update to 0.12.0

markeryang 2021-11-23 17:57:25 +08:00
parent ba82535f17
commit e63e4c8822
4 changed files with 23 additions and 90 deletions

@ -1,72 +0,0 @@
From 03c519ff5831ba75120e00ebebbf1d5a1f7220ab Mon Sep 17 00:00:00 2001
From: Michael Hanselmann <public@hansmi.ch>
Date: Sun, 8 Aug 2021 15:35:58 +0200
Subject: [PATCH] Avoid use-after-free in serialization
Serializing parsers with large amounts of buffered write data (e.g. in case of
a slow or blocked write destination) would cause "serialize_data" to reallocate
the state buffer whose default size is 64kB (USBREDIRPARSER_SERIALIZE_BUF_SIZE).
The pointer to the position for the write buffer count would then point to
a location outside the buffer where the number of write buffers would be written
as a 32-bit value.
As of QEMU 5.2.0 the serializer is invoked for migrations. Serializations for
migrations may happen regularily such as when using the COLO feature[1].
Serialization happens under QEMU's I/O lock. The guest can't control the state
while the serialization is happening. The value written is the number of
outstanding buffers which would be suceptible to timing and host system system
load. The guest would have to continously groom the write buffers. A useful
value needs to be allocated in the exact position freed during the buffer size
increase, but before the buffer count is written. The author doesn't consider it
realistic to exploit this use-after-free reliably.
[1] https://wiki.qemu.org/Features/COLO
Signed-off-by: Michael Hanselmann <public@hansmi.ch>
---
usbredirparser/usbredirparser.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/usbredirparser/usbredirparser.c b/usbredirparser/usbredirparser.c
index d1f9850..dc5f5a4 100644
--- a/usbredirparser/usbredirparser.c
+++ b/usbredirparser/usbredirparser.c
@@ -20,6 +20,7 @@
*/
#include "config.h"
+#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
@@ -1580,8 +1581,9 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
struct usbredirparser_priv *parser =
(struct usbredirparser_priv *)parser_pub;
struct usbredirparser_buf *wbuf;
- uint8_t *write_buf_count_pos, *state = NULL, *pos = NULL;
+ uint8_t *state = NULL, *pos = NULL;
uint32_t write_buf_count = 0, len, remain = 0;
+ ptrdiff_t write_buf_count_pos;
*state_dest = NULL;
*state_len = 0;
@@ -1626,7 +1628,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
parser->data, parser->data_read, "packet-data"))
return -1;
- write_buf_count_pos = pos;
+ write_buf_count_pos = pos - state;
/* To be replaced with write_buf_count later */
if (serialize_int(parser, &state, &pos, &remain, 0, "write_buf_count"))
return -1;
@@ -1641,7 +1643,7 @@ int usbredirparser_serialize(struct usbredirparser *parser_pub,
wbuf = wbuf->next;
}
/* Patch in write_buf_count */
- memcpy(write_buf_count_pos, &write_buf_count, sizeof(int32_t));
+ memcpy(state + write_buf_count_pos, &write_buf_count, sizeof(int32_t));
/* Patch in length */
len = pos - state;
--
2.23.0
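Review bot: Deleting the whole of 0001-CVE-2021-3700.patch is only safe if the 0.12.0 tarball already carries this fix, and nothing in the commit records that check. Before merging, confirm that usbredirparser_serialize() in the new source keeps write_buf_count_pos as a ptrdiff_t offset and patches the count with `memcpy(state + write_buf_count_pos, &write_buf_count, sizeof(int32_t));`. Then say so in the %changelog entry (for example "drop 0001-CVE-2021-3700.patch, included upstream") so that later maintainers and CVE tracking do not read the removal as a regression of the use-after-free fix.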

BIN
usbredir-0.12.0.tar.xz Normal file

Binary file not shown.

Binary file not shown.

@ -1,18 +1,17 @@
Name: usbredir Name: usbredir
Version: 0.8.0 Version: 0.12.0
Release: 7 Release: 1
Summary: network protocol libraries for sending USB device traffic Summary: network protocol libraries for sending USB device traffic
License: LGPLv2+ and GPLv2+ License: LGPLv2+ and GPLv2+
URL: https://www.spice-space.org/usbredir.html URL: https://www.spice-space.org/usbredir.html
Source0: http://spice-space.org/download/%{name}/%{name}-%{version}.tar.bz2 Source0: http://spice-space.org/download/%{name}/%{name}-%{version}.tar.xz
BuildRequires: libusb1-devel >= 1.0.9 gcc BuildRequires: libusb1-devel >= 1.0.9 gcc
BuildRequires: meson glib2-devel
Provides: %{name}-server Provides: %{name}-server
Obsoletes: %{name}-server Obsoletes: %{name}-server
Patch1: 0001-CVE-2021-3700.patch
%description %description
usbredir is the name of a network protocol for sending USB device traffic over usbredir is the name of a network protocol for sending USB device traffic over
a network connection. It is also the name of the software package offering a parsing a network connection. It is also the name of the software package offering a parsing
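Review bot: Source0 on the new side still points at plain `http://spice-space.org/download/%{name}/%{name}-%{version}.tar.xz`, while the URL tag one line above already uses https. The switch to the .tar.xz archive is the moment to change the scheme to https as well. The 0.12.0 tarball is committed as a binary the diff cannot show, so the expected checksum or upstream signature should be recorded somewhere reviewable and compared against the committed file. Patch1 is dropped in this hunk without a comment; a one-line note that the CVE-2021-3700 fix is part of the new upstream version would make that removal auditable.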
@ -27,47 +26,53 @@ Requires: usbredir = %{version}-%{release}
This contains dynamic libraries and header files for the developing of usbredir. This contains dynamic libraries and header files for the developing of usbredir.
%package help %package server
Summary: Including man files for usbredir Summary: Simple USB host TCP server
Requires: man License: GPLv2+
BuildArch: noarch Requires: usbredir = %{version}-%{release}
%description help %description server
This contains man files for the using of usbredir. A simple USB host TCP server, using libusbredirhost.
%prep %prep
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
%build %build
%configure --disable-static %meson
make %{?_smp_mflags} V=1 %meson_build
%install %install
%make_install %meson_install
%ldconfig_scriptlets %ldconfig_scriptlets
%files %files
%license COPYING COPYING.LIB README README.multi-thread %license COPYING COPYING.LIB
%{_libdir}/libusbredir*.so.* %{_libdir}/libusbredir*.so.*
%{_sbindir}/usbredirserver %{_sbindir}/usbredirserver
%exclude %{_libdir}/libusbredir*.la
%files devel %files devel
%doc ChangeLog %doc ChangeLog.md
%{_includedir}/usbredir*.h %{_includedir}/usbredir*.h
%{_libdir}/libusbredir*.so %{_libdir}/libusbredir*.so
%{_libdir}/pkgconfig/libusbredir*.pc %{_libdir}/pkgconfig/libusbredir*.pc
%files help %files server
%license COPYING
%{_bindir}/usbredirect
%{_sbindir}/usbredirserver
%{_mandir}/man1/usbredirect.1*
%{_mandir}/man1/usbredirserver.1* %{_mandir}/man1/usbredirserver.1*
%changelog %changelog
* Tue Nov 23 2021 yanglongkang <yanglongkang@huawei.com> - 0.12.0-1
- update to 0.12.0
* Thu Sep 23 2021 yanglongkang <yanglongkang@huawei.com> - 0.8.0-7 * Thu Sep 23 2021 yanglongkang <yanglongkang@huawei.com> - 0.8.0-7
- fix CVE-2021-3700 - fix CVE-2021-3700
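Review bot: The new `%package server` in this hunk collides with what the spec keeps elsewhere: the main package still carries unversioned `Provides: %{name}-server` and `Obsoletes: %{name}-server`, and `%{_sbindir}/usbredirserver` is listed under both `%files` and `%files server`. Remove the Provides/Obsoletes pair from the main package and keep the binary only in `%files server`, otherwise the main package obsoletes its own subpackage and two packages own the same file. The `help` subpackage is also removed without any `Obsoletes: %{name}-help` on the package that now ships the man pages, so systems with usbredir-help installed get no clean upgrade path. Finally, the changelog line "update to 0.12.0" should mention the build-system switch to meson, the new server subpackage and the dropped CVE patch.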