diff options
author | Matthias Maier <tamiko@gentoo.org> | 2017-05-10 23:36:38 -0500 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2017-05-10 23:37:33 -0500 |
commit | 24492876545e0acf680e214f8547a2e739f89a9e (patch) | |
tree | 79318147d89d447f79ce89b38df31c82d668b6fa /app-emulation/spice/files | |
parent | www-apache/passenger: add 5.1.4 (diff) | |
download | gentoo-24492876545e0acf680e214f8547a2e739f89a9e.tar.gz gentoo-24492876545e0acf680e214f8547a2e739f89a9e.tar.bz2 gentoo-24492876545e0acf680e214f8547a2e739f89a9e.zip |
app-emulation/spice: drop versions 0.12.8, 0.13.1, 0.13.2
Package-Manager: Portage-2.3.5, Repoman-2.3.2
Diffstat (limited to 'app-emulation/spice/files')
5 files changed, 0 insertions, 301 deletions
diff --git a/app-emulation/spice/files/0.12.8-upstream-fix.patch b/app-emulation/spice/files/0.12.8-upstream-fix.patch deleted file mode 100644 index fcc1855ac772..000000000000 --- a/app-emulation/spice/files/0.12.8-upstream-fix.patch +++ /dev/null @@ -1,36 +0,0 @@ -commit 1d597f4b1a6bbeaf3dda998413a1e3cef2e40681 -Author: Marc-André Lureau <marcandre.lureau@redhat.com> -Date: Wed Jul 20 17:16:31 2016 +0400 - - Call migrate_end_complete() after falling back to switch-host - - Eventually, during a seamless migration, qemu may finish to migrate - before the spice client even finished to connect all channels to - destination and informed the server. In this case, - main_channel_client_migrate_src_complete() will fall back to - switch-host method, and reds_mig_fill_wait_disconnect() is called to - complete the migration (disconnecting all channels). - - reds_mig_cleanup() is called when all channels are disconnected, but - reds->mig_wait_connect is still TRUE, and it will call - migrate_connect_complete() instead of the expected - migrate_end_complete(). Setting reds->mig_wait_connect to FALSE when - reds_mig_fill_wait_disconnect() solves the issue. - - Fixes: - https://bugzilla.redhat.com/show_bug.cgi?id=1352836 - - Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> - -diff --git a/server/reds.c b/server/reds.c -index 61bf735..f40b65c 100644 ---- a/server/reds.c -+++ b/server/reds.c -@@ -2816,6 +2816,7 @@ static void reds_mig_fill_wait_disconnect(void) - wait_client->client = client; - ring_add(&reds->mig_wait_disconnect_clients, &wait_client->link); - } -+ reds->mig_wait_connect = FALSE; - reds->mig_wait_disconnect = TRUE; - core->timer_start(reds->mig_timer, MIGRATE_TIMEOUT); - } diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch deleted file mode 100644 index cd1c8ef1df67..000000000000 --- a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p1.patch +++ /dev/null @@ -1,56 +0,0 @@ -From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001 -From: Matthias Maier <tamiko@43-1.org> -Date: Tue, 14 Jun 2016 00:08:05 -0500 -Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I - -This is a port of - - 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch - -to version 0.13.1 - -Original commit message: - -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Marc-Andre Lureau <marcandre.lureau@redhat.com> -Date: Thu, 17 Dec 2015 18:13:47 +0100 -Subject: [PATCH] smartcard: add a ref to item before adding to pipe - -There is an unref when the message is sent. - -[...] - -Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com> ---- - server/smartcard.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/server/smartcard.c b/server/smartcard.c -index ba6f2f5..96e4295 100644 ---- a/server/smartcard.c -+++ b/server/smartcard.c -@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg, - smartcard_unref_vsc_msg_item((MsgItem *)msg); - } - --static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg, -+static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message, - RedClient *client, - void *opaque) - { - RedCharDeviceSmartcard *dev = opaque; -- spice_assert(dev->priv->scc && dev->priv->scc->base.client == client); -- smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base); - -+ MsgItem *msg = (MsgItem *)message; -+ PipeItem *item = &msg->base; -+ -+ spice_assert(dev->priv->scc && dev->priv->scc->base.client == client); -+ smartcard_ref_vsc_msg_item(msg); -+ smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item); - } - - static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque) --- -2.7.3 - diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch b/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch deleted file mode 100644 index 6a1895f247f9..000000000000 --- a/app-emulation/spice/files/0.13.1-CVE-2016-0749-p2.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 4cd23b8378e68283c7c9cf0b1e25dae11cf69c3e Mon Sep 17 00:00:00 2001 -From: Matthias Maier <tamiko@43-1.org> -Date: Tue, 14 Jun 2016 00:15:48 -0500 -Subject: [PATCH 2/2] Port fix for CVE-2016-0749 to 0.13.1, part II - -This is a port of - - 0066-smartcard-allocate-msg-with-the-expected-size.patch - -to version 0.13.1 - -Original commit message: - -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Marc-Andre Lureau <marcandre.lureau@redhat.com> -Date: Thu, 17 Dec 2015 18:16:22 +0100 -Subject: [PATCH] smartcard: allocate msg with the expected size - -[...] - -Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com> ---- - server/smartcard.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/server/smartcard.c b/server/smartcard.c -index 96e4295..c317512 100644 ---- a/server/smartcard.c -+++ b/server/smartcard.c -@@ -313,7 +313,7 @@ static void smartcard_char_device_notify_reader_add(RedCharDeviceSmartcard *dev) - RedCharDeviceWriteBuffer *write_buf; - VSCMsgHeader *vheader; - -- write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(vheader)); -+ write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(*vheader)); - if (!write_buf) { - spice_error("failed to allocate write buffer"); - return; -@@ -360,7 +360,7 @@ static void smartcard_char_device_notify_reader_remove(RedCharDeviceSmartcard *d - spice_debug("reader add was never sent to the device"); - return; - } -- write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(vheader)); -+ write_buf = red_char_device_write_buffer_get(RED_CHAR_DEVICE(dev), NULL, sizeof(*vheader)); - if (!write_buf) { - spice_error("failed to allocate write buffer"); - return; --- -2.7.3 - diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch b/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch deleted file mode 100644 index e814975e5f38..000000000000 --- a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p1.patch +++ /dev/null @@ -1,109 +0,0 @@ -From fc06265c3780e05503410a6646d1434e15d25b03 Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Mon, 29 Feb 2016 14:24:03 +0000 -Subject: [PATCH 1/2] factor out red_validate_surface function to validate - surface parameters - -Make possible to reuse it outside red-parse-qxl.c. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> -Acked-by: Christophe Fergeau <cfergeau@redhat.com> ---- - server/red-parse-qxl.c | 49 ++++++++++++++++++++++++++++++++----------------- - server/red-parse-qxl.h | 3 +++ - 2 files changed, 35 insertions(+), 17 deletions(-) - -diff --git a/server/red-parse-qxl.c b/server/red-parse-qxl.c -index 18b7ea6..b462311 100644 ---- a/server/red-parse-qxl.c -+++ b/server/red-parse-qxl.c -@@ -1327,13 +1327,41 @@ static unsigned int surface_format_to_bpp(uint32_t format) - return 0; - } - -+bool red_validate_surface(uint32_t width, uint32_t height, -+ int32_t stride, uint32_t format) -+{ -+ unsigned int bpp; -+ uint64_t size; -+ -+ bpp = surface_format_to_bpp(format); -+ -+ /* check if format is valid */ -+ if (!bpp) { -+ return false; -+ } -+ -+ /* check stride is larger than required bytes */ -+ size = ((uint64_t) width * bpp + 7u) / 8u; -+ /* the uint32_t conversion is here to avoid problems with -2^31 value */ -+ if (stride == G_MININT32 || size > (uint32_t) abs(stride)) { -+ return false; -+ } -+ -+ /* the multiplication can overflow, also abs(-2^31) may return a negative value */ -+ size = (uint64_t) height * abs(stride); -+ if (size > MAX_DATA_CHUNK) { -+ return false; -+ } -+ -+ return true; -+} -+ - int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, - RedSurfaceCmd *red, QXLPHYSICAL addr) - { - QXLSurfaceCmd *qxl; - uint64_t size; - int error; -- unsigned int bpp; - - qxl = (QXLSurfaceCmd *)memslot_get_virt(slots, addr, sizeof(*qxl), group_id, - &error); -@@ -1353,26 +1381,13 @@ int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, - red->u.surface_create.width = qxl->u.surface_create.width; - red->u.surface_create.height = qxl->u.surface_create.height; - red->u.surface_create.stride = qxl->u.surface_create.stride; -- bpp = surface_format_to_bpp(red->u.surface_create.format); - -- /* check if format is valid */ -- if (!bpp) { -+ if (!red_validate_surface(red->u.surface_create.width, red->u.surface_create.height, -+ red->u.surface_create.stride, red->u.surface_create.format)) { - return 1; - } - -- /* check stride is larger than required bytes */ -- size = ((uint64_t) red->u.surface_create.width * bpp + 7u) / 8u; -- /* the uint32_t conversion is here to avoid problems with -2^31 value */ -- if (red->u.surface_create.stride == G_MININT32 -- || size > (uint32_t) abs(red->u.surface_create.stride)) { -- return 1; -- } -- -- /* the multiplication can overflow, also abs(-2^31) may return a negative value */ -- size = (uint64_t) red->u.surface_create.height * abs(red->u.surface_create.stride); -- if (size > MAX_DATA_CHUNK) { -- return 1; -- } -+ size = red->u.surface_create.height * abs(red->u.surface_create.stride); - red->u.surface_create.data = - (uint8_t*)memslot_get_virt(slots, qxl->u.surface_create.data, size, group_id, &error); - if (error) { -diff --git a/server/red-parse-qxl.h b/server/red-parse-qxl.h -index 9c30572..72a57b4 100644 ---- a/server/red-parse-qxl.h -+++ b/server/red-parse-qxl.h -@@ -127,6 +127,9 @@ int red_get_message(RedMemSlotInfo *slots, int group_id, - RedMessage *red, QXLPHYSICAL addr); - void red_put_message(RedMessage *red); - -+bool red_validate_surface(uint32_t width, uint32_t height, -+ int32_t stride, uint32_t format); -+ - int red_get_surface_cmd(RedMemSlotInfo *slots, int group_id, - RedSurfaceCmd *red, QXLPHYSICAL addr); - void red_put_surface_cmd(RedSurfaceCmd *red); --- -2.7.3 - diff --git a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch b/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch deleted file mode 100644 index a452969d6f1c..000000000000 --- a/app-emulation/spice/files/0.13.1-CVE-2016-2150-p2.patch +++ /dev/null @@ -1,50 +0,0 @@ -From b1c167bb9e8047e93bfd43a43832963c8e830f5b Mon Sep 17 00:00:00 2001 -From: Frediano Ziglio <fziglio@redhat.com> -Date: Wed, 2 Mar 2016 12:35:41 +0000 -Subject: [PATCH 2/2] improve primary surface parameter checks - -Primary surface, as additional surfaces, can be used to access -host memory from the guest using invalid parameters. - -The removed warning is not enough to prevent all cases. Also a warning -is not enough to stop an escalation to happen. -The red_validate_surface do different checks to make sure surface -request is valid and not cause possible buffer/integer overflows: -- format is valid; -- width is not large to cause overflow compared to stride; -- stride is not -2^31 (a number which negate is still <0); -- stride * height does not overflow. - -This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1312980. - -Signed-off-by: Frediano Ziglio <fziglio@redhat.com> -Acked-by: Christophe Fergeau <cfergeau@redhat.com> ---- - server/red-worker.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/server/red-worker.c b/server/red-worker.c -index 241c300..c7fc8bd 100644 ---- a/server/red-worker.c -+++ b/server/red-worker.c -@@ -681,8 +681,15 @@ static void dev_create_primary_surface(RedWorker *worker, uint32_t surface_id, - spice_debug(NULL); - spice_warn_if_fail(surface_id == 0); - spice_warn_if_fail(surface.height != 0); -- spice_warn_if_fail(((uint64_t)abs(surface.stride) * (uint64_t)surface.height) == -- abs(surface.stride) * surface.height); -+ -+ /* surface can arrive from guest unchecked so make sure -+ * guest is not a malicious one and drop invalid requests -+ */ -+ if (!red_validate_surface(surface.width, surface.height, -+ surface.stride, surface.format)) { -+ spice_warning("wrong primary surface creation request"); -+ return; -+ } - - line_0 = (uint8_t*)memslot_get_virt(&worker->mem_slots, surface.mem, - surface.height * abs(surface.stride), --- -2.7.3 - |