From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 4028860214 for ; Tue, 6 Oct 2020 16:53:48 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 2A40E27CD4 for ; Tue, 6 Oct 2020 16:53:48 +0200 (CEST) Received: from gaia.proxmox.com (212-186-127-178.static.upcbusiness.at [212.186.127.178]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7591227CCA for ; Tue, 6 Oct 2020 16:53:45 +0200 (CEST) Received: from gaia.proxmox.com (localhost.localdomain [127.0.0.1]) by gaia.proxmox.com (8.15.2/8.15.2/Debian-14~deb10u1) with ESMTP id 096Erj6N2799522; Tue, 6 Oct 2020 16:53:45 +0200 Received: (from oguz@localhost) by gaia.proxmox.com (8.15.2/8.15.2/Submit) id 096ErjGH2799521; Tue, 6 Oct 2020 16:53:45 +0200 From: Oguz Bektas To: pve-devel@lists.proxmox.com Cc: Oguz Bektas , Frediano Ziglio , "Dr . David Alan Gilbert" , Victor Toso Date: Tue, 6 Oct 2020 16:53:44 +0200 Message-Id: <20201006145344.2799477-1-o.bektas@proxmox.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -1.022 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KAM_LOTSOFHASH 0.25 Emails with lots of hash-like gibberish KAM_NUMSUBJECT 0.5 Subject ends in numbers excluding current years KHOP_HELO_FCRDNS 0.398 Relay HELO differs from its IP's reverse DNS NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [openwall.com] Subject: [pve-devel] [PATCH libspice-server] update spice to 0.14.3 and add patches for CVE-2020-14355 X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Oct 2020 14:53:48 -0000 the original email is in oss-security[0], patches are from upstream gitlab. (commits linked in the email) removed the already applied monitor patch. [0]: https://www.openwall.com/lists/oss-security/2020/10/06/10 Signed-off-by: Oguz Bektas --- Makefile | 10 ++--- changelog.Debian | 7 +++ patches/CVE-2020-14355_1.patch | 28 ++++++++++++ patches/CVE-2020-14355_2.patch | 43 +++++++++++++++++++ patches/CVE-2020-14355_3.patch | 30 +++++++++++++ patches/CVE-2020-14355_4.patch | 29 +++++++++++++ ...ke-sure-we-have-at-least-one-monitor.patch | 33 -------------- 7 files changed, 142 insertions(+), 38 deletions(-) create mode 100644 patches/CVE-2020-14355_1.patch create mode 100644 patches/CVE-2020-14355_2.patch create mode 100644 patches/CVE-2020-14355_3.patch create mode 100644 patches/CVE-2020-14355_4.patch delete mode 100644 patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch diff --git a/Makefile b/Makefile index 01bed58..6a34c84 100644 --- a/Makefile +++ b/Makefile @@ -1,9 +1,9 @@ SOURCE=spice PACKAGE=libspice-server1 -PKGVERSION=0.14.2 -DEBVERSION=0.14.2-4 -PVERELEASE=pve6+1 +PKGVERSION=0.14.3 +DEBVERSION=0.14.3-1 +PVERELEASE=pve6 VERSION := $(DEBVERSION)~$(PVERELEASE) @@ -29,7 +29,7 @@ $(DEB): $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar. tar xf $(SOURCE)_$(DEBVERSION).debian.tar.xz -C $(SOURCE)-$(PKGVERSION) cat changelog.Debian $(PKGDIR)/debian/changelog > $(PKGDIR)/debian/changelog.tmp mv $(PKGDIR)/debian/changelog.tmp $(PKGDIR)/debian/changelog - cd $(PKGDIR); for patch in ../patches/*.patch; do echo "applying patch '$$patch'" && patch -p1 < "$${patch}"; done + cd $(PKGDIR); for patch in ../patches/*.patch; do echo "applying patch '$$patch'" && patch -Np1 < "$${patch}"; done cd ${PKGDIR}; dpkg-buildpackage -b -us -uc lintian ${DEBS} @@ -38,7 +38,7 @@ $(DEB): $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar. download: $(SOURCE)_$(PKGVERSION).orig.tar.bz2 $(SOURCE)_$(DEBVERSION).debian.tar.xz $(SOURCE)_$(PKGVERSION).orig.tar.bz2: $(SOURCE)_$(DEBVERSION).debian.tar.xz $(SOURCE)_$(DEBVERSION).debian.tar.xz: - dget http://deb.debian.org/debian/pool/main/s/spice/spice_0.14.2-4.dsc + dget http://deb.debian.org/debian/pool/main/s/spice/spice_0.14.3-1.dsc .PHONY: upload upload: ${DEBS} diff --git a/changelog.Debian b/changelog.Debian index 14c019c..d1b4489 100644 --- a/changelog.Debian +++ b/changelog.Debian @@ -1,3 +1,10 @@ +spice (0.14.3-1~pve6) pve; urgency=medium + + [ Proxmox Support Team ] + * add patches for CVE-2020-14355 from oss-security + + -- Proxmox Support Team Tue, 06 Oct 2020 16:33:30 +0200 + spice (0.14.2-4~pve6+1) pve; urgency=medium [ Proxmox Support Team ] diff --git a/patches/CVE-2020-14355_1.patch b/patches/CVE-2020-14355_1.patch new file mode 100644 index 0000000..c76847c --- /dev/null +++ b/patches/CVE-2020-14355_1.patch @@ -0,0 +1,28 @@ +commit 762e0abae36033ccde658fd52d3235887b60862d +Author: Frediano Ziglio +Date: Wed Apr 29 15:09:13 2020 +0100 + + quic: Check we have some data to start decoding quic image + + All paths already pass some data to quic_decode_begin but for the + test check it, it's not that expensive test. + Checking for not 0 is enough, all other words will potentially be + read calling more_io_words but we need one to avoid a potential + initial buffer overflow or deferencing an invalid pointer. + + Signed-off-by: Frediano Ziglio + Acked-by: Uri Lublin + +diff --git a/subprojects/spice-common/quic.c b/subprojects/spice-common/quic.c +index e2dee0f..bc753ca 100644 +--- a/subprojects/spice-common/common/quic.c ++++ b/subprojects/spice-common/common/quic.c +@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w + int channels; + int bpc; + +- if (!encoder_reset(encoder, io_ptr, io_ptr_end)) { ++ if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) { + return QUIC_ERROR; + } + diff --git a/patches/CVE-2020-14355_2.patch b/patches/CVE-2020-14355_2.patch new file mode 100644 index 0000000..6926286 --- /dev/null +++ b/patches/CVE-2020-14355_2.patch @@ -0,0 +1,43 @@ +commit 404d74782c8b5e57d146c5bf3118bb41bf3378e4 +Author: Frediano Ziglio +Date: Wed Apr 29 15:10:24 2020 +0100 + + quic: Check image size in quic_decode_begin + + Avoid some overflow in code due to images too big or + negative numbers. + + Signed-off-by: Frediano Ziglio + Acked-by: Uri Lublin + +diff --git a/subprojects/spice-common/common/quic.c b/subprojects/spice-common/common/quic.c +index bc753ca..6815316 100644 +--- a/subprojects/spice-common/common/quic.c ++++ b/subprojects/spice-common/common/quic.c +@@ -56,6 +56,9 @@ typedef uint8_t BYTE; + #define MINwminext 1 + #define MAXwminext 100000000 + ++/* Maximum image size in pixels, mainly to avoid possible integer overflows */ ++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1) ++ + typedef struct QuicFamily { + unsigned int nGRcodewords[MAXNUMCODES]; /* indexed by code number, contains number of + unmodified GR codewords in the code */ +@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w + height = encoder->io_word; + decode_eat32bits(encoder); + ++ if (width <= 0 || height <= 0) { ++ encoder->usr->warn(encoder->usr, "invalid size\n"); ++ return QUIC_ERROR; ++ } ++ ++ /* avoid too big images */ ++ if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) { ++ encoder->usr->error(encoder->usr, "image too large\n"); ++ } ++ + quic_image_params(encoder, type, &channels, &bpc); + + if (!encoder_reset_channels(encoder, channels, width, bpc)) { diff --git a/patches/CVE-2020-14355_3.patch b/patches/CVE-2020-14355_3.patch new file mode 100644 index 0000000..77ea4ba --- /dev/null +++ b/patches/CVE-2020-14355_3.patch @@ -0,0 +1,30 @@ +commit ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 +Author: Frediano Ziglio +Date: Wed Apr 29 15:11:38 2020 +0100 + + quic: Check RLE lengths + + Avoid buffer overflows decoding images. On compression we compute + lengths till end of line so it won't cause regressions. + Proved by fuzzing the code. + + Signed-off-by: Frediano Ziglio + Acked-by: Uri Lublin + +diff --git a/subprojects/spice-common/common/quic_tmpl.c b/subprojects/spice-common/common/quic_tmpl.c +index ecd6f3f..ebae992 100644 +--- a/subprojects/spice-common/common/quic_tmpl.c ++++ b/subprojects/spice-common/common/quic_tmpl.c +@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row, + do_run: + state->waitcnt = stopidx - i; + run_index = i; +- run_end = i + decode_state_run(encoder, state); ++ run_end = decode_state_run(encoder, state); ++ if (run_end < 0 || run_end > (end - i)) { ++ encoder->usr->error(encoder->usr, "wrong RLE\n"); ++ } ++ run_end += i; + + for (; i < run_end; i++) { + UNCOMPRESS_PIX_START(&cur_row[i]); diff --git a/patches/CVE-2020-14355_4.patch b/patches/CVE-2020-14355_4.patch new file mode 100644 index 0000000..64b039d --- /dev/null +++ b/patches/CVE-2020-14355_4.patch @@ -0,0 +1,29 @@ +commit b24fe6b66b86e601c725d30f00c37e684b6395b6 +Author: Frediano Ziglio +Date: Thu Apr 30 10:19:09 2020 +0100 + + quic: Avoid possible buffer overflow in find_bucket + + Proved by fuzzing the code. + + Signed-off-by: Frediano Ziglio + Acked-by: Uri Lublin + +diff --git a/subprojects/spice-common/common/quic_family_tmpl.c b/subprojects/spice-common/common/quic_family_tmpl.c +index 8a5f7d2..6cc051b 100644 +--- a/subprojects/spice-common/common/quic_family_tmpl.c ++++ b/subprojects/spice-common/common/quic_family_tmpl.c +@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val) + { + spice_extra_assert(val < (0x1U << BPC)); + +- return channel->_buckets_ptrs[val]; ++ /* The and (&) here is to avoid buffer overflows in case of garbage or malicious ++ * attempts. Is much faster then using comparisons and save us from such situations. ++ * Note that on normal build the check above won't be compiled as this code path ++ * is pretty hot and would cause speed regressions. ++ */ ++ return channel->_buckets_ptrs[val & ((1U << BPC) - 1)]; + } + + #undef FNAME diff --git a/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch b/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch deleted file mode 100644 index 407e986..0000000 --- a/patches/red-qxl-make-sure-we-have-at-least-one-monitor.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 4f2d90a7849fafebc74dec608f9b4ffa9400d1a6 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio -Date: Thu, 19 Sep 2019 11:17:08 +0100 -Subject: red-qxl: Make sure we have at least one monitor - -It does not make sense to have a graphic card without a monitor. -In spice_qxl_set_max_monitors we prevent to set 0 monitors, do -the same in spice_qxl_set_device_info. - -This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1691721. - -Signed-off-by: Frediano Ziglio -Tested-by: Dr. David Alan Gilbert -Acked-by: Victor Toso ---- - server/red-qxl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/server/red-qxl.c b/server/red-qxl.c -index 0334827..dbfcd44 100644 ---- a/server/red-qxl.c -+++ b/server/red-qxl.c -@@ -804,7 +804,7 @@ void spice_qxl_set_device_info(QXLInstance *instance, - } - - instance->st->monitors_count = device_display_id_count; -- instance->st->max_monitors = device_display_id_count; -+ instance->st->max_monitors = MAX(1u, device_display_id_count); - - reds_send_device_display_info(red_qxl_get_server(instance->st)); - } --- -cgit v1.1 -- 2.20.1