mirror of
https://gitlab.uni-freiburg.de/opensourcevdi/spice
synced 2025-12-27 23:49:04 +00:00
a4a16ac42d
RedMemSlotInfo keeps an array of groups, and each group contains an array of slots. Unfortunately, these checks are off by 1, they check that the index is greater or equal to the number of elements in the array, while these arrays are 0 based. The check should only check for strictly greater than the number of elements. For the group array, this is not a big issue, as these memslot groups are created by spice-server users (eg QEMU), and the group ids used to index that array are also generated by the spice-server user, so it should not be possible for the guest to set them to arbitrary values. The slot id is more problematic, as it's calculated from a QXLPHYSICAL address, and such addresses are usually set by the guest QXL driver, so the guest can set these to arbitrary values, including malicious values, which are probably easy to build from the guest PCI configuration. This patch fixes the arrays bound check, and adds a test case for this. This fixes CVE-2019-3813. Signed-off-by: Christophe Fergeau <cfergeau@redhat.com> Acked-by: Frediano Ziglio <fziglio@redhat.com> |
||
|---|---|---|
| build-aux | ||
| docs | ||
| m4 | ||
| server | ||
| subprojects | ||
| tests | ||
| tools | ||
| uncrustify_cfg | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| .gitmodules | ||
| .mailmap | ||
| .travis.yml | ||
| AUTHORS | ||
| autogen.sh | ||
| cfg.mk | ||
| ChangeLog | ||
| configure.ac | ||
| COPYING | ||
| GNUmakefile | ||
| maint.mk | ||
| Makefile.am | ||
| meson_options.txt | ||
| meson.build | ||
| NEWS | ||
| README | ||
| spice-server.pc.in | ||
| TODO.multiclient | ||
SPICE: Simple Protocol for Independent Computing Environments
=============================================================
SPICE is a remote display system built for virtual environments which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures.
Installation
------------
The SPICE package uses GNU autotools, so the build install process
follows the standard process documented in the INSTALL file. As a
quick start you can do
./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var --libdir=/usr/lib
make
sudo make install
Or to install into a private user specific location
./configure --prefix=$HOME/spice
make
make install
The following mandatory dependencies are required in order to
build SPICE
Spice protocol >= 0.12.14
Pixman >= 0.17.7
OpenSSL
libjpeg
zlib
The following optional dependencies increase the available
functionality
Cyrus-SASL
libcacard >= 0.1.2 (Smartcard support)
Opus >= 1.0.0 (Opus audio encoding support)
LZ4 (LZ4 compression support)
GStreamer >= 1.0.0
Communication
-------------
To communicate with the development team, or to post patches
there is a technical mailing list:
http://lists.freedesktop.org/mailman/listinfo/spice-devel
There is also a mailing list for new release announcements:
http://lists.freedesktop.org/archives/spice-announce/
To view known bugs, or report new bugs, in SPICE visit
https://gitlab.freedesktop.org/spice/spice/issues/new?
Bugs found when using an OS distribution's binary packages should
be reported to the OS vendors' own bug tracker first.
The latest SPICE code can be found in GIT at:
https://gitlab.freedesktop.org/spice/
Licensing
---------
SPICE is provided under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
Please see the COPYING file for the complete LGPLv2+ license
terms, or visit <http://www.gnu.org/licenses/>.
Experimental Features
---------------------
To enable multiple client connections, set:
SPICE_DEBUG_ALLOW_MC=1
-- End of readme