spice: security bump to version 0.12.8
Fixes the following security issues: CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow. CVE-2016-2150: SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261. The pyparsing check has been dropped from configure, and the spice protocol definition is again included, so the workarounds can be removed. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Peter Korsgaard
parent
622ff3d6ea
commit
75057fe767
|
|
@ -1,2 +1,2 @@
|
|||
# Locally calculated
|
||||
sha256 f148ea30135bf80a4f465ce723a1cd6d4ccb34c098b6298a020b378ace8569b6 spice-0.12.6.tar.bz2
|
||||
sha256 f901a5c5873d61acac84642f9eea5c4d6386fc3e525c2b68792322794e1c407d spice-0.12.8.tar.bz2
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
#
|
||||
################################################################################
|
||||
|
||||
SPICE_VERSION = 0.12.6
|
||||
SPICE_VERSION = 0.12.8
|
||||
SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
|
||||
SPICE_SITE = http://www.spice-space.org/download/releases
|
||||
SPICE_LICENSE = LGPL-2.1+
|
||||
|
|
@ -47,28 +47,6 @@ ifeq ($(BR2_PACKAGE_OPUS),y)
|
|||
SPICE_DEPENDENCIES += opus
|
||||
endif
|
||||
|
||||
# build system uses pkg-config --variable=codegendir spice-protocol which
|
||||
# returns the runtime path rather than build time, so it needs some help
|
||||
SPICE_MAKE_OPTS = CODE_GENERATOR_BASEDIR=$(STAGING_DIR)/usr/lib/spice-protocol
|
||||
SPICE_INSTALL_STAGING_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(STAGING_DIR) install
|
||||
SPICE_INSTALL_TARGET_OPTS = $(SPICE_MAKE_OPTS) DESTDIR=$(TARGET_DIR) install
|
||||
|
||||
# spice uses a number of source files that are generated with python / pyparsing.
|
||||
# The generated files are part of the tarball, so python / pyparsing isn't needed
|
||||
# when building from the tarball, but the configure script gets confused and looks
|
||||
# for the wrong file name to know if it needs to check for python / pyparsing,
|
||||
# so convince it they aren't needed.
|
||||
# It will also regenerate these files if the spice-protocol protocol definition
|
||||
# is newer than the generated files (which it will be when spice-protocol
|
||||
# installs it to staging), so ensure their timestamp is updated to skip this.
|
||||
define SPICE_NO_PYTHON_PYPARSING
|
||||
mkdir -p $(@D)/client
|
||||
touch $(@D)/client/generated_marshallers.cpp
|
||||
touch $(@D)/spice-common/common/generated_*
|
||||
endef
|
||||
|
||||
SPICE_PRE_CONFIGURE_HOOKS += SPICE_NO_PYTHON_PYPARSING
|
||||
|
||||
# We need to tweak spice.pc because it /forgets/ (for static linking) that
|
||||
# it should link against libz and libjpeg. libz is pkg-config-aware, while
|
||||
# libjpeg isn't, hence the two-line tweak
|
||||
|
|
|
|||
Loading…
Reference in a new issue