update to version 0.15.2

backport-0001-CVE-2020-14355.patch

@@ -1,32 +0,0 @@
-From 762e0abae36033ccde658fd52d3235887b60862d Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <freddy77@gmail.com>
-Date: Wed, 29 Apr 2020 15:09:13 +0100
-Subject: [PATCH] quic: Check we have some data to start decoding quic image
-
-All paths already pass some data to quic_decode_begin but for the
-test check it, it's not that expensive test.
-Checking for not 0 is enough, all other words will potentially be
-read calling more_io_words but we need one to avoid a potential
-initial buffer overflow or deferencing an invalid pointer.
-
-Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-Acked-by: Uri Lublin <uril@redhat.com>
----
- subprojects/spice-common/common//quic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
-index e2dee0fd6874..bc753ca5064a 100644
---- a/subprojects/spice-common/common//quic.c
-+++ b/subprojects/spice-common/common//quic.c
-@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
-     int channels;
-     int bpc;
- 
--    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
-+    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
-         return QUIC_ERROR;
-     }
- 
--- 
-GitLab

backport-0001-CVE-2021-20201.patch

@@ -1,38 +0,0 @@
-From 95a0cfac8a1c8eff50f05e65df945da3bb501fc9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
-Date: Thu, 3 Dec 2020 09:33:48 +0100
-Subject: [PATCH] With OpenSSL 1.0.2 and earlier: disable client-side
- renegotiation.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixed issue #49
-Fixes BZ#1904459
-
-Signed-off-by: Julien Rop茅 <jrope@redhat.com>
-Reported-by: BlackKD
-Acked-by: Frediano Ziglio <fziglio@redhat.com>
----
- server/red-stream.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/server/red-stream.c b/server/red-stream.c
-index 2c13aa2..c6f5ff7 100644
---- a/server/red-stream.c
-+++ b/server/red-stream.c
-@@ -523,6 +523,11 @@ RedStreamSslStatus red_stream_ssl_accept(RedStream *stream)
-         return RED_STREAM_SSL_STATUS_OK;
-     }
- 
-+#ifndef SSL_OP_NO_RENEGOTIATION
-+    // With OpenSSL 1.0.2 and earlier: disable client-side renogotiation
-+    stream->priv->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
-+#endif
-+
-     ssl_error = SSL_get_error(stream->priv->ssl, return_code);
-     if (return_code == -1 && (ssl_error == SSL_ERROR_WANT_READ ||
-                               ssl_error == SSL_ERROR_WANT_WRITE)) {
--- 
-2.23.0
-

backport-0002-CVE-2020-14355.patch

@@ -1,47 +0,0 @@
-From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <freddy77@gmail.com>
-Date: Wed, 29 Apr 2020 15:10:24 +0100
-Subject: [PATCH] quic: Check image size in quic_decode_begin
-
-Avoid some overflow in code due to images too big or
-negative numbers.
-
-Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-Acked-by: Uri Lublin <uril@redhat.com>
----
- subprojects/spice-common/common//quic.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/subprojects/spice-common/common//quic.c b/subprojects/spice-common/common//quic.c
-index bc753ca5064a..681531677fbd 100644
---- a/subprojects/spice-common/common//quic.c
-+++ b/subprojects/spice-common/common//quic.c
-@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
- #define MINwminext 1
- #define MAXwminext 100000000
- 
-+/* Maximum image size in pixels, mainly to avoid possible integer overflows */
-+#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
-+
- typedef struct QuicFamily {
-     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
-                                                     unmodified GR codewords in the code */
-@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
-     height = encoder->io_word;
-     decode_eat32bits(encoder);
- 
-+    if (width <= 0 || height <= 0) {
-+        encoder->usr->warn(encoder->usr, "invalid size\n");
-+        return QUIC_ERROR;
-+    }
-+
-+    /* avoid too big images */
-+    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
-+        encoder->usr->error(encoder->usr, "image too large\n");
-+    }
-+
-     quic_image_params(encoder, type, &channels, &bpc);
- 
-     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
--- 
-GitLab

backport-0002-CVE-2021-20201.patch

@@ -1,36 +0,0 @@
-From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
-Date: Wed, 2 Dec 2020 13:39:27 +0100
-Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes issue #49
-Fixes BZ#1904459
-
-Signed-off-by: Julien Rop茅 <jrope@redhat.com>
-Reported-by: BlackKD
-Acked-by: Frediano Ziglio <fziglio@redhat.com>
----
- server/reds.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/server/reds.c b/server/reds.c
-index ee8cf38..810b7e9 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2862,6 +2862,10 @@ static int reds_init_ssl(RedsState *reds)
-      * When some other SSL/TLS version becomes obsolete, add it to this
-      * variable. */
-     long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
-+#ifdef SSL_OP_NO_RENEGOTIATION
-+    // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
-+    ssl_options |= SSL_OP_NO_RENEGOTIATION;
-+#endif
- 
-     /* Global system initialization*/
-     openssl_global_init();
--- 
-2.23.0
-

backport-0003-CVE-2020-14355.patch

@@ -1,34 +0,0 @@
-From ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <freddy77@gmail.com>
-Date: Wed, 29 Apr 2020 15:11:38 +0100
-Subject: [PATCH] quic: Check RLE lengths
-
-Avoid buffer overflows decoding images. On compression we compute
-lengths till end of line so it won't cause regressions.
-Proved by fuzzing the code.
-
-Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-Acked-by: Uri Lublin <uril@redhat.com>
----
- subprojects/spice-common/common//quic_tmpl.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/subprojects/spice-common/common//quic_tmpl.c b/subprojects/spice-common/common//quic_tmpl.c
-index ecd6f3f187c7..ebae992d642a 100644
---- a/subprojects/spice-common/common//quic_tmpl.c
-+++ b/subprojects/spice-common/common//quic_tmpl.c
-@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
- do_run:
-         state->waitcnt = stopidx - i;
-         run_index = i;
--        run_end = i + decode_state_run(encoder, state);
-+        run_end = decode_state_run(encoder, state);
-+        if (run_end < 0 || run_end > (end - i)) {
-+            encoder->usr->error(encoder->usr, "wrong RLE\n");
-+        }
-+        run_end += i;
- 
-         for (; i < run_end; i++) {
-             UNCOMPRESS_PIX_START(&cur_row[i]);
--- 
-GitLab

backport-0004-CVE-2020-14355.patch

@@ -1,31 +0,0 @@
-From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <freddy77@gmail.com>
-Date: Thu, 30 Apr 2020 10:19:09 +0100
-Subject: [PATCH] quic: Avoid possible buffer overflow in find_bucket
-
-Proved by fuzzing the code.
-
-Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
-Acked-by: Uri Lublin <uril@redhat.com>
----
- subprojects/spice-common/common//quic_family_tmpl.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/subprojects/spice-common/common/quic_family_tmpl.c
-+++ b/subprojects/spice-common/common/quic_family_tmpl.c
-@@ -105,7 +105,12 @@ static s_bucket *FNAME(find_bucket)(Chan
-         spice_assert(val < (0x1U << BPC));
-     }
- 
--    return channel->_buckets_ptrs[val];
-+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
-+     * attempts. Is much faster then using comparisons and save us from such situations.
-+     * Note that on normal build the check above won't be compiled as this code path
-+     * is pretty hot and would cause speed regressions.
-+     */
-+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
- }
- 
- #undef FNAME
--- 
-GitLab

spice.spec

@@ -1,26 +1,21 @@
 Name:           spice
-Version:        0.14.3
+Version:        0.15.2
-Release:        6
+Release:        1
 Summary:        Implements the SPICE protocol
 Group:          User Interface/Desktops
 License:        LGPLv2+
 URL:            https://www.spice-space.org/
-Source0:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2
+Source0:        https://www.spice-space.org/download/releases/spice-server/%{name}-%{version}.tar.bz2
-Source1:        https://www.spice-space.org/download/releases/%{name}-%{version}.tar.bz2.sign
+Source1:        https://www.spice-space.org/download/releases/spice-server/%{name}-%{version}.tar.bz2.sig
 Source2:        victortoso-E37A484F.keyring
 
-Patch6000:      backport-0001-CVE-2020-14355.patch
-Patch6001:      backport-0002-CVE-2020-14355.patch
-Patch6002:      backport-0003-CVE-2020-14355.patch
-Patch6003:      backport-0004-CVE-2020-14355.patch
-Patch6004:      backport-0001-CVE-2021-20201.patch
-Patch6005:      backport-0002-CVE-2021-20201.patch
 
 ExclusiveArch:  %{ix86} x86_64 %{arm} aarch64 sw_64 loongarch64 riscv64
 
 BuildRequires:  gcc pkgconfig glib2-devel spice-protocol >= 0.14.0 opus-devel git-core gnupg2
 BuildRequires:  pixman-devel openssl-devel libjpeg-devel libcacard-devel cyrus-sasl-devel
 BuildRequires:  lz4-devel gstreamer1-devel gstreamer1-plugins-base-devel orc-devel 
+BuildRequires:  gcc-c++
 
 %description
 The SPICE package provides the SPICE server library and client.
@@ -77,6 +72,9 @@ install -d  %{buildroot}%{_libexecdir}
 %doc README
 
 %changelog
+* Thu Oct 19 2023 li weigang - <weigangli99@gmail.com> - 0.15.2-1
+- update to version 0.15.2
+
 * Mon Jun 26 2023 wangjunqiang <wangjunqiang@iscas.ac.cn> - 0.14.3-6
 - Add riscv64 to ExclusiveArch