app-emulation/spice: apply security patches for CVE-2020-14355

Bug: https://bugs.gentoo.org/746920
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Matthias Maier <tamiko@gentoo.org>

5 files changed, 182 insertions, 0 deletions

diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
new file mode 100644
index 000000000000..338f4e6ca657
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
@@ -0,0 +1,31 @@
+diff --git a/common/quic.c b/common/quic.c
+index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
+                                                     unmodified GR codewords in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     height = encoder->io_word;
+     decode_eat32bits(encoder);
+ 
++    if (width <= 0 || height <= 0) {
++        encoder->usr->warn(encoder->usr, "invalid size\n");
++        return QUIC_ERROR;
++    }
++
++    /* avoid too big images */
++    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++        encoder->usr->error(encoder->usr, "image too large\n");
++    }
++
+     quic_image_params(encoder, type, &channels, &bpc);
+ 
+     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
new file mode 100644
index 000000000000..ce79ef0043ee
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
@@ -0,0 +1,13 @@
+diff --git a/common/quic.c b/common/quic.c
+index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     int channels;
+     int bpc;
+ 
+-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+         return QUIC_ERROR;
+     }
+ 
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
new file mode 100644
index 000000000000..40127deda15a
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
@@ -0,0 +1,18 @@
+diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
+index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
++++ b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
+ {
+     spice_extra_assert(val < (0x1U << BPC));
+ 
+-    return channel->_buckets_ptrs[val];
++    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++     * attempts. Is much faster then using comparisons and save us from such situations.
++     * Note that on normal build the check above won't be compiled as this code path
++     * is pretty hot and would cause speed regressions.
++     */
++    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
new file mode 100644
index 000000000000..bc764ec23ce2
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
@@ -0,0 +1,17 @@
+diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
+index ecd6f3f187c753a89b7dbb0657edc3ae82ffaaff..ebae992d642a657a7505b3ca0e8145310805f32f 100644
+--- a/subprojects/spice-common/common/quic_tmpl.c
++++ b/subprojects/spice-common/common/quic_tmpl.c
+@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
+ do_run:
+         state->waitcnt = stopidx - i;
+         run_index = i;
+-        run_end = i + decode_state_run(encoder, state);
++        run_end = decode_state_run(encoder, state);
++        if (run_end < 0 || run_end > (end - i)) {
++            encoder->usr->error(encoder->usr, "wrong RLE\n");
++        }
++        run_end += i;
+ 
+         for (; i < run_end; i++) {
+             UNCOMPRESS_PIX_START(&cur_row[i]);
diff --git a/app-emulation/spice/spice-0.14.3-r1.ebuild b/app-emulation/spice/spice-0.14.3-r1.ebuild
new file mode 100644
index 000000000000..175926c76fbf
--- /dev/null
+++ b/app-emulation/spice/spice-0.14.3-r1.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8} )
+inherit autotools python-any-r1 readme.gentoo-r1 xdg-utils
+
+DESCRIPTION="SPICE server"
+HOMEPAGE="https://www.spice-space.org/"
+SRC_URI="https://www.spice-space.org/download/releases/spice-server/${P}.tar.bz2"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~ppc64 ~x86"
+IUSE="libressl lz4 sasl smartcard static-libs gstreamer"
+
+# the libspice-server only uses the headers of libcacard
+RDEPEND="
+	dev-lang/orc[static-libs(+)?]
+	>=dev-libs/glib-2.22:2[static-libs(+)?]
+	media-libs/opus[static-libs(+)?]
+	sys-libs/zlib[static-libs(+)?]
+	virtual/jpeg:0=[static-libs(+)?]
+	>=x11-libs/pixman-0.17.7[static-libs(+)?]
+	!libressl? ( dev-libs/openssl:0=[static-libs(+)?] )
+	libressl? ( dev-libs/libressl:0=[static-libs(+)?] )
+	lz4? ( app-arch/lz4:0=[static-libs(+)?] )
+	smartcard? ( >=app-emulation/libcacard-0.1.2 )
+	sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] )
+	gstreamer? (
+		media-libs/gstreamer:1.0
+		media-libs/gst-plugins-base:1.0
+	)"
+DEPEND="${RDEPEND}
+	>=app-emulation/spice-protocol-0.14.0
+	smartcard? ( app-emulation/qemu[smartcard] )"
+BDEPEND="${PYTHON_DEPS}
+	virtual/pkgconfig
+	$(python_gen_any_dep '
+		>=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]
+		dev-python/six[${PYTHON_USEDEP}]
+	')"
+
+python_check_deps() {
+	has_version -b ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]"
+	has_version -b "dev-python/six[${PYTHON_USEDEP}]"
+}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2020-14355-762e0aba.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-404d7478.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-ef1b6ff7.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-b24fe6b6.patch
+)
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	eautoreconf
+}
+
+src_configure() {
+	# Prevent sandbox violations, bug #586560
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744134
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744135
+	addpredict /dev
+
+	xdg_environment_reset
+
+	local myconf="
+		$(use_enable static-libs static)
+		$(use_enable lz4)
+		$(use_with sasl)
+		$(use_enable smartcard)
+		--enable-gstreamer=$(usex gstreamer "1.0" "no")
+		--disable-celt051
+		"
+	econf ${myconf}
+}
+
+src_compile() {
+	# Prevent sandbox violations, bug #586560
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744134
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744135
+	addpredict /dev
+
+	default
+}
+
+src_install() {
+	default
+	use static-libs || find "${D}" -name '*.la' -type f -delete || die
+	readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}