[Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6

[Peter Korsgaard <peter@korsgaard.com>]

Fixes the following security issues:

CVE-2015-3247: Race condition in the worker_update_monitors_config function
in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
of service (heap-based memory corruption and QEMU-KVM crash) or possibly
execute arbitrary code on the host via unspecified vectors.

CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to cause a denial of service (heap-based memory corruption
and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
commands related to the surface_id parameter.

CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to read and write to arbitrary memory locations on the host
via guest QXL commands related to surface creation.

Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
add Config.in.legacy handling for them.

Lz4 is a new optional dependency, so handle it.

The spice protocol definition is no longer included and instead used from
spice-protocol.  The build system uses pkg-config --variable=codegendir to
find the build time path of this, which doesn't take our STAGING_DIR prefix
into consideration, so it needs some help.  The installed protocol
definition will likewise be newer than the generated files, so we need to
workaround that to ensure they are not regenerated (which needs host python
/ pyparsing).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 Config.in.legacy         | 16 ++++++++++++++++
 package/spice/Config.in  | 35 -----------------------------------
 package/spice/spice.hash |  2 +-
 package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
 4 files changed, 36 insertions(+), 57 deletions(-)

diff --git a/Config.in.legacy b/Config.in.legacy
index dc99b7c2eb..361d331dc9 100644
--- a/Config.in.legacy
+++ b/Config.in.legacy
@@ -145,6 +145,22 @@ endif
 ###############################################################################
 comment "Legacy options removed in 2017.08"
 
+config BR2_PACKAGE_SPICE_CLIENT
+	bool "spice client support removed"
+	select BR2_LEGACY
+	help
+	  Spice client support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
+config BR2_PACKAGE_SPICE_GUI
+	bool "spice gui support removed"
+	select BR2_LEGACY
+	help
+	  Spice gui support has been removed upstream. The
+	  functionality now lives in the spice-gtk widget and
+	  virt-viewer.
+
 config BR2_PACKAGE_SPICE_TUNNEL
 	bool "spice network redirection removed"
 	select BR2_LEGACY
diff --git a/package/spice/Config.in b/package/spice/Config.in
index 220f9994da..2241b55b3d 100644
--- a/package/spice/Config.in
+++ b/package/spice/Config.in
@@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
 	  This package implements the server-part of Spice.
 
 	  http://www.spice-space.org/
-
-if BR2_PACKAGE_SPICE
-
-comment "client depends on X.org"
-	depends on !BR2_PACKAGE_XORG7
-
-config BR2_PACKAGE_SPICE_CLIENT
-	bool "Enable client"
-	depends on BR2_PACKAGE_XORG7
-	depends on BR2_TOOLCHAIN_HAS_THREADS
-	depends on BR2_INSTALL_LIBSTDCPP
-	select BR2_PACKAGE_XLIB_LIBXFIXES
-	select BR2_PACKAGE_XLIB_LIBXRANDR
-	select BR2_PACKAGE_XLIB_LIBX11
-	select BR2_PACKAGE_XLIB_LIBXEXT
-	select BR2_PACKAGE_XLIB_LIBXRENDER
-	select BR2_PACKAGE_ALSA_LIB
-
-comment "client needs a toolchain w/ threads, C++"
-	depends on BR2_PACKAGE_XORG7
-	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
-
-config BR2_PACKAGE_SPICE_GUI
-	bool "Enable GUI"
-	depends on BR2_PACKAGE_SPICE_CLIENT
-	depends on !BR2_STATIC_LIBS
-	select BR2_PACKAGE_CEGUI06
-	help
-	  Say 'y' here to enable the Graphical User Interface (GUI)
-	  start dialog.
-
-comment "gui needs a toolchain w/ dynamic library"
-	depends on BR2_STATIC_LIBS
-
-endif # BR2_PACKAGE_SPICE
diff --git a/package/spice/spice.hash b/package/spice/spice.hash
index 0a943f0332..04bd516689 100644
--- a/package/spice/spice.hash
+++ b/package/spice/spice.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
+sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
diff --git a/package/spice/spice.mk b/package/spice/spice.mk
index ba76a14d61..f1fb46d29c 100644
--- a/package/spice/spice.mk
+++ b/package/spice/spice.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-SPICE_VERSION = 0.12.5
+SPICE_VERSION = 0.12.6
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPL-2.1+
@@ -35,38 +35,36 @@ else
 SPICE_CONF_OPTS += --disable-celt051
 endif
 
+ifeq ($(BR2_PACKAGE_LZ4),y)
+SPICE_CONF_OPTS += --enable-lz4
+SPICE_DEPENDENCIES += lz4
+else
+SPICE_CONF_OPTS += --disable-lz4
+endif
+
 # no enable/disable, detected using pkg-config
 ifeq ($(BR2_PACKAGE_OPUS),y)
 SPICE_DEPENDENCIES += opus
 endif
 
-ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
-SPICE_CONF_OPTS += --enable-client
-SPICE_DEPENDENCIES += \
-	xlib_libXfixes \
-	xlib_libXrandr \
-	xlib_libX11 \
-	xlib_libXext \
-	xlib_libXrender \
-	alsa-lib
-else
-SPICE_CONF_OPTS += --disable-client
-endif
-
-ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
-SPICE_CONF_OPTS += --enable-gui
-SPICE_DEPENDENCIES += cegui06
-else
-SPICE_CONF_OPTS += --disable-gui
-endif
+# build system uses pkg-config --variable=codegendir spice-protocol which
+# returns the runtime path rather than build time, so it needs some help
+SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
+SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
+SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
 
 # spice uses a number of source files that are generated with python / pyparsing.
 # The generated files are part of the tarball, so python / pyparsing isn't needed
 # when building from the tarball, but the configure script gets confused and looks
 # for the wrong file name to know if it needs to check for python / pyparsing,
-# so convince it they aren't needed
+# so convince it they aren't needed.
+# It will also regenerate these files if the spice-protocol protocol definition
+# is newer than the generated files (which it will be when spice-protocol
+# installs it to staging), so ensure their timestamp is updated to skip this.
 define SPICE_NO_PYTHON_PYPARSING
+	mkdir -p $(@D)/client
 	touch $(@D)/client/generated_marshallers.cpp
+	touch $(@D)/spice-common/common/generated_*
 endef
 
 SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
-- 
2.11.0