diff --git a/0001-CVE-2021-3700.patch b/0001-CVE-2021-3700.patch
deleted file mode 100644
index a8141f9..0000000
--- a/0001-CVE-2021-3700.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From 03c519ff5831ba75120e00ebebbf1d5a1f7220ab Mon Sep 17 00:00:00 2001
-From: Michael Hanselmann
-Date: Sun, 8 Aug 2021 15:35:58 +0200
-Subject: [PATCH] Avoid use-after-free in serialization
-
-Serializing parsers with large amounts of buffered write data (e.g. in case of
-a slow or blocked write destination) would cause "serialize_data" to reallocate
-the state buffer whose default size is 64kB (USBREDIRPARSER_SERIALIZE_BUF_SIZE).
-The pointer to the position for the write buffer count would then point to
-a location outside the buffer where the number of write buffers would be written
-as a 32-bit value.
-
-As of QEMU 5.2.0 the serializer is invoked for migrations. Serializations for
-migrations may happen regularily such as when using the COLO feature[1].
-Serialization happens under QEMU's I/O lock. The guest can't control the state
-while the serialization is happening. The value written is the number of
-outstanding buffers which would be suceptible to timing and host system system
-load. The guest would have to continously groom the write buffers. A useful
-value needs to be allocated in the exact position freed during the buffer size
-increase, but before the buffer count is written. The author doesn't consider it
-realistic to exploit this use-after-free reliably.
-
-[1] https://wiki.qemu.org/Features/COLO
-
-Signed-off-by: Michael Hanselmann
----
- usbredirparser/usbredirparser.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
-index d1f9850..dc5f5a4 100644
---- a/usbredirparser/usbredirparser.c
-+++ b/usbredirparser/usbredirparser.c
-@@ -20,6 +20,7 @@
- */
- #include "config.h"
-
-+#include
- #include
- #include
- #include
-@@ -1580,8 +1581,9 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
- struct usbredirparser_priv *parser =
- (struct usbredirparser_priv *)parser_pub;
- struct usbredirparser_buf *wbuf;
-- uint8_t *write_buf_count_pos, *state = NULL, *pos = NULL;
-+ uint8_t *state = NULL, *pos = NULL;
- uint32_t write_buf_count = 0, len, remain = 0;
-+ ptrdiff_t write_buf_count_pos;
-
- *state_dest = NULL;
- *state_len = 0;
-@@ -1626,7 +1628,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
- parser->data, parser->data_read, "packet-data"))
- return -1;
-
-- write_buf_count_pos = pos;
-+ write_buf_count_pos = pos - state;
- /* To be replaced with write_buf_count later */
- if (serialize_int(parser, &state, &pos, &remain, 0, "write_buf_count"))
- return -1;
-@@ -1641,7 +1643,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
- wbuf = wbuf->next;
- }
- /* Patch in write_buf_count */
-- memcpy(write_buf_count_pos, &write_buf_count, sizeof(int32_t));
-+ memcpy(state + write_buf_count_pos, &write_buf_count, sizeof(int32_t));
-
- /* Patch in length */
- len = pos - state;
---
-2.23.0
diff --git a/usbredir-0.12.0.tar.xz b/usbredir-0.12.0.tar.xz
new file mode 100644
index 0000000..02f6e98
Binary files /dev/null and b/usbredir-0.12.0.tar.xz differ
diff --git a/usbredir-0.8.0.tar.bz2 b/usbredir-0.8.0.tar.bz2
deleted file mode 100644
index a61a2ca..0000000
Binary files a/usbredir-0.8.0.tar.bz2 and /dev/null differ
diff --git a/usbredir.spec b/usbredir.spec index 30f0f0f..96ab52c 100644 --- a/usbredir.spec +++ b/usbredir.spec @@ -1,18 +1,17 @@ Name: usbredir -Version: 0.8.0 -Release: 7 +Version: 0.12.0 +Release: 1 Summary: network protocol libraries for sending USB device traffic License: LGPLv2+ and GPLv2+ URL: https://www.spice-space.org/usbredir.html -Source0: http://spice-space.org/download/%{name}/%{name}-%{version}.tar.bz2 +Source0: http://spice-space.org/download/%{name}/%{name}-%{version}.tar.xz BuildRequires: libusb1-devel >= 1.0.9 gcc +BuildRequires: meson glib2-devel Provides: %{name}-server Obsoletes: %{name}-server -Patch1: 0001-CVE-2021-3700.patch - %description usbredir is the name of a network protocol for sending USB device traffic over a network connection. It is also the name of the software package offering a parsing 
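Review bot: The rewritten `Source0` line still uses `http://`, so the new 0.12.0 tarball has no transport integrity when a rebuilder fetches it, and no checksum or signature check is visible in this spec. `Source0: https://spice-space.org/download/%{name}/%{name}-%{version}.tar.xz` would match the `https` already used on the `URL` line, assuming the host serves the download path over TLS; check that before merging. This matters more here because the same hunk removes `Patch1: 0001-CVE-2021-3700.patch`: presumably 0.12.0 already contains that use-after-free fix in `usbredirparser_serialize`, but nothing in the commit says so. Confirm it against the unpacked source and record it in `%changelog`, e.g. `- update to 0.12.0 (includes the CVE-2021-3700 fix, drop 0001-CVE-2021-3700.patch)`.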
@@ -27,47 +26,53 @@ Requires: usbredir = %{version}-%{release} This contains dynamic libraries and header files for the developing of usbredir. -%package help -Summary: Including man files for usbredir -Requires: man -BuildArch: noarch +%package server +Summary: Simple USB host TCP server +License: GPLv2+ +Requires: usbredir = %{version}-%{release} -%description help -This contains man files for the using of usbredir. +%description server +A simple USB host TCP server, using libusbredirhost. %prep %autosetup -n %{name}-%{version} -p1 %build -%configure --disable-static -make %{?_smp_mflags} V=1 +%meson +%meson_build %install -%make_install +%meson_install %ldconfig_scriptlets %files -%license COPYING COPYING.LIB README README.multi-thread +%license COPYING COPYING.LIB %{_libdir}/libusbredir*.so.* %{_sbindir}/usbredirserver -%exclude %{_libdir}/libusbredir*.la %files devel -%doc ChangeLog +%doc ChangeLog.md %{_includedir}/usbredir*.h %{_libdir}/libusbredir*.so %{_libdir}/pkgconfig/libusbredir*.pc -%files help +%files server +%license COPYING +%{_bindir}/usbredirect +%{_sbindir}/usbredirserver +%{_mandir}/man1/usbredirect.1* %{_mandir}/man1/usbredirserver.1* %changelog +* Tue Nov 23 2021 yanglongkang - 0.12.0-1 +- update to 0.12.0 + * Thu Sep 23 2021 yanglongkang - 0.8.0-7 - fix CVE-2021-3700
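Review bot: `%{_sbindir}/usbredirserver` stays in the main `%files` list while the new `%files server` lists it again, so the TCP server binary is still installed with the base library package and ends up owned by two packages. If the split is meant to keep the network-facing server off hosts that only need the libraries, drop that line from the main `%files` and keep it under `%files server` only. The preamble in the first hunk also keeps `Provides: %{name}-server` and `Obsoletes: %{name}-server` on the main package, which now name the package's own new subpackage; those two lines look like they should be removed, but confirm against the distribution's upgrade path.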