app-emulation/spice: drop versions 0.12.8, 0.13.1, 0.13.2

Package-Manager: Portage-2.3.5, Repoman-2.3.2

5 files changed, 0 insertions, 301 deletions

diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch b/app-emulation/spice/files/0.12.8-upstream-fix.patch
deleted file mode 100644
index fcc1855ac772..000000000000
--- a/app-emulation/spice/files/0.12.8-upstream-fix.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681
-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
-Date:   Wed Jul 20 17:16:31 2016 +0400
-
-    Call migrate_end_complete() after falling back to switch-host
-    
-    Eventually, during a seamless migration, qemu may finish to migrate
-    before the spice client even finished to connect all channels to
-    destination and informed the server. In this case,
-    main_channel_client_migrate_src_complete() will fall back to
-    switch-host method, and reds_mig_fill_wait_disconnect() is called to
-    complete the migration (disconnecting all channels).
-    
-    reds_mig_cleanup() is called when all channels are disconnected, but
-    reds->mig_wait_connect is still TRUE, and it will call
-    migrate_connect_complete() instead of the expected
-    migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when
-    reds_mig_fill_wait_disconnect() solves the issue.
-    
-    Fixes:
-    https://bugzilla.redhat.com/show_bug.cgi?id=1352836
-    
-    Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-
-diff --git a/server/reds.c b/server/reds.c
-index 61bf735..f40b65c 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void)
-         wait_client->client = client;
-         ring_add(&reds->mig_wait_disconnect_clients, &wait_client->link);
-     }
-+    reds->mig_wait_connect = FALSE;
-     reds->mig_wait_disconnect = TRUE;
-     core->timer_start(reds->mig_timer, MIGRATE_TIMEOUT);
- }
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
deleted file mode 100644
index cd1c8ef1df67..000000000000
--- a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
-From: Matthias Maier <tamiko@43-1.org>
-Date: Tue, 14 Jun 2016 00:08:05 -0500
-Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
-
-This is a port of
-
-  0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
-
-to version 0.13.1
-
-Original commit message:
-
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
-Date: Thu, 17 Dec 2015 18:13:47 +0100
-Subject: [PATCH] smartcard: add a ref to item before adding to pipe
-
-There is an unref when the message is sent.
-
-[...]
-
-Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
----
- server/smartcard.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/server/smartcard.c b/server/smartcard.c
-index ba6f2f5..96e4295 100644
---- a/server/smartcard.c
-+++ b/server/smartcard.c
-@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
-     smartcard_unref_vsc_msg_item((MsgItem *)msg);
- }
- 
--static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
-+static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
-                                          RedClient *client,
-                                          void *opaque)
- {
-     RedCharDeviceSmartcard *dev = opaque;
--    spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
--    smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base);
- 
-+    MsgItem *msg = (MsgItem *)message;
-+    PipeItem *item = &msg->base;
-+
-+    spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
-+    smartcard_ref_vsc_msg_item(msg);
-+    smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item);
- }
- 
- static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
--- 
-2.7.3
-
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
deleted file mode 100644
index 6a1895f247f9..000000000000
--- a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 4cd23b8378e68283c7c9cf0b1e25dae11cf69c3e Mon Sep 17 00:00:00 2001
-From: Matthias Maier <tamiko@43-1.org>
-Date: Tue, 14 Jun 2016 00:15:48 -0500
-Subject: [PATCH 2/2] Port fix for CVE-2016-0749 to 0.13.1, part II
-
-This is a port of
-
-  0066-smartcard-allocate-msg-with-the-expected-size.patch
-
-to version 0.13.1
-
-Original commit message:
-
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Marc-Andre Lureau <marcandre.lureau@redhat.com>
-Date: Thu, 17 Dec 2015 18:16:22 +0100
-Subject: [PATCH] smartcard: allocate msg with the expected size
-
-[...]
-
-Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
----
- server/smartcard.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/server/smartcard.c b/server/smartcard.c
-index 96e4295..c317512 100644
---- a/server/smartcard.c
-+++ b/server/smartcard.c
-@@ -313,7 +313,7 @@ static void smartcard_char_device_notify_reader_add(RedCharDeviceSmartcard *dev)
-     RedCharDeviceWriteBuffer *write_buf;
-     VSCMsgHeader *vheader;
- 
--    write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(vheader));
-+    write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(*vheader));
-     if (!write_buf) {
-         spice_error("failed to allocate write buffer");
-         return;
-@@ -360,7 +360,7 @@ static void smartcard_char_device_notify_reader_remove(RedCharDeviceSmartcard *d
-         spice_debug("reader add was never sent to the device");
-         return;
-     }
--    write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(vheader));
-+    write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(*vheader));
-     if (!write_buf) {
-         spice_error("failed to allocate write buffer");
-         return;
--- 
-2.7.3
-
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch
deleted file mode 100644
index e814975e5f38..000000000000
--- a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From fc06265c3780e05503410a6646d1434e15d25b03 Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Mon, 29 Feb 2016 14:24:03 +0000
-Subject: [PATCH 1/2] factor out red_validate_surface function to validate
- surface parameters
-
-Make possible to reuse it outside red-parse-qxl.c.
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
----
- server/red-parse-qxl.c | 49 ++++++++++++++++++++++++++++++++-----------------
- server/red-parse-qxl.h |  3 +++
- 2 files changed, 35 insertions(+), 17 deletions(-)
-
-diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c
-index 18b7ea6..b462311 100644
---- a/server/red-parse-qxl.c
-+++ b/server/red-parse-qxl.c
-@@ -1327,13 +1327,41 @@ static unsigned int surface_format_to_bpp(uint32_t format)
-     return 0;
- }
- 
-+bool red_validate_surface(uint32_t width, uint32_t height,
-+                          int32_t stride, uint32_t format)
-+{
-+    unsigned int bpp;
-+    uint64_t size;
-+
-+    bpp = surface_format_to_bpp(format);
-+
-+    /* check if format is valid */
-+    if (!bpp) {
-+        return false;
-+    }
-+
-+    /* check stride is larger than required bytes */
-+    size = ((uint64_t) width * bpp + 7u) / 8u;
-+    /* the uint32_t conversion is here to avoid problems with -2^31 value */
-+    if (stride == G_MININT32 || size > (uint32_t) abs(stride)) {
-+        return false;
-+    }
-+
-+    /* the multiplication can overflow, also abs(-2^31) may return a negative value */
-+    size = (uint64_t) height * abs(stride);
-+    if (size > MAX_DATA_CHUNK) {
-+        return false;
-+    }
-+
-+    return true;
-+}
-+
- int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
-                         RedSurfaceCmd *red, QXLPHYSICAL addr)
- {
-     QXLSurfaceCmd *qxl;
-     uint64_t size;
-     int error;
--    unsigned int bpp;
- 
-     qxl = (QXLSurfaceCmd *)memslot_get_virt(slots, addr, sizeof(*qxl), group_id,
-                                             &error);
-@@ -1353,26 +1381,13 @@ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
-         red->u.surface_create.width  = qxl->u.surface_create.width;
-         red->u.surface_create.height = qxl->u.surface_create.height;
-         red->u.surface_create.stride = qxl->u.surface_create.stride;
--        bpp = surface_format_to_bpp(red->u.surface_create.format);
- 
--        /* check if format is valid */
--        if (!bpp) {
-+        if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height,
-+                                  red->u.surface_create.stride, red->u.surface_create.format)) {
-             return 1;
-         }
- 
--        /* check stride is larger than required bytes */
--        size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u;
--        /* the uint32_t conversion is here to avoid problems with -2^31 value */
--        if (red->u.surface_create.stride == G_MININT32
--            || size > (uint32_t) abs(red->u.surface_create.stride)) {
--            return 1;
--        }
--
--        /* the multiplication can overflow, also abs(-2^31) may return a negative value */
--        size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride);
--        if (size > MAX_DATA_CHUNK) {
--            return 1;
--        }
-+        size = red->u.surface_create.height * abs(red->u.surface_create.stride);
-         red->u.surface_create.data =
-             (uint8_t*)memslot_get_virt(slots, qxl->u.surface_create.data, size, group_id, &error);
-         if (error) {
-diff --git a/server/red-parse-qxl.h b/server/red-parse-qxl.h
-index 9c30572..72a57b4 100644
---- a/server/red-parse-qxl.h
-+++ b/server/red-parse-qxl.h
-@@ -127,6 +127,9 @@ int red_get_message(RedMemSlotInfo *slots, int group_id,
-                     RedMessage *red, QXLPHYSICAL addr);
- void red_put_message(RedMessage *red);
- 
-+bool red_validate_surface(uint32_t width, uint32_t height,
-+                          int32_t stride, uint32_t format);
-+
- int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id,
-                         RedSurfaceCmd *red, QXLPHYSICAL addr);
- void red_put_surface_cmd(RedSurfaceCmd *red);
--- 
-2.7.3
-
diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch b/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch
deleted file mode 100644
index a452969d6f1c..000000000000
--- a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From b1c167bb9e8047e93bfd43a43832963c8e830f5b Mon Sep 17 00:00:00 2001
-From: Frediano Ziglio <fziglio@redhat.com>
-Date: Wed, 2 Mar 2016 12:35:41 +0000
-Subject: [PATCH 2/2] improve primary surface parameter checks
-
-Primary surface, as additional surfaces, can be used to access
-host memory from the guest using invalid parameters.
-
-The removed warning is not enough to prevent all cases. Also a warning
-is not enough to stop an escalation to happen.
-The red_validate_surface do different checks to make sure surface
-request is valid and not cause possible buffer/integer overflows:
-- format is valid;
-- width is not large to cause overflow compared to stride;
-- stride is not -2^31 (a number which negate is still <0);
-- stride * height does not overflow.
-
-This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1312980.
-
-Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
-Acked-by: Christophe Fergeau <cfergeau@redhat.com>
----
- server/red-worker.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/server/red-worker.c b/server/red-worker.c
-index 241c300..c7fc8bd 100644
---- a/server/red-worker.c
-+++ b/server/red-worker.c
-@@ -681,8 +681,15 @@ static void dev_create_primary_surface(RedWorker *worker, uint32_t surface_id,
-     spice_debug(NULL);
-     spice_warn_if_fail(surface_id == 0);
-     spice_warn_if_fail(surface.height != 0);
--    spice_warn_if_fail(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) ==
--             abs(surface.stride) * surface.height);
-+
-+    /* surface can arrive from guest unchecked so make sure
-+     * guest is not a malicious one and drop invalid requests
-+     */
-+    if (!red_validate_surface(surface.width, surface.height,
-+                              surface.stride, surface.format)) {
-+        spice_warning("wrong primary surface creation request");
-+        return;
-+    }
- 
-     line_0 = (uint8_t*)memslot_get_virt(&worker->mem_slots, surface.mem,
-                                         surface.height * abs(surface.stride),
--- 
-2.7.3
-