meta-cloud-services: introduce spice

A common requirement for many cloud systems is remote console access. Adding spice to the common layer allows a rich console environment to be provided. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Bruce Ashfield <bruce.ashfield@windriver.com> 2014-03-25 15:38:22 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2014-03-25 15:38:22 -0400
commit: adf590f2283097b64976936e530084986c203b2b (patch)
tree: 6cb99bb0647ec5c19f4bf32aec256ae3aa0fc146 /recipes-support/spice
parent: dfc85232382af8fee180a83bd33f9d436557b774 (diff)
download: meta-cloud-services-adf590f2283097b64976936e530084986c203b2b.tar.gz
2 files changed, 163 insertions, 0 deletions
diff --git a/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
new file mode 100644
index 0000000..1a00a85
--- /dev/null
+++ b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
@@ -0,0 +1,100 @@
+Fix buffer overflow when decrypting client SPICE ticket
+commit 8af619009660b24e0b41ad26b30289eea288fcc2     upstream
+reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
+password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
+RSA_private_decrypt which we call for the decryption expects the
+destination buffer to be at least RSA_size(link->tiTicketing.rsa)
+bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
+is 60 while RSA_size() is 128, so we end up overflowing 'password'
+when using long passwords (this was reproduced using the string:
+'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
+as a password).
+When the overflow occurs, QEMU dies with:
+*** stack smashing detected ***: qemu-system-x86_64 terminated
+This commit ensures we use a corectly sized 'password' buffer,
+and that it's correctly nul-terminated so that we can use strcmp
+instead of strncmp. To keep using strncmp, we'd need to figure out
+which one of 'password' and 'taTicket.password' is the smaller buffer,
+and use that size.
+This fixes rhbz#999839
+diff --git a/server/reds.c b/server/reds.c
+index 30d0652..6f262b0 100644
+--- a/server/reds.c
+++ b/server/reds.c
+@@ -1931,39 +1931,59 @@ static void reds_handle_link(RedLinkInfo *link)
+ static void reds_handle_ticket(void *opaque)
+ {
+     RedLinkInfo *link = (RedLinkInfo *)opaque;
+-    char password[SPICE_MAX_PASSWORD_LENGTH];
+    char *password;
+     time_t ltime;
+    int password_size;
+ 
+     //todo: use monotonic time
+     time(&ltime);
+-    RSA_private_decrypt(link->tiTicketing.rsa_size,
+-                        link->tiTicketing.encrypted_ticket.encrypted_data,
+-                        (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
+    if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
+        spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
+                      "SPICE ticket sent from client may be truncated",
+                      RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
+    }
+
+    password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
+    password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
+                                        link->tiTicketing.encrypted_ticket.encrypted_data,
+                                        (unsigned char *)password,
+                                        link->tiTicketing.rsa,
+                                        RSA_PKCS1_OAEP_PADDING);
+    if (password_size == -1) {
+        spice_warning("failed to decrypt RSA encrypted password: %s",
+                      ERR_error_string(ERR_get_error(), NULL));
+        goto error;
+    }
+    password[password_size] = '\0';
+ 
+     if (ticketing_enabled && !link->skip_auth) {
+         int expired =  taTicket.expiration_time < ltime;
+ 
+         if (strlen(taTicket.password) == 0) {
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+             spice_warning("Ticketing is enabled, but no password is set. "
+-                        "please set a ticket first");
+-            reds_link_free(link);
+-            return;
+                          "please set a ticket first");
+            goto error;
+         }
+ 
+-        if (expired || strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
+        if (expired || strcmp(password, taTicket.password) != 0) {
+             if (expired) {
+                 spice_warning("Ticket has expired");
+             } else {
+                 spice_warning("Invalid password");
+             }
+-            reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+-            reds_link_free(link);
+-            return;
+            goto error;
+         }
+     }
+ 
+     reds_handle_link(link);
+    goto end;
+
+error:
+    reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
+    reds_link_free(link);
+
+end:
+    g_free(password);
+ }
+ 
+ static inline void async_read_clear_handlers(AsyncRead *obj)
diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb
new file mode 100644
index 0000000..900259a
--- /dev/null
+++ b/recipes-support/spice/spice_git.bb
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2013 Wind River Systems, Inc.
+#
+SUMMARY = "Simple Protocol for Independent Computing Environments"
+DESCRIPTION = "SPICE (the Simple Protocol for Independent Computing \
+Environments) is a remote-display system built for virtual \
+environments which allows users to view a computing 'desktop' \ 
+environment - not only on its computer-server machine, but also from \
+anywhere on the Internet and using a wide variety of machine \
+architectures."
+LICENSE = "LGPLv2.1+"
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+PR = "r0"
+PV = "0.12.4"
+# Actual versions based on the checkouts below
+# spice = "0.12.4"
+# common = "0.12.6"
+# protocol = "0.12.6"
+SRCREV_spice = "b270fb010a3ddb432dfe6b15e4bdffa6ac086cd0"
+SRCREV_spice-common = "fe93908238196bd632287fc9875e6f2e11105d04"
+SRCREV_spice-protocol = "784407f248e7f99d2bfcc9368f9acd1efb2b9617"
+SRC_URI = "git://anongit.freedesktop.org/spice/spice;name=spice \
+           git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/spice-common;name=spice-common \
+           git://anongit.freedesktop.org/spice/spice-protocol;destsuffix=git/spice-common/spice-protocol;name=spice-protocol \
+          "
+SRC_URI += "file://spice-fix-CVE-2013-4282.patch"
+S = "${WORKDIR}/git"
+inherit autotools gettext pythonnative python-dir pkgconfig
+DEPENDS += "python-native celt051 python-pyparsing jpeg pixman alsa-lib glib-2.0"
+EXTRA_OECONF_append = " -Wnone"
+EXTRA_AUTORECONF_append = " -Wnone"
+export PYTHON="${STAGING_BINDIR_NATIVE}/python-native/python"
+export PYTHONPATH="${PKG_CONFIG_SYSROOT_DIR}${libdir}/python2.7/site-packages"
+PACKAGECONFIG ?= "sasl"
+PACKAGECONFIG[smartcard] = "--enable-smartcard,--disable-smartcard,libcacard,"
+PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl,"
+PACKAGECONFIG[client] = "--enable-client,--disable-client,,"
+PACKAGECONFIG[gui] = "--enable-gui,--disable-gui,,"
+PACKAGECONFIG[opengl] = "--enable-opengl,--disable-opengl,,"
+PACKAGES =+ "${PN}-protocol"
+LICENSE_${PN}-protocol = "BSD"
+FILES_${PN}-protocol += "${includedir}/spice-1"
+FILES_${PN}-protocol += "${datadir}/pkgconfig"
+do_install_append() {
+        cd ${S}/spice-common/spice-protocol
+        oe_runmake DESTDIR="${D}" install
+        cd -
+}
author	Bruce Ashfield <bruce.ashfield@windriver.com>	2014-03-25 15:38:22 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2014-03-25 15:38:22 -0400
commit	adf590f2283097b64976936e530084986c203b2b (patch)
tree	6cb99bb0647ec5c19f4bf32aec256ae3aa0fc146 /recipes-support/spice
parent	dfc85232382af8fee180a83bd33f9d436557b774 (diff)
download	meta-cloud-services-adf590f2283097b64976936e530084986c203b2b.tar.gz

diff --git a/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch new file mode 100644 index 0000000..1a00a85 --- /dev/null +++ b/recipes-support/spice/files/spice-fix-CVE-2013-4282.patch
@@ -0,0 +1,100 @@
	1	Fix buffer overflow when decrypting client SPICE ticket
	2
	3	commit 8af619009660b24e0b41ad26b30289eea288fcc2 upstream
	4
	5	reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
	6	password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
	7	RSA_private_decrypt which we call for the decryption expects the
	8	destination buffer to be at least RSA_size(link->tiTicketing.rsa)
	9	bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
	10	is 60 while RSA_size() is 128, so we end up overflowing 'password'
	11	when using long passwords (this was reproduced using the string:
	12	'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
	13	as a password).
	14
	15	When the overflow occurs, QEMU dies with:
	16	* stack smashing detected *: qemu-system-x86_64 terminated
	17
	18	This commit ensures we use a corectly sized 'password' buffer,
	19	and that it's correctly nul-terminated so that we can use strcmp
	20	instead of strncmp. To keep using strncmp, we'd need to figure out
	21	which one of 'password' and 'taTicket.password' is the smaller buffer,
	22	and use that size.
	23
	24	This fixes rhbz#999839
	25	diff --git a/server/reds.c b/server/reds.c
	26	index 30d0652..6f262b0 100644
	27	--- a/server/reds.c
	28	+++ b/server/reds.c
	29	@@ -1931,39 +1931,59 @@ static void reds_handle_link(RedLinkInfo *link)
	30	static void reds_handle_ticket(void *opaque)
	31	{
	32	RedLinkInfo link = (RedLinkInfo )opaque;
	33	- char password[SPICE_MAX_PASSWORD_LENGTH];
	34	+ char *password;
	35	time_t ltime;
	36	+ int password_size;
	37
	38	//todo: use monotonic time
	39	time(&ltime);
	40	- RSA_private_decrypt(link->tiTicketing.rsa_size,
	41	- link->tiTicketing.encrypted_ticket.encrypted_data,
	42	- (unsigned char *)password, link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING);
	43	+ if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) {
	44	+ spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), "
	45	+ "SPICE ticket sent from client may be truncated",
	46	+ RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH);
	47	+ }
	48	+
	49	+ password = g_malloc0(RSA_size(link->tiTicketing.rsa) + 1);
	50	+ password_size = RSA_private_decrypt(link->tiTicketing.rsa_size,
	51	+ link->tiTicketing.encrypted_ticket.encrypted_data,
	52	+ (unsigned char *)password,
	53	+ link->tiTicketing.rsa,
	54	+ RSA_PKCS1_OAEP_PADDING);
	55	+ if (password_size == -1) {
	56	+ spice_warning("failed to decrypt RSA encrypted password: %s",
	57	+ ERR_error_string(ERR_get_error(), NULL));
	58	+ goto error;
	59	+ }
	60	+ password[password_size] = '\0';
	61
	62	if (ticketing_enabled && !link->skip_auth) {
	63	int expired = taTicket.expiration_time < ltime;
	64
	65	if (strlen(taTicket.password) == 0) {
	66	- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
	67	spice_warning("Ticketing is enabled, but no password is set. "
	68	- "please set a ticket first");
	69	- reds_link_free(link);
	70	- return;
	71	+ "please set a ticket first");
	72	+ goto error;
	73	}
	74
	75	- if (expired \|\| strncmp(password, taTicket.password, SPICE_MAX_PASSWORD_LENGTH) != 0) {
	76	+ if (expired \|\| strcmp(password, taTicket.password) != 0) {
	77	if (expired) {
	78	spice_warning("Ticket has expired");
	79	} else {
	80	spice_warning("Invalid password");
	81	}
	82	- reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
	83	- reds_link_free(link);
	84	- return;
	85	+ goto error;
	86	}
	87	}
	88
	89	reds_handle_link(link);
	90	+ goto end;
	91	+
	92	+error:
	93	+ reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED);
	94	+ reds_link_free(link);
	95	+
	96	+end:
	97	+ g_free(password);
	98	}
	99
	100	static inline void async_read_clear_handlers(AsyncRead *obj)


diff --git a/recipes-support/spice/spice_git.bb b/recipes-support/spice/spice_git.bb new file mode 100644 index 0000000..900259a --- /dev/null +++ b/recipes-support/spice/spice_git.bb
@@ -0,0 +1,63 @@
	1	#
	2	# Copyright (C) 2013 Wind River Systems, Inc.
	3	#
	4
	5	SUMMARY = "Simple Protocol for Independent Computing Environments"
	6	DESCRIPTION = "SPICE (the Simple Protocol for Independent Computing \
	7	Environments) is a remote-display system built for virtual \
	8	environments which allows users to view a computing 'desktop' \
	9	environment - not only on its computer-server machine, but also from \
	10	anywhere on the Internet and using a wide variety of machine \
	11	architectures."
	12
	13	LICENSE = "LGPLv2.1+"
	14	LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
	15
	16	PR = "r0"
	17	PV = "0.12.4"
	18
	19	# Actual versions based on the checkouts below
	20	# spice = "0.12.4"
	21	# common = "0.12.6"
	22	# protocol = "0.12.6"
	23	SRCREV_spice = "b270fb010a3ddb432dfe6b15e4bdffa6ac086cd0"
	24	SRCREV_spice-common = "fe93908238196bd632287fc9875e6f2e11105d04"
	25	SRCREV_spice-protocol = "784407f248e7f99d2bfcc9368f9acd1efb2b9617"
	26
	27	SRC_URI = "git://anongit.freedesktop.org/spice/spice;name=spice \
	28	git://anongit.freedesktop.org/spice/spice-common;destsuffix=git/spice-common;name=spice-common \
	29	git://anongit.freedesktop.org/spice/spice-protocol;destsuffix=git/spice-common/spice-protocol;name=spice-protocol \
	30	"
	31
	32	SRC_URI += "file://spice-fix-CVE-2013-4282.patch"
	33
	34	S = "${WORKDIR}/git"
	35
	36	inherit autotools gettext pythonnative python-dir pkgconfig
	37
	38	DEPENDS += "python-native celt051 python-pyparsing jpeg pixman alsa-lib glib-2.0"
	39
	40	EXTRA_OECONF_append = " -Wnone"
	41	EXTRA_AUTORECONF_append = " -Wnone"
	42
	43	export PYTHON="${STAGING_BINDIR_NATIVE}/python-native/python"
	44	export PYTHONPATH="${PKG_CONFIG_SYSROOT_DIR}${libdir}/python2.7/site-packages"
	45
	46	PACKAGECONFIG ?= "sasl"
	47
	48	PACKAGECONFIG[smartcard] = "--enable-smartcard,--disable-smartcard,libcacard,"
	49	PACKAGECONFIG[sasl] = "--with-sasl,--without-sasl,cyrus-sasl,"
	50	PACKAGECONFIG[client] = "--enable-client,--disable-client,,"
	51	PACKAGECONFIG[gui] = "--enable-gui,--disable-gui,,"
	52	PACKAGECONFIG[opengl] = "--enable-opengl,--disable-opengl,,"
	53
	54	PACKAGES =+ "${PN}-protocol"
	55	LICENSE_${PN}-protocol = "BSD"
	56	FILES_${PN}-protocol += "${includedir}/spice-1"
	57	FILES_${PN}-protocol += "${datadir}/pkgconfig"
	58
	59	do_install_append() {
	60	cd ${S}/spice-common/spice-protocol
	61	oe_runmake DESTDIR="${D}" install
	62	cd -
	63	}