From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Yann E. MORIN Date: Thu, 22 Jun 2017 22:27:02 +0200 Subject: [Buildroot] [PATCH 2/4] spice: security bump to version 0.12.6 In-Reply-To: <20170621220744.18908-3-peter@korsgaard.com> References: <20170621220744.18908-1-peter@korsgaard.com> <20170621220744.18908-3-peter@korsgaard.com> Message-ID: <20170622202702.GE3054@scaer> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: buildroot@busybox.net Peter, All, On 2017-06-22 00:07 +0200, Peter Korsgaard spake thusly: > Fixes the following security issues: > > CVE-2015-3247: Race condition in the worker_update_monitors_config function > in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial > of service (heap-based memory corruption and QEMU-KVM crash) or possibly > execute arbitrary code on the host via unspecified vectors. > > CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows > guest OS users to cause a denial of service (heap-based memory corruption > and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL > commands related to the surface_id parameter. > > CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows > guest OS users to read and write to arbitrary memory locations on the host > via guest QXL commands related to surface creation. > > Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so > add Config.in.legacy handling for them. > > Lz4 is a new optional dependency, so handle it. > > The spice protocol definition is no longer included and instead used from > spice-protocol. The build system uses pkg-config --variable=codegendir to > find the build time path of this, which doesn't take our STAGING_DIR prefix > into consideration, so it needs some help. The installed protocol > definition will likewise be newer than the generated files, so we need to > workaround that to ensure they are not regenerated (which needs host python > / pyparsing). 
> > Signed-off-by: Peter Korsgaard Reviewed-by: "Yann E. MORIN" Regards, Yann E. MORIN.
> ---
> Config.in.legacy | 16 ++++++++++++++++
> package/spice/Config.in | 35 -----------------------------------
> package/spice/spice.hash | 2 +-
> package/spice/spice.mk | 40 +++++++++++++++++++---------------------
> 4 files changed, 36 insertions(+), 57 deletions(-)
>
> diff --git a/Config.in.legacy b/Config.in.legacy
> index dc99b7c2eb..361d331dc9 100644
> --- a/Config.in.legacy
> +++ b/Config.in.legacy
> @@ -145,6 +145,22 @@ endif
> ###############################################################################
> comment "Legacy options removed in 2017.08"
>
> +config BR2_PACKAGE_SPICE_CLIENT
> + bool "spice client support removed"
> + select BR2_LEGACY
> + help
> + Spice client support has been removed upstream. The
> + functionality now lives in the spice-gtk widget and
> + virt-viewer.
> +
> +config BR2_PACKAGE_SPICE_GUI
> + bool "spice gui support removed"
> + select BR2_LEGACY
> + help
> + Spice gui support has been removed upstream. The
> + functionality now lives in the spice-gtk widget and
> + virt-viewer.
> +
> config BR2_PACKAGE_SPICE_TUNNEL
> bool "spice network redirection removed"
> select BR2_LEGACY
> diff --git a/package/spice/Config.in b/package/spice/Config.in
> index 220f9994da..2241b55b3d 100644
> --- a/package/spice/Config.in
> +++ b/package/spice/Config.in
> @@ -22,38 +22,3 @@ config BR2_PACKAGE_SPICE
> This package implements the server-part of Spice.
>
> http://www.spice-space.org/
> -
> -if BR2_PACKAGE_SPICE
> -
> -comment "client depends on X.org"
> - depends on !BR2_PACKAGE_XORG7
> -
> -config BR2_PACKAGE_SPICE_CLIENT
> - bool "Enable client"
> - depends on BR2_PACKAGE_XORG7
> - depends on BR2_TOOLCHAIN_HAS_THREADS
> - depends on BR2_INSTALL_LIBSTDCPP
> - select BR2_PACKAGE_XLIB_LIBXFIXES
> - select BR2_PACKAGE_XLIB_LIBXRANDR
> - select BR2_PACKAGE_XLIB_LIBX11
> - select BR2_PACKAGE_XLIB_LIBXEXT
> - select BR2_PACKAGE_XLIB_LIBXRENDER
> - select BR2_PACKAGE_ALSA_LIB
> -
> -comment "client needs a toolchain w/ threads, C++"
> - depends on BR2_PACKAGE_XORG7
> - depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
> -
> -config BR2_PACKAGE_SPICE_GUI
> - bool "Enable GUI"
> - depends on BR2_PACKAGE_SPICE_CLIENT
> - depends on !BR2_STATIC_LIBS
> - select BR2_PACKAGE_CEGUI06
> - help
> - Say 'y' here to enable the Graphical User Interface (GUI)
> - start dialog.
> -
> -comment "gui needs a toolchain w/ dynamic library"
> - depends on BR2_STATIC_LIBS
> -
> -endif # BR2_PACKAGE_SPICE
> diff --git a/package/spice/spice.hash b/package/spice/spice.hash
> index 0a943f0332..04bd516689 100644
> --- a/package/spice/spice.hash
> +++ b/package/spice/spice.hash
> @@ -1,2 +1,2 @@
> # Locally calculated
> -sha256 4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581 spice-0.12.5.tar.bz2
> +sha256 f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6 spice-0.12.6.tar.bz2
> diff --git a/package/spice/spice.mk b/package/spice/spice.mk
> index ba76a14d61..f1fb46d29c 100644
> --- a/package/spice/spice.mk
> +++ b/package/spice/spice.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -SPICE_VERSION = 0.12.5
> +SPICE_VERSION = 0.12.6
> SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
> SPICE_SITE = http://www.spice-space.org/download/releases
> SPICE_LICENSE = LGPL-2.1+
> @@ -35,38 +35,36 @@ else
> SPICE_CONF_OPTS += --disable-celt051
> endif
>
> +ifeq ($(BR2_PACKAGE_LZ4),y)
> +SPICE_CONF_OPTS += --enable-lz4
> +SPICE_DEPENDENCIES += lz4
> +else
> +SPICE_CONF_OPTS += --disable-lz4
> +endif
> +
> # no enable/disable, detected using pkg-config
> ifeq ($(BR2_PACKAGE_OPUS),y)
> SPICE_DEPENDENCIES += opus
> endif
>
> -ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
> -SPICE_CONF_OPTS += --enable-client
> -SPICE_DEPENDENCIES += \
> - xlib_libXfixes \
> - xlib_libXrandr \
> - xlib_libX11 \
> - xlib_libXext \
> - xlib_libXrender \
> - alsa-lib
> -else
> -SPICE_CONF_OPTS += --disable-client
> -endif
> -
> -ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
> -SPICE_CONF_OPTS += --enable-gui
> -SPICE_DEPENDENCIES += cegui06
> -else
> -SPICE_CONF_OPTS += --disable-gui
> -endif
> +# build system uses pkg-config --variable=codegendir spice-protocol which
> +# returns the runtime path rather than build time, so it needs some help
> +SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
> +SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
> +SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
>
> # spice uses a number of source files that are generated with python / pyparsing.
> # The generated files are part of the tarball, so python / pyparsing isn't needed
> # when building from the tarball, but the configure script gets confused and looks
> # for the wrong file name to know if it needs to check for python / pyparsing,
> -# so convince it they aren't needed
> +# so convince it they aren't needed.
> +# It will also regenerate these files if the spice-protocol protocol definition
> +# is newer than the generated files (which it will be when spice-protocol
> +# installs it to staging), so ensure their timestamp is updated to skip this.
> define SPICE_NO_PYTHON_PYPARSING
> + mkdir -p $(@D)/client
> touch $(@D)/client/generated_marshallers.cpp
> + touch $(@D)/spice-common/common/generated_*
> endef
>
> SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
> --
> 2.11.0
> -- .-----------------.--------------------.------------------.--------------------. | Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: | | +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ | | +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no | | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. | '------------------------------^-------^------------------^--------------------'
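Review bot: The added `touch $(@D)/spice-common/common/generated_*` in SPICE_NO_PYTHON_PYPARSING still succeeds when the directory exists but the glob matches nothing, because the shell passes the pattern through literally and touch creates a file named `generated_*`. The hook would then pass, and the build would go on to regenerate the marshallers, which the comment above says needs host python / pyparsing. A form that fails on an empty match makes a changed upstream layout visible at the pre-configure step, for example `for f in $(@D)/spice-common/common/generated_*; do test -f "$$f" && touch "$$f" || exit 1; done`. The timestamp bump also keeps the marshalling code shipped in the tarball while the protocol definition comes from the spice-protocol package in staging, so the comment could record that assumption, e.g. `# assumes the staged spice-protocol matches the definition the tarball's generated_* files were built from`.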