diff -pruN 0.14.3-1/debian/changelog 0.14.3-1ubuntu2/debian/changelog
--- 0.14.3-1/debian/changelog	2020-04-14 13:55:25.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/changelog	2020-10-01 11:00:18.000000000 +0000
@@ -1,3 +1,37 @@
+spice (0.14.3-1ubuntu2) groovy; urgency=medium
+
+  * SECURITY UPDATE: multiple buffer overflows in QUIC image decoding
+    - debian/patches/CVE-2020-14355-1.patch: check we have some data to
+      start decoding quic image in subprojects/spice-common/common/quic.c.
+    - debian/patches/CVE-2020-14355-2.patch: check image size in
+      quic_decode_begin in subprojects/spice-common/common/quic.c.
+    - debian/patches/CVE-2020-14355-3.patch: check RLE lengths in
+      subprojects/spice-common/common/quic_tmpl.c.
+    - debian/patches/CVE-2020-14355-4.patch: avoid possible buffer overflow
+      in find_bucket in subprojects/spice-common/common/quic_family_tmpl.c.
+    - CVE-2020-14355
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 01 Oct 2020 07:00:18 -0400
+
+spice (0.14.3-1ubuntu1) groovy; urgency=medium
+
+  * Merge with Debian unstable (LP: #1881093). Remaining changes:
+    - d/control: Don't recommend -libav gstreamer plugins since it is in
+      universe
+    - make autopkgtests work again
+      - d/t/automated-tests: spice-common moved into dir subprojects
+      - d/t/automated-tests: option --enable-automated-tests now is always on
+      - d/t/control: make tests more debuggable by allowing stderr
+      - d/t/control: install new test dependency python-pil
+      - d/t/regression-test.py, d/t/base_test.ppm: add file dropped in release
+        tarball but needed for autopkgtests
+      - d/source/include-binaries: allow binary base_test.ppm in package
+  * Dropped changes
+    - d/p/lp-1874054-*: fix rescaling and some crashes (LP: 1874054)
+      [Upstream in 0.14.3]
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 28 May 2020 11:56:04 +0200
+
 spice (0.14.3-1) unstable; urgency=medium
 
   * new upstream version (Closes: #940057, #954629)
@@ -9,6 +43,49 @@ spice (0.14.3-1) unstable; urgency=mediu
 
  -- Michael Tokarev <mjt@tls.msk.ru>  Tue, 14 Apr 2020 16:55:25 +0300
 
+spice (0.14.2-4ubuntu3) focal; urgency=medium
+
+  * d/p/lp-1874054-*: fix rescaling and some crashes (LP: #1874054)
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 21 Apr 2020 14:05:18 +0200
+
+spice (0.14.2-4ubuntu2) focal; urgency=medium
+
+  * No-change rebuild for libgcc-s1 package name change.
+
+ -- Matthias Klose <doko@ubuntu.com>  Mon, 23 Mar 2020 07:26:08 +0100
+
+spice (0.14.2-4ubuntu1) focal; urgency=medium
+
+  * Merge with Debian unstable (LP: #1852439). Remaining changes:
+    - d/control: Don't recommend -libav gstreamer plugins since it is in
+      universe
+    - make autopkgtests work again
+      - d/t/automated-tests: spice-common moved into dir subprojects
+      - d/t/automated-tests: option --enable-automated-tests now is always on
+      - d/t/control: make tests more debuggable by allowing stderr
+      - d/t/control: install new test dependency python-pil
+      - d/t/regression-test.py, d/t/base_test.ppm: add file dropped in release
+        tarball but needed for autopkgtests
+      - d/source/include-binaries: allow binary base_test.ppm in package
+  * Added changes:
+    - d/t/automated-tests, d/t/control: make autopkgtests python3 compatible
+  * Dropped Changes (in Debian):
+    - d/control: Don't recommend -ugly gstreamer plugins since it is in universe
+    - d/patches: drop patches being upstream in 0.14.2
+    - new upstream 0.14.2
+    - disable failing test-listen
+    - d/libspice-server1.symbols: update for new symbols in 14.2
+    - d/p/fix-test-qxl-parsing-on-ppc64el-and-armhf.patch: avoid FTBFS due to
+      different handling of high words for constants
+    - d/control: bump build dependency to libspice-protocol-dev >=0.14.0
+  * Dropped Changes (Upstream)
+    - SECURITY UPDATE: Integer overflow and buffer overflow CVE-2017-12194
+    - SECURITY UPDATE: Denial of service CVE-2018-10873
+    - SECURITY UPDATE: off-by-one error in memslot_get_virt CVE-2019-3813
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 13 Nov 2019 15:54:00 +0100
+
 spice (0.14.2-4) unstable; urgency=medium
 
   * disable failing test-listen (Closes: #941006)
@@ -56,6 +133,42 @@ spice (0.14.2-1) unstable; urgency=mediu
 
  -- Michael Tokarev <mjt@tls.msk.ru>  Fri, 30 Aug 2019 13:54:00 +0300
 
+spice (0.14.2-0ubuntu2) eoan; urgency=medium
+
+  * Fixup autpkgtest (LP: #1834286)
+    These changes will make the test able to run again, but not output mismatch
+    errors (this matches the behavior before 0.14.2). Upstream discussion
+    started on how to resolve that as a next step, more details at the LP bug.
+    - d/t/automated-tests: spice-common moved into dir subprojects
+    - d/t/automated-tests: option --enable-automated-tests now is always on"
+    - d/t/automated-tests, d/t/control: make tests more debuggable by allowing
+      stderr
+    - d/t/control: install new test dependency python-pil
+    - d/t/base_test.ppm, d/t/regression-test.py: provide test resources from
+      upstream git not part of the released tarball anymore
+    - d/source/include-binaries: allow binary base_test.ppm in package
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 25 Jun 2019 12:59:01 +0200
+
+spice (0.14.2-0ubuntu1) eoan; urgency=medium
+
+  * New upstream release
+    Among many other fixes this will resolve (LP: #1814146)
+    - d/p/disable-failing-test-listen.patch: disable new test that is
+      unreliable in the build environment
+    - d/patches: drop patches being upstream in 0.14.2
+      + debian/patches/CVE-2017-12194-1.patch
+      + debian/patches/CVE-2017-12194-2.patch
+      + debian/patches/CVE-2017-12194-3.patch
+      + debian/patches/CVE-2018-10873.patch
+      + debian/patches/CVE-2019-3813.patch
+    - d/libspice-server1.symbols: update for new symbols in 14.2
+    - d/p/fix-test-qxl-parsing-on-ppc64el-and-armhf.patch: avoid FTBFS due
+      to different handling of high words for constants
+    - d/control: bump build dependency to libspice-protocol-dev >=0.14.0
+
+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Fri, 24 May 2019 12:27:26 +0200
+
 spice (0.14.0-1.3) unstable; urgency=medium
 
   * Non-maintainer upload.
@@ -78,6 +191,52 @@ spice (0.14.0-1.1) unstable; urgency=med
 
  -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 15 Sep 2018 09:15:28 +0200
 
+spice (0.14.0-1ubuntu5) disco; urgency=medium
+
+  * SECURITY UPDATE: off-by-one error in memslot_get_virt
+    - debian/patches/CVE-2019-3813.patch: fix checks in server/memslot.c,
+      add tests to server/tests/test-qxl-parsing.c.
+    - CVE-2019-3813
+  * debian/tests/automated-tests: fix incorrect test name, don't fail on
+    build writing to stderr.
+
+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 24 Jan 2019 08:58:10 -0500
+
+spice (0.14.0-1ubuntu4) cosmic; urgency=medium
+
+  * SECURITY UPDATE: Denial of service
+    - debian/patches/CVE-2018-10873.patch:  fix in
+      spice-common/python_modules/demarshal.py,
+   - CVE-2018-10873
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Mon, 20 Aug 2018 13:26:02 -0300
+
+spice (0.14.0-1ubuntu3) cosmic; urgency=medium
+
+  * SECURITY UPDATE: Integer overflow and buffer overflow
+    - debian/patches/CVE-2017-12194-1.patch: fix a integer overflow
+      computing sizes in spice-common/python_modules/demarshal.py.
+    - debian/patches/CVE-2017-12194-2.patch: avoid integer overflow
+      in spice-common/python_modules/demarshal.py,
+      spice-common/python_modules/marshal.py.
+    - debian/patches/CVE-2017-12194-3.patch: add tests to verify fix.
+    - CVE-2017-12194
+
+ -- Leonidas S. Barbosa <leo.barbosa@canonical.com>  Tue, 22 May 2018 14:53:01 -0300
+
+spice (0.14.0-1ubuntu2) bionic; urgency=high
+
+  * No change rebuild against openssl1.1.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 06 Feb 2018 17:55:31 +0000
+
+spice (0.14.0-1ubuntu1) bionic; urgency=medium
+
+  * Don't recommend -ugly or -libav gstreamer plugins since they
+    are in universe
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Wed, 01 Nov 2017 21:55:03 -0400
+
 spice (0.14.0-1) unstable; urgency=medium
 
   * New upstream release
diff -pruN 0.14.3-1/debian/control 0.14.3-1ubuntu2/debian/control
--- 0.14.3-1/debian/control	2020-04-14 13:44:06.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/control	2020-05-28 09:56:04.000000000 +0000
@@ -1,7 +1,8 @@
 Source: spice
 Section: misc
 Priority: optional
-Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>
 Uploaders: Michael Tokarev <mjt@tls.msk.ru>
 Build-Depends:
  debhelper (>= 10),
@@ -38,7 +39,6 @@ Multi-Arch: same
 Pre-Depends: ${misc:Pre-Depends}
 Depends: ${misc:Depends}, ${shlibs:Depends}
 Recommends:
- gstreamer1.0-libav,
  gstreamer1.0-plugins-base,
  gstreamer1.0-plugins-good,
 Suggests:
diff -pruN 0.14.3-1/debian/patches/CVE-2020-14355-1.patch 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-1.patch
--- 0.14.3-1/debian/patches/CVE-2020-14355-1.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-1.patch	2020-10-01 10:47:54.000000000 +0000
@@ -0,0 +1,29 @@
+From 762e0abae36033ccde658fd52d3235887b60862d Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:09:13 +0100
+Subject: [PATCH spice-common 1/4] quic: Check we have some data to start
+ decoding quic image
+
+All paths already pass some data to quic_decode_begin but for the
+test check it, it's not that expensive test.
+Checking for not 0 is enough, all other words will potentially be
+read calling more_io_words but we need one to avoid a potential
+initial buffer overflow or deferencing an invalid pointer.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -1145,7 +1145,7 @@ int quic_decode_begin(QuicContext *quic,
+     int channels;
+     int bpc;
+ 
+-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+         return QUIC_ERROR;
+     }
+ 
diff -pruN 0.14.3-1/debian/patches/CVE-2020-14355-2.patch 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-2.patch
--- 0.14.3-1/debian/patches/CVE-2020-14355-2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-2.patch	2020-10-01 10:49:13.000000000 +0000
@@ -0,0 +1,43 @@
+From 404d74782c8b5e57d146c5bf3118bb41bf3378e4 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:10:24 +0100
+Subject: [PATCH spice-common 2/4] quic: Check image size in quic_decode_begin
+
+Avoid some overflow in code due to images too big or
+negative numbers.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -57,6 +57,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
+                                                     unmodified GR codewords in the code */
+@@ -1174,6 +1177,16 @@ int quic_decode_begin(QuicContext *quic,
+     height = encoder->io_word;
+     decode_eat32bits(encoder);
+ 
++    if (width <= 0 || height <= 0) {
++        encoder->usr->warn(encoder->usr, "invalid size\n");
++        return QUIC_ERROR;
++    }
++
++    /* avoid too big images */
++    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++        encoder->usr->error(encoder->usr, "image too large\n");
++    }
++
+     quic_image_params(encoder, type, &channels, &bpc);
+ 
+     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
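Review bot: The new `image too large` branch in quic_decode_begin has no `return QUIC_ERROR;`, so an oversized image is rejected only if the `usr->error` callback never returns, whereas the `invalid size` branch just above pairs `warn` with an explicit return. Whether `error` is guaranteed not to return is not visible in this hunk, so I would add `return QUIC_ERROR;` after the `error` call, or at least a comment such as `/* usr->error does not return */`. The same pattern appears in CVE-2020-14355-3.patch, where `run_end += i;` and the pixel loop follow the `wrong RLE` error call directly. quic_decode_begin continues outside the hunk.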
diff -pruN 0.14.3-1/debian/patches/CVE-2020-14355-3.patch 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-3.patch
--- 0.14.3-1/debian/patches/CVE-2020-14355-3.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-3.patch	2020-10-01 10:58:55.000000000 +0000
@@ -0,0 +1,30 @@
+From ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Wed, 29 Apr 2020 15:11:38 +0100
+Subject: [PATCH spice-common 3/4] quic: Check RLE lengths
+
+Avoid buffer overflows decoding images. On compression we compute
+lengths till end of line so it won't cause regressions.
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic_tmpl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/subprojects/spice-common/common/quic_tmpl.c
++++ b/subprojects/spice-common/common/quic_tmpl.c
+@@ -570,7 +570,11 @@ static void FNAME_DECL(uncompress_row_se
+ do_run:
+         state->waitcnt = stopidx - i;
+         run_index = i;
+-        run_end = i + decode_state_run(encoder, state);
++        run_end = decode_state_run(encoder, state);
++        if (run_end < 0 || run_end > (end - i)) {
++            encoder->usr->error(encoder->usr, "wrong RLE\n");
++        }
++        run_end += i;
+ 
+         for (; i < run_end; i++) {
+             UNCOMPRESS_PIX_START(&cur_row[i]);
diff -pruN 0.14.3-1/debian/patches/CVE-2020-14355-4.patch 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-4.patch
--- 0.14.3-1/debian/patches/CVE-2020-14355-4.patch	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/patches/CVE-2020-14355-4.patch	2020-10-01 10:59:19.000000000 +0000
@@ -0,0 +1,30 @@
+From b24fe6b66b86e601c725d30f00c37e684b6395b6 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio <freddy77@gmail.com>
+Date: Thu, 30 Apr 2020 10:19:09 +0100
+Subject: [PATCH spice-common 4/4] quic: Avoid possible buffer overflow in
+ find_bucket
+
+Proved by fuzzing the code.
+
+Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
+Acked-by: Uri Lublin <uril@redhat.com>
+---
+ common/quic_family_tmpl.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
++++ b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -105,7 +105,12 @@ static s_bucket *FNAME(find_bucket)(Chan
+         spice_assert(val < (0x1U << BPC));
+     }
+ 
+-    return channel->_buckets_ptrs[val];
++    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++     * attempts. Is much faster then using comparisons and save us from such situations.
++     * Note that on normal build the check above won't be compiled as this code path
++     * is pretty hot and would cause speed regressions.
++     */
++    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
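Review bot: The mask on the `return` line of find_bucket keeps the index in range only if `_buckets_ptrs` holds at least `1U << BPC` entries, and that array's declaration is not in this hunk. A compile-time assertion or a comment beside the array definition tying its size to BPC would make the invariant explicit. An out-of-range `val` is also silently wrapped onto a valid bucket, so a malformed stream is decoded rather than rejected; the comment could say so, e.g. `/* out-of-range val is wrapped, not reported; output for malformed input is unspecified */`. find_bucket starts above the hunk.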
diff -pruN 0.14.3-1/debian/patches/series 0.14.3-1ubuntu2/debian/patches/series
--- 0.14.3-1/debian/patches/series	2020-04-14 13:32:13.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/patches/series	2020-10-01 10:59:00.000000000 +0000
@@ -1 +1,5 @@
 disable-failing-test-listen.patch
+CVE-2020-14355-1.patch
+CVE-2020-14355-2.patch
+CVE-2020-14355-3.patch
+CVE-2020-14355-4.patch
diff -pruN 0.14.3-1/debian/source/include-binaries 0.14.3-1ubuntu2/debian/source/include-binaries
--- 0.14.3-1/debian/source/include-binaries	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/source/include-binaries	2020-05-28 09:56:04.000000000 +0000
@@ -0,0 +1 @@
+debian/tests/base_test.ppm
diff -pruN 0.14.3-1/debian/tests/automated-tests 0.14.3-1ubuntu2/debian/tests/automated-tests
--- 0.14.3-1/debian/tests/automated-tests	2019-01-28 12:04:44.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/tests/automated-tests	2020-05-28 09:56:04.000000000 +0000
@@ -1,13 +1,16 @@
 #! /bin/sh
 
-set -e
+set -ex
 
-dh_auto_configure -- --enable-automated-tests \
+dh_auto_configure -- \
     --disable-celt051 \
     --disable-silent-rules \
     --enable-smartcard
-make -C spice-common/common libspice-common.la libspice-common-server.la
+make -C subprojects/spice-common/common libspice-common.la libspice-common-server.la
 make -C server libspice-server.la
 make -C server/tests all
-./server/tests/test_display_streaming  --automated-tests
+cp -av debian/tests/regression-test.py server/tests
+cp -av debian/tests/base_test.ppm server/tests
+cd server/tests
+./test-display-streaming  --automated-tests
 
Binary files 0.14.3-1/debian/tests/base_test.ppm and 0.14.3-1ubuntu2/debian/tests/base_test.ppm differ
diff -pruN 0.14.3-1/debian/tests/control 0.14.3-1ubuntu2/debian/tests/control
--- 0.14.3-1/debian/tests/control	2019-01-28 12:04:44.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/tests/control	2020-05-28 09:56:04.000000000 +0000
@@ -1,2 +1,3 @@
 Tests: automated-tests
-Depends: @, @builddeps@, spice-client-gtk
+Depends: @, @builddeps@, spice-client-gtk, python3-pil, python3
+Restrictions: allow-stderr
diff -pruN 0.14.3-1/debian/tests/regression-test.py 0.14.3-1ubuntu2/debian/tests/regression-test.py
--- 0.14.3-1/debian/tests/regression-test.py	1970-01-01 00:00:00.000000000 +0000
+++ 0.14.3-1ubuntu2/debian/tests/regression-test.py	2020-05-28 09:56:04.000000000 +0000
@@ -0,0 +1,25 @@
+#!/usr/bin/python3
+from subprocess import PIPE, Popen
+from PIL import Image
+from PIL import ImageChops
+
+
+def spicy_screenshot():
+    cmd = "spicy-screenshot -h localhost -p 5912 -o output.ppm"
+    p = Popen(cmd, shell=True)
+    p.wait()
+
+def verify():
+    base = Image.open("base_test.ppm")
+    output = Image.open("output.ppm")
+    return ImageChops.difference(base, output).getbbox()
+
+if __name__ == "__main__":
+    spicy_screenshot()
+    diff = verify()
+
+    if diff is None:
+        print("\033[1;32mSUCCESS: No regressions were found!\033[1;m")
+    else:
+        print("\033[1;31mFAIL: Regressions were found!\n\033[1;m"
+              "\033[1;31m      Please, take a look in your code and go fix it!\033[1;m")
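Review bot: The script exits with status 0 on every path, so the `FAIL: Regressions were found!` branch shows up only in the log; if the caller relies on the exit status (not shown here), add `raise SystemExit(1)` after that print. `spicy_screenshot()` also discards the result of `p.wait()`, so a failed capture leaves `verify()` to open a missing or stale `output.ppm`; `if p.wait() != 0: raise SystemExit("spicy-screenshot failed")` would surface it. The command is a constant string, so `shell=True` is not an injection risk here, but passing an argument list to `Popen` removes the shell dependency, and the `PIPE` import is unused.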
