-by: Julien Rop茅
-Reported-by: BlackKD
-Acked-by: Frediano Ziglio
----
- server/reds.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index ee8cf38..810b7e9 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds)
- * When some other SSL/TLS version becomes obsolete, add it to this
- * variable. */
- long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_RENEGOTIATION
-+ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
-+ ssl_options |= SSL_OP_NO_RENEGOTIATION;
-+#endif
-
- /* Global system initialization*/
- openssl_global_init();
---
-2.23.0
-
diff --git a/backport-0003-CVE-2020-14355.patch b/backport-0003-CVE-2020-14355.patch
deleted file mode 100644
index 35f0965..0000000
--- a/backport-0003-CVE-2020-14355.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio
-Date: Wed, 29 Apr 2020 15:11:38 +0100
-Subject: [PATCH] quic: Check RLE lengths
-
-Avoid buffer overflows decoding images. On compression we compute
-lengths till end of line so it won't cause regressions.
-Proved by fuzzing the code.
-
-Signed-off-by: Frediano Ziglio
-Acked-by: Uri Lublin
----
- subprojects/spice-common/common//quic_tmpl.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/subprojects/spice-common/common//quic_tmpl.c b/subprojects/spice-common/common//quic_tmpl.c
-index ecd6f3f187c7..ebae992d642a 100644
---- a/subprojects/spice-common/common//quic_tmpl.c
-+++ b/subprojects/spice-common/common//quic_tmpl.c
-@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
- do_run:
- state->waitcnt = stopidx - i;
- run_index = i;
-- run_end = i + decode_state_run(encoder, state);
-+ run_end = decode_state_run(encoder, state);
-+ if (run_end < 0 || run_end > (end - i)) {
-+ encoder->usr->error(encoder->usr, "wrong RLE\n");
-+ }
-+ run_end += i;
-
- for (; i < run_end; i++) {
- UNCOMPRESS_PIX_START(&cur_row[i]);
---
-GitLab
diff --git a/backport-0004-CVE-2020-14355.patch b/backport-0004-CVE-2020-14355.patch
deleted file mode 100644
index eb5ef6c..0000000
--- a/backport-0004-CVE-2020-14355.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio
-Date: Thu, 30 Apr 2020 10:19:09 +0100
-Subject: [PATCH] quic: Avoid possible buffer overflow in find_bucket
-
-Proved by fuzzing the code.
-
-Signed-off-by: Frediano Ziglio
-Acked-by: Uri Lublin
----
- subprojects/spice-common/common//quic_family_tmpl.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/subprojects/spice-common/common/quic_family_tmpl.c
-+++ b/subprojects/spice-common/common/quic_family_tmpl.c
-@@ -105,7 +105,12 @@ static s_bucket *FNAME(find_bucket)(Chan
- spice_assert(val < (0x1U << BPC));
- }
-
-- return channel->_buckets_ptrs[val];
-+ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
-+ * attempts. Is much faster then using comparisons and save us from such situations.
-+ * Note that on normal build the check above won't be compiled as this code path
-+ * is pretty hot and would cause speed regressions.
-+ */
-+ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
- }
-
- #undef FNAME
---
-GitLab
diff --git a/spice-0.14.3.tar.bz2 b/spice-0.14.3.tar.bz2
deleted file mode 100644
index eab4a55..0000000
Binary files a/spice-0.14.3.tar.bz2 and /dev/null differ
diff --git a/spice-0.14.3.tar.bz2.sign b/spice-0.14.3.tar.bz2.sign
deleted file mode 100644
index 2b406f7..0000000
Binary files a/spice-0.14.3.tar.bz2.sign and /dev/null differ
diff --git a/spice-0.15.2.tar.bz2 b/spice-0.15.2.tar.bz2
new file mode 100644
index 0000000..d26277b
Binary files /dev/null and b/spice-0.15.2.tar.bz2 differ
diff --git a/spice-0.15.2.tar.bz2.sig b/spice-0.15.2.tar.bz2.sig
new file mode 100644
index 0000000..294fc5c
Binary files /dev/null and b/spice-0.15.2.tar.bz2.sig differ
diff --git a/spice.spec b/spice.spec
index 209c1a9..61ea93b 100644
--- a/spice.spec
+++ b/spice.spec
@@ -1,26 +1,21 @@ Name: spice -Version: 0.14.3 -Release: 6 +Version: 0.15.2 +Release: 1 Summary: Implements the SPICE protocol Group: User Interface/Desktops License: LGPLv2+ URL: https://www.spice-space.org/ -Source0: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2 -Source1: https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign +Source0: https://www.spice-space.org/download/releases/spice-server/%{name}-%{version}.tar.bz2 +Source1: https://www.spice-space.org/download/releases/spice-server/%{name}-%{version}.tar.bz2.sig Source2: victortoso-E37A484F.keyring -Patch6000: backport-0001-CVE-2020-14355.patch -Patch6001: backport-0002-CVE-2020-14355.patch -Patch6002: backport-0003-CVE-2020-14355.patch -Patch6003: backport-0004-CVE-2020-14355.patch -Patch6004: backport-0001-CVE-2021-20201.patch -Patch6005: backport-0002-CVE-2021-20201.patch ExclusiveArch: %{ix86} x86_64 %{arm} aarch64 sw_64 loongarch64 riscv64 BuildRequires: gcc pkgconfig glib2-devel spice-protocol >= 0.14.0 opus-devel git-core gnupg2 BuildRequires: pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel BuildRequires: lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel +BuildRequires: gcc-c++ %description The SPICE package provides the SPICE server library and client. @@ -77,6 +72,9 @@ install -d %{buildroot}%{_libexecdir} %doc README %changelog +* Thu Oct 19 2023 li weigang - - 0.15.2-1 +- update to version 0.15.2 + * Mon Jun 26 2023 wangjunqiang - 0.14.3-6 - Add riscv64 to ExclusiveArch
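Review bot: The new `%changelog` entry says only `- update to version 0.15.2`, although the first spec.spec hunk also removes Patch6000 through Patch6005, the CVE-2020-14355 and CVE-2021-20201 backports. Presumably 0.15.2 already contains those fixes, but nothing visible in the commit shows that each one was checked against the new tarball; once that is confirmed the entry should record it, for example `- drop CVE-2020-14355 and CVE-2021-20201 backports, included upstream`. The same hunk renames Source1 from `.tar.bz2.sign` to `.tar.bz2.sig` while Source2 stays `victortoso-E37A484F.keyring`. Any signature check in `%prep` lies outside the hunk, so it is worth confirming that the new detached signature still validates against that keyring and that the check was not silently skipped.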