Update buildroot 17.02.3 -> 17.02.4

2018-01-04 15:25:02 +01:00
parent d83c6ae740
commit 2c7985bce0
103 changed files with 2303 additions and 252 deletions
--- a/bsp/buildroot/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
+++ b/bsp/buildroot/package/spice/0001-Prevent-possible-DoS-attempts-during-protocol-handsh.patch
@@ -0,0 +1,60 @@
+From 1c6517973095a67c8cb57f3550fc1298404ab556 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:39:48 +0000
+Subject: [PATCH] Prevent possible DoS attempts during protocol handshake
+
+The limit for link message is specified using a 32 bit unsigned integer.
+This could cause possible DoS due to excessive memory allocations and
+some possible crashes.
+For instance a value >= 2^31 causes a spice_assert to be triggered in
+async_read_handler (reds-stream.c) due to an integer overflow at this
+line:
+
+   int n = async->end - async->now;
+
+This could be easily triggered with a program like
+
+  #!/usr/bin/env python
+
+  import socket
+  import time
+  from struct import pack
+
+  server = '127.0.0.1'
+  port = 5900
+
+  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  s.connect((server, port))
+  data = pack('<4sIII', 'REDQ', 2, 2, 0xaaaaaaaa)
+  s.send(data)
+
+  time.sleep(1)
+
+without requiring any authentication (the same can be done
+with TLS).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/reds.c b/server/reds.c
+index f40b65c1..86a33d53 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -2202,7 +2202,8 @@ static void reds_handle_read_header_done(void *opaque)
+ 
+     reds->peer_minor_version = header->minor_version;
+ 
+-    if (header->size < sizeof(SpiceLinkMess)) {
+    /* the check for 4096 is to avoid clients to cause arbitrary big memory allocations */
+    if (header->size < sizeof(SpiceLinkMess) || header->size > 4096) {
+         reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+         spice_warning("bad size %u", header->size);
+         reds_link_free(link);
+-- 
+2.11.0
+
--- a/bsp/buildroot/package/spice/0001-fix-missing-monitor_latency-argument.patch
+++ b/bsp/buildroot/package/spice/0001-fix-missing-monitor_latency-argument.patch
@@ -1,28 +0,0 @@
-From 0d3767853ca179ce04a9b312d7a30d33d1266a3b Mon Sep 17 00:00:00 2001
-From: Axel Lin <axel.lin@ingics.com>
-Date: Thu, 10 Oct 2013 12:36:40 +0800
-Subject: [PATCH] red_tunnel_worker: Fix build error due to missing monitor_latency argument
-
-Fix missing monitor_latency argument in red_channel_client_create call.
-
-Signed-off-by: Axel Lin <axel.lin@ingics.com>
---
- server/red_tunnel_worker.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/server/red_tunnel_worker.c b/server/red_tunnel_worker.c
-index 97dcafd..6781d73 100644
--- a/server/red_tunnel_worker.c
-+++ b/server/red_tunnel_worker.c
-@@ -3417,7 +3417,7 @@ static void handle_tunnel_channel_link(RedChannel *channel, RedClient *client,
-     }
- 
-     tcc = (TunnelChannelClient*)red_channel_client_create(sizeof(TunnelChannelClient),
-                                                          channel, client, stream,
-+                                                          channel, client, stream, FALSE,
-                                                           0, NULL, 0, NULL);
-     if (!tcc) {
-         return;
-- 
-1.8.1.2
-
--- a/bsp/buildroot/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
+++ b/bsp/buildroot/package/spice/0002-Prevent-integer-overflows-in-capability-checks.patch
@@ -0,0 +1,43 @@
+From f66dc643635518e53dfbe5262f814a64eec54e4a Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 13 Dec 2016 14:40:10 +0000
+Subject: [PATCH] Prevent integer overflows in capability checks
+
+The limits for capabilities are specified using 32 bit unsigned integers.
+This could cause possible integer overflows causing buffer overflows.
+For instance the sum of num_common_caps and num_caps can be 0 avoiding
+additional checks.
+As the link message is now capped to 4096 and the capabilities are
+contained in the link message limit the capabilities to 1024
+(capabilities are expressed in number of uint32_t items).
+
+[Peter: fixes CVE-2016-9578]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/reds.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index 86a33d53..91504544 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -2110,6 +2110,14 @@ static void reds_handle_read_link_done(void *opaque)
+     link_mess->num_channel_caps = GUINT32_FROM_LE(link_mess->num_channel_caps);
+     link_mess->num_common_caps = GUINT32_FROM_LE(link_mess->num_common_caps);
+ 
+    /* Prevent DoS. Currently we defined only 13 capabilities,
+     * I expect 1024 to be valid for quite a lot time */
+    if (link_mess->num_channel_caps > 1024 || link_mess->num_common_caps > 1024) {
+        reds_send_link_error(link, SPICE_LINK_ERR_INVALID_DATA);
+        reds_link_free(link);
+        return;
+    }
+
+     num_caps = link_mess->num_common_caps + link_mess->num_channel_caps;
+     caps = (uint32_t *)((uint8_t *)link_mess + link_mess->caps_offset);
+ 
+-- 
+2.11.0
+
--- a/bsp/buildroot/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
+++ b/bsp/buildroot/package/spice/0003-main-channel-Prevent-overflow-reading-messages-from-.patch
@@ -0,0 +1,33 @@
+From 5f96b596353d73bdf4bb3cd2de61e48a7fd5b4c3 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <fziglio@redhat.com>
+Date: Tue, 29 Nov 2016 16:46:56 +0000
+Subject: [PATCH] main-channel: Prevent overflow reading messages from client
+
+Caller is supposed the function return a buffer able to store
+size bytes.
+
+[Peter: fixes CVE-2016-9577]
+Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
+Acked-by: Christophe Fergeau <cfergeau@redhat.com>
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ server/main_channel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/server/main_channel.c b/server/main_channel.c
+index 0ecc9df8..1fc39155 100644
+--- a/server/main_channel.c
+++ b/server/main_channel.c
+@@ -1026,6 +1026,9 @@ static uint8_t *main_channel_alloc_msg_rcv_buf(RedChannelClient *rcc,
+ 
+     if (type == SPICE_MSGC_MAIN_AGENT_DATA) {
+         return reds_get_agent_data_buffer(mcc, size);
+    } else if (size > sizeof(main_chan->recv_buf)) {
+        /* message too large, caller will log a message and close the connection */
+        return NULL;
+     } else {
+         return main_chan->recv_buf;
+     }
+-- 
+2.11.0
+
--- a/bsp/buildroot/package/spice/Config.in
+++ b/bsp/buildroot/package/spice/Config.in
@@ -2,23 +2,15 @@ comment "spice server needs a toolchain w/ wchar, threads"
 	depends on BR2_i386 || BR2_x86_64
 	depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS

-comment "spice server depends on python (for pyparsing)"
-	depends on BR2_i386 || BR2_x86_64
-	depends on !BR2_PACKAGE_PYTHON
-
 config BR2_PACKAGE_SPICE
 	bool "spice server"
 	depends on BR2_i386 || BR2_x86_64
-	depends on BR2_PACKAGE_PYTHON
 	depends on BR2_USE_WCHAR # libglib2
 	depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
-	select BR2_PACKAGE_ALSA_LIB
-	select BR2_PACKAGE_CELT051
 	select BR2_PACKAGE_JPEG
 	select BR2_PACKAGE_LIBGLIB2
 	select BR2_PACKAGE_OPENSSL
 	select BR2_PACKAGE_PIXMAN
-	select BR2_PACKAGE_PYTHON_PYPARSING
 	select BR2_PACKAGE_SPICE_PROTOCOL
 	help
 	  The Spice project aims to provide a complete open source
@@ -30,41 +22,3 @@ config BR2_PACKAGE_SPICE
 	  This package implements the server-part of Spice.

 	  http://www.spice-space.org/
-
-if BR2_PACKAGE_SPICE
-
-comment "client depends on X.org"
-	depends on !BR2_PACKAGE_XORG7
-
-config BR2_PACKAGE_SPICE_CLIENT
-	bool "Enable client"
-	depends on BR2_PACKAGE_XORG7
-	depends on BR2_TOOLCHAIN_HAS_THREADS
-	depends on BR2_INSTALL_LIBSTDCPP
-	select BR2_PACKAGE_XLIB_LIBXFIXES
-	select BR2_PACKAGE_XLIB_LIBXRANDR
-
-comment "client needs a toolchain w/ threads, C++"
-	depends on BR2_PACKAGE_XORG7
-	depends on !BR2_TOOLCHAIN_HAS_THREADS || !BR2_INSTALL_LIBSTDCPP
-
-config BR2_PACKAGE_SPICE_GUI
-	bool "Enable GUI"
-	depends on BR2_PACKAGE_SPICE_CLIENT
-	depends on !BR2_STATIC_LIBS
-	select BR2_PACKAGE_CEGUI06
-	help
-	  Say 'y' here to enable the Graphical User Interface (GUI)
-	  start dialog.
-
-comment "gui needs a toolchain w/ dynamic library"
-	depends on BR2_STATIC_LIBS
-
-config BR2_PACKAGE_SPICE_TUNNEL
-	bool "Enable network redirection"
-	select BR2_PACKAGE_SLIRP
-	help
-	  Say 'y' here to enable network redirection, aka tunnelling
-	  through a SLIP/SLIRP session.
-
-endif # BR2_PACKAGE_SPICE
--- a/bsp/buildroot/package/spice/spice.hash
+++ b/bsp/buildroot/package/spice/spice.hash
@@ -1,2 +1,2 @@
 # Locally calculated
-sha256	cf063e7df42e331a835529d2f613d8a01f8cb2963e8edaadf73a8d65c46fb387	spice-0.12.4.tar.bz2
+sha256	f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d	spice-0.12.8.tar.bz2
--- a/bsp/buildroot/package/spice/spice.mk
+++ b/bsp/buildroot/package/spice/spice.mk
@@ -4,21 +4,18 @@
 #
 ################################################################################

-SPICE_VERSION = 0.12.4
+SPICE_VERSION = 0.12.8
 SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
 SPICE_SITE = http://www.spice-space.org/download/releases
 SPICE_LICENSE = LGPLv2.1+
 SPICE_LICENSE_FILES = COPYING
 SPICE_INSTALL_STAGING = YES
 SPICE_DEPENDENCIES =        \
-	alsa-lib            \
-	celt051             \
 	jpeg                \
 	libglib2            \
 	openssl             \
 	pixman              \
-	python-pyparsing    \
-	spice-protocol      \
+	spice-protocol

 # We disable everything for now, because the dependency tree can become
 # quite deep if we try to enable some features, and I have not tested that.
@@ -27,33 +24,29 @@ SPICE_CONF_OPTS =                 \
 	--disable-smartcard       \
 	--disable-automated-tests \
 	--without-sasl            \
+	--disable-manual

 SPICE_DEPENDENCIES += host-pkgconf

-ifeq ($(BR2_PACKAGE_SPICE_CLIENT),y)
-SPICE_CONF_OPTS += --enable-client
-SPICE_DEPENDENCIES += xlib_libXfixes xlib_libXrandr
+ifeq ($(BR2_PACKAGE_CELT051),y)
+SPICE_CONF_OPTS += --enable-celt051
+SPICE_DEPENDENCIES += celt051
 else
-SPICE_CONF_OPTS += --disable-client
+SPICE_CONF_OPTS += --disable-celt051
 endif

-ifeq ($(BR2_PACKAGE_SPICE_GUI),y)
-SPICE_CONF_OPTS += --enable-gui
-SPICE_DEPENDENCIES += cegui06
+ifeq ($(BR2_PACKAGE_LZ4),y)
+SPICE_CONF_OPTS += --enable-lz4
+SPICE_DEPENDENCIES += lz4
 else
-SPICE_CONF_OPTS += --disable-gui
+SPICE_CONF_OPTS += --disable-lz4
 endif

-ifeq ($(BR2_PACKAGE_SPICE_TUNNEL),y)
-SPICE_CONF_OPTS += --enable-tunnel
-SPICE_DEPENDENCIES += slirp
-else
-SPICE_CONF_OPTS += --disable-tunnel
+# no enable/disable, detected using pkg-config
+ifeq ($(BR2_PACKAGE_OPUS),y)
+SPICE_DEPENDENCIES += opus
 endif

-SPICE_CONF_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
-SPICE_MAKE_ENV = PYTHONPATH=$(TARGET_DIR)/usr/lib/python$(PYTHON_VERSION_MAJOR)/site-packages
-
 # We need to tweak spice.pc because it /forgets/ (for static linking) that
 # it should link against libz and libjpeg. libz is pkg-config-aware, while
 # libjpeg isn't, hence the two-line tweak