aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAriadne Conill <ariadne@dereferenced.org>2021-06-02 21:12:04 -0600
committerAriadne Conill <ariadne@dereferenced.org>2021-06-02 21:18:43 -0600
commitb8823f3f856d4ade65d56997b605c4e42d88938e (patch)
tree8a97e7d178c3b698d761aab20f60c55a728a516b
parente6ce8b0c63e8f5c4d886d332e8c5c1a82415ac73 (diff)
downloadaports-b8823f3f856d4ade65d56997b605c4e42d88938e.tar.gz
aports-b8823f3f856d4ade65d56997b605c4e42d88938e.tar.bz2
aports-b8823f3f856d4ade65d56997b605c4e42d88938e.tar.xz
main/spice: add mitigation for CVE-2021-20101
-rw-r--r--main/spice/APKBUILD13
-rw-r--r--main/spice/CVE-2021-20201.patch36
2 files changed, 45 insertions, 4 deletions
diff --git a/main/spice/APKBUILD b/main/spice/APKBUILD
index 275abb6469..75a4f091ee 100644
--- a/main/spice/APKBUILD
+++ b/main/spice/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=spice
pkgver=0.14.2
-pkgrel=1
+pkgrel=2
pkgdesc="Implements the SPICE protocol"
url="http://www.spice-space.org/"
arch="all"
@@ -15,9 +15,12 @@ makedepends="$depends_dev alsa-lib-dev libjpeg-turbo-dev libxrandr-dev lz4-dev
subpackages="$pkgname-dev $pkgname-server"
source="https://www.spice-space.org/download/releases/spice-server/spice-$pkgver.tar.bz2
0001-Disable-failing-tests-on-some-arches.patch
+ CVE-2021-20201.patch
"
# secfixes:
+# 0.14.2-r2:
+# - CVE-2021-20201
# 0.14.1-r4:
# - CVE-2019-3813
# 0.14.1-r0:
@@ -64,6 +67,8 @@ server() {
mkdir -p "$subpkgdir"/usr/lib
mv "$pkgdir"/usr/lib/*server.so.* "$subpkgdir"/usr/lib/
}
-
-sha512sums="1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 spice-0.14.2.tar.bz2
-0ce5c4077a436a8895452557529d4ad118a578b8e6d157e1d8453105b7456496a0f85da0821afafbae7359a3fd6fe46d47de3bf639fa9bdb9a535ce68ab17dfa 0001-Disable-failing-tests-on-some-arches.patch"
+sha512sums="
+1093b618ea4a7ff31944429ce2903abecfc8d20c35f2d9c8c837a6e053ee429c0115e40665542637a717869209523ac05d15cdb5e77563102d5d3915e4aaaf76 spice-0.14.2.tar.bz2
+0ce5c4077a436a8895452557529d4ad118a578b8e6d157e1d8453105b7456496a0f85da0821afafbae7359a3fd6fe46d47de3bf639fa9bdb9a535ce68ab17dfa 0001-Disable-failing-tests-on-some-arches.patch
+f7584c07c2c521c1454d1a7bc49aba4fd17553b96ce5107114e9bb02d58439cabd1471dd6e6e639a3f783255efecbd1a17cd543672a8021c9d59f68acb4fcbb7 CVE-2021-20201.patch
+"
diff --git a/main/spice/CVE-2021-20201.patch b/main/spice/CVE-2021-20201.patch
new file mode 100644
index 0000000000..9c633c89e2
--- /dev/null
+++ b/main/spice/CVE-2021-20201.patch
@@ -0,0 +1,36 @@
+From ca5bbc5692e052159bce1a75f55dc60b36078749 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Julien=20Rop=C3=A9?= <jrope@redhat.com>
+Date: Wed, 2 Dec 2020 13:39:27 +0100
+Subject: [PATCH] With OpenSSL 1.1: Disable client-initiated renegotiation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes issue #49
+Fixes BZ#1904459
+
+Signed-off-by: Julien Ropé <jrope@redhat.com>
+Reported-by: BlackKD
+Acked-by: Frediano Ziglio <fziglio@redhat.com>
+---
+ server/reds.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/server/reds.c b/server/reds.c
+index fe69508e..f61086cb 100644
+--- a/server/reds.c
++++ b/server/reds.c
+@@ -2753,6 +2753,10 @@ static int reds_init_ssl(RedsState *reds)
+ * When some other SSL/TLS version becomes obsolete, add it to this
+ * variable. */
+ long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_RENEGOTIATION
++ // With OpenSSL 1.1: Disable all renegotiation in TLSv1.2 and earlier
++ ssl_options |= SSL_OP_NO_RENEGOTIATION;
++#endif
+
+ /* Global system initialization*/
+ openssl_global_init();
+--
+GitLab
+