extra/spice: patch to remove x86 assembly breakpoint

extra/spice/CVE-2013-4282.patch

@@ -1,104 +0,0 @@
-From 8af619009660b24e0b41ad26b30289eea288fcc2 Mon Sep 17 00:00:00 2001
-From: Christophe Fergeau <cfergeau@redhat.com>
-Date: Fri, 23 Aug 2013 09:29:44 +0000
-Subject: Fix buffer overflow when decrypting client SPICE ticket
-
-reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
-password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
-RSA_private_decrypt which we call for the decryption expects the
-destination buffer to be at least RSA_size(link->tiTicketing.rsa)
-bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
-is 60 while RSA_size() is 128, so we end up overflowing 'password'
-when using long passwords (this was reproduced using the string:
-'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
-as a password).
-
-When the overflow occurs, QEMU dies with:
-*** stack smashing detected ***: qemu-system-x86_64 terminated
-
-This commit ensures we use a corectly sized 'password' buffer,
-and that it's correctly nul-terminated so that we can use strcmp
-instead of strncmp. To keep using strncmp, we'd need to figure out
-which one of 'password' and 'taTicket.password' is the smaller buffer,
-and use that size.
-
-This fixes rhbz#999839
----
-diff --git a/server/reds.c b/server/reds.c
-index 892d247..2a0002b 100644
---- a/server/reds.c
-+++ b/server/reds.c
-@@ -1926,39 +1926,59 @@ static void reds_handle_link(RedLinkInfo *link)
- static void reds_handle_ticket(void *opaque)
- {
-     RedLinkInfo *link = (RedLinkInfo *)opaque;
--    char password[SPICE_MAX_PASSWORD_LENGTH];
-+    char *password;
-     time_t ltime;
-+    int password_size;
- 
-     //todo: use monotonic time
-     time(&ltime);
--    RSA_private_decrypt(link->tiTicketing.rsa_size,
--                        link->tiTicketing.encrypted_ticket.encrypted_data,
--                        (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
-+    if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
-+        spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
-+                      "SPICE ticket sent from client may be truncated",
-+                      RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
-+    }
-+
-+    password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
-+    password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
-+                                        link->tiTicketing.encrypted_ticket.encrypted_data,
-+                                        (unsigned char *)password,
-+                                        link->tiTicketing.rsa,
-+                                        RSA_PKCS1_OAEP_PADDING);
-+    if (password_size == -1) {
-+        spice_warning("failed to decrypt RSA encrypted password: %s",
-+                      ERR_error_string(ERR_get_error(), NULL));
-+        goto error;
-+    }
-+    password[password_size] = '\0';
- 
-     if (ticketing_enabled && !link->skip_auth) {
-         int expired =  taTicket.expiration_time < ltime;
- 
-         if (strlen(taTicket.password) == 0) {
--            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
-             spice_warning("Ticketing is enabled, but no password is set. "
--                        "please set a ticket first");
--            reds_link_free(link);
--            return;
-+                          "please set a ticket first");
-+            goto error;
-         }
- 
--        if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
-+        if (expired || strcmp(password, taTicket.password) != 0) {
-             if (expired) {
-                 spice_warning("Ticket has expired");
-             } else {
-                 spice_warning("Invalid password");
-             }
--            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
--            reds_link_free(link);
--            return;
-+            goto error;
-         }
-     }
- 
-     reds_handle_link(link);
-+    goto end;
-+
-+error:
-+    reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
-+    reds_link_free(link);
-+
-+end:
-+    g_free(password);
- }
- 
- static inline void async_read_clear_handlers(AsyncRead *obj)
---
-cgit v0.9.0.2-2-gbebe

extra/spice/PKGBUILD

@@ -6,6 +6,7 @@
 #  - drop qemu, libcacard deps
 #  - --disable-smartcard in configure
 #  - add v5 arch to configure
+#  - patch to remove x86 assembly breakpoint
 
 pkgname=spice
 pkgver=0.12.5
@@ -16,11 +17,13 @@ url="http://spice-space.org"
 license=('LGPL2.1')
 depends=(alsa-lib celt0.5.1 libjpeg-turbo libsasl libxinerama libxfixes libxrandr pixman)
 makedepends=(python2-pyparsing spice-protocol)
-source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2)
+source=(http://spice-space.org/download/releases/$pkgname-$pkgver.tar.bz2
+        alarm.patch)
 
 prepare() {
   cd "$srcdir/$pkgname-$pkgver"
   sed -i 's/|armv6|/|armv5tel|armv6|/' configure
+  patch -p1 -i ../alarm.patch
 }
 
 build() {
@@ -33,4 +36,5 @@ package() {
   cd "$srcdir/$pkgname-$pkgver"
   make DESTDIR="$pkgdir/" install
 }
-md5sums=('1256286214fe402703c0a01bd3a85319')
+md5sums=('1256286214fe402703c0a01bd3a85319'
+         'fb88aba84f39baa118fcd9da82b10b78')

extra/spice/alarm.patch

@@ -0,0 +1,26 @@
+diff -urN a/client/red_pixmap.h b/client/red_pixmap.h
+--- a/client/red_pixmap.h	2014-05-14 05:14:34.000000000 -0600
++++ b/client/red_pixmap.h	2014-07-07 05:29:00.121233414 -0600
+@@ -46,8 +46,6 @@
+                         spice_printerr("equal fails at (+%d+%d) +%d+%d:%d in %dx%d",
+                                        rect.left, rect.top, x-rect.left, y-rect.top, i,
+                                        _width-rect.left, _height-rect.top);
+-                        if (getenv("DIFFBP"))
+-                            SPICE_BREAKPOINT();
+                         return false;
+                     }
+                 }
+diff -urN a/client/utils.h b/client/utils.h
+--- a/client/utils.h	2014-05-14 05:14:34.000000000 -0600
++++ b/client/utils.h	2014-07-07 05:29:16.866177393 -0600
+@@ -50,10 +50,6 @@
+     throw Exception(exption_string, err);                       \
+ }
+ 
+-#define SPICE_BREAKPOINT() do{                  \
+-    __asm__ __volatile__ ("int $03");           \
+-}while(0)
+-
+ template <class T>
+ class AutoRef {
+ public: