[Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6

[Yann E. MORIN <yann.morin.1998@free.fr>]

Peter, All,

On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
> 
> CVE-2015-3247: Race condition in the worker_update_monitors_config function
> in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
> of service (heap-based memory corruption and QEMU-KVM crash) or possibly
> execute arbitrary code on the host via unspecified vectors.
> 
> CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to cause a denial of service (heap-based memory corruption
> and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
> commands related to the surface_id parameter.
> 
> CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
> guest OS users to read and write to arbitrary memory locations on the host
> via guest QXL commands related to surface creation.
> 
> Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
> add Config.in.legacy handling for them.
> 
> Lz4 is a new optional dependency, so handle it.
> 
> The spice protocol definition is no longer included and instead used from
> spice-protocol.  The build system uses pkg-config --variable=codegendir to
> find the build time path of this, which doesn't take our STAGING_DIR prefix
> into consideration, so it needs some help.  The installed protocol
> definition will likewise be newer than the generated files, so we need to
> workaround that to ensure they are not regenerated (which needs host python
> / pyparsing).
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>

Regards,
Yann E. MORIN.

> ---
>  Config.in.legacy         | 16 ++++++++++++++++
>  package/spice/Config.in  | 35 -----------------------------------
>  package/spice/spice.hash |  2 +-
>  package/spice/spice.mk   | 40 +++++++++++++++++++---------------------
>  4 files changed, 36 insertions(+), 57 deletions(-)
> 
> diff --git a/Config.in.legacy b/Config.in.legacy
> index dc99b7c2eb..361d331dc9 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,22 @@ endif
>  ###############################################################################
>  comment "Legacy options removed in 2017.08"
>  
> +config BR2_PACKAGE_SPICE_CLIENT
> +	bool "spice client support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice client support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
> +config BR2_PACKAGE_SPICE_GUI
> +	bool "spice gui support removed"
> +	select BR2_LEGACY
> +	help
> +	  Spice gui support has been removed upstream. The
> +	  functionality now lives in the spice-gtk widget and
> +	  virt-viewer.
> +
>  config BR2_PACKAGE_SPICE_TUNNEL
>  	bool "spice network redirection removed"
>  	select BR2_LEGACY
> diff --git a/package/spice/Config.in b/package/spice/Config.in
> index 220f9994da..2241b55b3d 100644
> --- a/package/spice/Config.in
> +++ b/package/spice/Config.in
> @@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
>  	  This package implements the server-part of Spice.
>  
>  	  http://www.spice-space.org/
> -
> -if BR2_PACKAGE_SPICE
> -
> -comment "client depends on X.org"
> -	depends on !BR2_PACKAGE_XORG7
> -
> -config BR2_PACKAGE_SPICE_CLIENT
> -	bool "Enable client"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on BR2_TOOLCHAIN_HAS_THREADS
> -	depends on BR2_INSTALL_LIBSTDCPP
> -	select BR2_PACKAGE_XLIB_LIBXFIXES
> -	select BR2_PACKAGE_XLIB_LIBXRANDR
> -	select BR2_PACKAGE_XLIB_LIBX11
> -	select BR2_PACKAGE_XLIB_LIBXEXT
> -	select BR2_PACKAGE_XLIB_LIBXRENDER
> -	select BR2_PACKAGE_ALSA_LIB
> -
> -comment "client needs a toolchain w/ threads, C++"
> -	depends on BR2_PACKAGE_XORG7
> -	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
> -
> -config BR2_PACKAGE_SPICE_GUI
> -	bool "Enable GUI"
> -	depends on BR2_PACKAGE_SPICE_CLIENT
> -	depends on !BR2_STATIC_LIBS
> -	select BR2_PACKAGE_CEGUI06
> -	help
> -	  Say 'y' here to enable the Graphical User Interface (GUI)
> -	  start dialog.
> -
> -comment "gui needs a toolchain w/ dynamic library"
> -	depends on BR2_STATIC_LIBS
> -
> -endif # BR2_PACKAGE_SPICE
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index 0a943f0332..04bd516689 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
>  # Locally calculated
> -sha256	4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581	spice-0.12.5.tar.bz2
> +sha256	f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6	spice-0.12.6.tar.bz2
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index ba76a14d61..f1fb46d29c 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -SPICE_VERSION = 0.12.5
> +SPICE_VERSION = 0.12.6
>  SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
>  SPICE_SITE = http://www.spice-space.org/download/releases
>  SPICE_LICENSE = LGPL-2.1+
> @@ -35,38 +35,36 @@ else
>  SPICE_CONF_OPTS += --disable-celt051
>  endif
>  
> +ifeq ($(BR2_PACKAGE_LZ4),y)
> +SPICE_CONF_OPTS += --enable-lz4
> +SPICE_DEPENDENCIES += lz4
> +else
> +SPICE_CONF_OPTS += --disable-lz4
> +endif
> +
>  # no enable/disable, detected using pkg-config
>  ifeq ($(BR2_PACKAGE_OPUS),y)
>  SPICE_DEPENDENCIES += opus
>  endif
>  
> -ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
> -SPICE_CONF_OPTS += --enable-client
> -SPICE_DEPENDENCIES += \
> -	xlib_libXfixes \
> -	xlib_libXrandr \
> -	xlib_libX11 \
> -	xlib_libXext \
> -	xlib_libXrender \
> -	alsa-lib
> -else
> -SPICE_CONF_OPTS += --disable-client
> -endif
> -
> -ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
> -SPICE_CONF_OPTS += --enable-gui
> -SPICE_DEPENDENCIES += cegui06
> -else
> -SPICE_CONF_OPTS += --disable-gui
> -endif
> +# build system uses pkg-config --variable=codegendir spice-protocol which
> +# returns the runtime path rather than build time, so it needs some help
> +SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
> +SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> +SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
>  
>  # spice uses a number of source files that are generated with python / pyparsing.
>  # The generated files are part of the tarball, so python / pyparsing isn't needed
>  # when building from the tarball, but the configure script gets confused and looks
>  # for the wrong file name to know if it needs to check for python / pyparsing,
> -# so convince it they aren't needed
> +# so convince it they aren't needed.
> +# It will also regenerate these files if the spice-protocol protocol definition
> +# is newer than the generated files (which it will be when spice-protocol
> +# installs it to staging), so ensure their timestamp is updated to skip this.
>  define SPICE_NO_PYTHON_PYPARSING
> +	mkdir -p $(@D)/client
>  	touch $(@D)/client/generated_marshallers.cpp
> +	touch $(@D)/spice-common/common/generated_*
>  endef
>  
>  SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
> -- 
> 2.11.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 223 225 172 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'