gentoo resync : 28.04.2021

7 files changed, 200 insertions, 5 deletions

diff --git a/app-emulation/spice/Manifest b/app-emulation/spice/Manifest
index 60d7adfffb44..0cb70be92056 100644
--- a/app-emulation/spice/Manifest
+++ b/app-emulation/spice/Manifest
@@ -1,5 +1,10 @@
 AUX README.gentoo 270 BLAKE2B 979c3e8d2a3c1d4f30af8f2d9954434dd685abf42992abf0e63e9dbe2d16d8fb3b135ecf3b81344e12d585ed92543d6b8adffb01e55772964de0f97f320d785c SHA512 9202046d629d12eee0435bb0ee8bafc1d8a0b52784275a7b3989fd430de8ed0ec2e59cfdf963a58494a05296a55bc99fe7095e661398182d62286e8816895dd1
+AUX spice-0.14.3-CVE-2020-14355-404d7478.patch 1274 BLAKE2B 750de585f630c724c851514b35dcec57e2c263fb4423cf472c9cb10a2654fdc918eac9f14460e17f4e147d1b2b4ad1269e254037fce49397eb336f38747492b7 SHA512 51a901195a884209929294c4e9af4e49da79741dc08f5fc3035b95abbdbacb9a8c2fe6d0ffb4c6829b9f22012497058e3c618e543102fd9bdf446fae6cd07824
+AUX spice-0.14.3-CVE-2020-14355-762e0aba.patch 533 BLAKE2B f6ecb51c2ef568d7e9c341be68100423434b70f963ecadf05f351ebc567af6defe8033a4e2fb930b7401ac9a0ed721c9f00ef643d93f2ff7aca5100ad7636e92 SHA512 f5af0b2a8e4604390f7ae35a87ad17a5def2b4861538fe80c385e7a601e7fe78bcc24af4fa536f72be2c980dff94d2ff7252cdf6e593889106c8c1ce9978d91b
+AUX spice-0.14.3-CVE-2020-14355-b24fe6b6.patch 876 BLAKE2B 7ba5c57e7ca7265f6d42bf475403ba1f1ce3690b1d6ab9d9c65ee722005a1b198b7b6a5ffb0d94a2dea1c67eb7ecd2585d6974c43ffae1dd25a2bc51781d5483 SHA512 b13f1b44d3452b5b246efb1b98f9b4b9bcff8ed9161bfa79d31fb4404cc499772144676a96b37b1cb94c7e9036c23df092fb1a878651555164e733d0fafb0712
+AUX spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch 759 BLAKE2B 8d3f0b5d03d79dc1c02efec9f3746d4d8a5fc3be9b4a98a1b1b6f325cb19a03dbc2d29ab5c7a3a7bb807fda2bd52080c87d706a1c61eff15bc74a8c65a60f8ce SHA512 9b72fb0195feb5ddbce7dacca0459d2f5ad00a72c0f45488debae50c188b14274ae8a7208052e85ca42793a6be3a7483c816f1f381015ea5fe42fa05bb2a9f5a
 DIST spice-0.14.3.tar.bz2 1504304 BLAKE2B be655e1d4c48dae29903ab8e0dc52da63723e3252052afccc9587065531f28c8af7dbab4c585093f26d98f2273c6e734a553c18d4779a9f4464334ae1764f682 SHA512 9ecdc455ff25c71ac1fe6c576654b51efbfb860110bd6828065d23f7462d5c5cac772074d1a40f033386258d970b77275b2007bcfdffb23fdff2137154ea46e4
+EBUILD spice-0.14.3-r1.ebuild 2698 BLAKE2B 684a4f44144e435a7929731f8859e263a0d9e5da436011cbe6248589ee2c4ed074615e7b88a8eba8329a322581596eb73d598b5747b371f92b3bf71dae0eba49 SHA512 323c4e23e1ad04d56792c868054eb6edbb454c3af3124858f7623e6c33c7ad867f3ccf188f8736c6c810af30aa867d0fdb90005f1ad4d0299c287dc35bd9d7f2
 EBUILD spice-0.14.3.ebuild 2387 BLAKE2B 59c62447ccb9c49925163da9e976f642284daf975de196ade102593cf7ab131687e39e46b2206631513b4d8f5399936df3a0052a1b44b5c2a08cc0a6eb09ca6c SHA512 0269e6f91a2c028330de839878cd265f9a2b6d8b4677282e7524b0b8a4316620e7c5ca94789983e63e9d3420efb394324541fd5324f1e91e92cf8f4370dd6846
-EBUILD spice-9999.ebuild 2260 BLAKE2B 650dad9629ce6cd4804adc4ee62c878999b9f8904579512bb229f4854f2687db0bf05b4c4ceab96d179dfbd93a5969ad78e4c88f593c8d666e6e0ffdfff810b1 SHA512 ad1ae55797e60f33f9da14b07ff81be6e1b8c3ecb9e5aec97f1d0586284116c3b387f2df74fa479fb3098924af26c46caee08bc8d8d85af68a3c2bd300e612b7
+EBUILD spice-9999.ebuild 2357 BLAKE2B bc8f0fdacbabead0e2f8917635adcc99dbf7bef8be1c7198983793d3653b24807bdd7d301dc107630e3461c95aac431faca02aa244f2cc9508553ee4c3bc9c9b SHA512 2ef47fcd3ef83c93470e38f8eb29b7873a5d77ad1090bb4c183222c5e66c4609a53fbb3ceb6157f7c1dbc42d44177636654c945fd9da762368ad5703b0dfefd6
 MISC metadata.xml 385 BLAKE2B 599bae33d9264b8b3b4474b0d2234d66e6c6f2cd3da1710bfea64f75570264da7f4de712cecb95408a059f70e3dba2de2a421c02f1f728e39c2bf913c2c570a0 SHA512 c75966298d69fb56b3e16c98b0cc7b3b2514d2ad2a6b790777c00493754e678388f0eb17fbabc6f58a667883e87d2a4f19c2a1c34f5c87f81fb13a8948ab85c8
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
new file mode 100644
index 000000000000..338f4e6ca657
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-404d7478.patch
@@ -0,0 +1,31 @@
+diff --git a/common/quic.c b/common/quic.c
+index bc753ca5064a0326906b4aa8c18d8745747feb5c..681531677fbd6c3bca5e482c77bb709d4465ef8e 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -56,6 +56,9 @@ typedef uint8_t BYTE;
+ #define MINwminext 1
+ #define MAXwminext 100000000
+ 
++/* Maximum image size in pixels, mainly to avoid possible integer overflows */
++#define SPICE_MAX_IMAGE_SIZE (512 * 1024 * 1024 - 1)
++
+ typedef struct QuicFamily {
+     unsigned int nGRcodewords[MAXNUMCODES];      /* indexed by code number, contains number of
+                                                     unmodified GR codewords in the code */
+@@ -1165,6 +1168,16 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     height = encoder->io_word;
+     decode_eat32bits(encoder);
+ 
++    if (width <= 0 || height <= 0) {
++        encoder->usr->warn(encoder->usr, "invalid size\n");
++        return QUIC_ERROR;
++    }
++
++    /* avoid too big images */
++    if ((uint64_t) width * height > SPICE_MAX_IMAGE_SIZE) {
++        encoder->usr->error(encoder->usr, "image too large\n");
++    }
++
+     quic_image_params(encoder, type, &channels, &bpc);
+ 
+     if (!encoder_reset_channels(encoder, channels, width, bpc)) {
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
new file mode 100644
index 000000000000..ce79ef0043ee
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-762e0aba.patch
@@ -0,0 +1,13 @@
+diff --git a/common/quic.c b/common/quic.c
+index e2dee0fd68741512911d5d050053ad073cf29457..bc753ca5064a0326906b4aa8c18d8745747feb5c 100644
+--- a/subprojects/spice-common/common/quic.c
++++ b/subprojects/spice-common/common/quic.c
+@@ -1136,7 +1136,7 @@ int quic_decode_begin(QuicContext *quic, uint32_t *io_ptr, unsigned int num_io_w
+     int channels;
+     int bpc;
+ 
+-    if (!encoder_reset(encoder, io_ptr, io_ptr_end)) {
++    if (!num_io_words || !encoder_reset(encoder, io_ptr, io_ptr_end)) {
+         return QUIC_ERROR;
+     }
+ 
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
new file mode 100644
index 000000000000..40127deda15a
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-b24fe6b6.patch
@@ -0,0 +1,18 @@
+diff --git a/common/quic_family_tmpl.c b/common/quic_family_tmpl.c
+index 8a5f7d2c9be3f6b1bd82993703749268bab243b4..6cc051b36889f773fe5401e204db6245d99e27df 100644
+--- a/subprojects/spice-common/common/quic_family_tmpl.c
++++ b/subprojects/spice-common/common/quic_family_tmpl.c
+@@ -103,7 +103,12 @@ static s_bucket *FNAME(find_bucket)(Channel *channel, const unsigned int val)
+ {
+     spice_extra_assert(val < (0x1U << BPC));
+ 
+-    return channel->_buckets_ptrs[val];
++    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
++     * attempts. Is much faster then using comparisons and save us from such situations.
++     * Note that on normal build the check above won't be compiled as this code path
++     * is pretty hot and would cause speed regressions.
++     */
++    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
+ }
+ 
+ #undef FNAME
diff --git a/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
new file mode 100644
index 000000000000..bc764ec23ce2
--- /dev/null
+++ b/app-emulation/spice/files/spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch
@@ -0,0 +1,17 @@
+diff --git a/common/quic_tmpl.c b/common/quic_tmpl.c
+index ecd6f3f187c753a89b7dbb0657edc3ae82ffaaff..ebae992d642a657a7505b3ca0e8145310805f32f 100644
+--- a/subprojects/spice-common/common/quic_tmpl.c
++++ b/subprojects/spice-common/common/quic_tmpl.c
+@@ -563,7 +563,11 @@ static void FNAME_DECL(uncompress_row_seg)(const PIXEL * const prev_row,
+ do_run:
+         state->waitcnt = stopidx - i;
+         run_index = i;
+-        run_end = i + decode_state_run(encoder, state);
++        run_end = decode_state_run(encoder, state);
++        if (run_end < 0 || run_end > (end - i)) {
++            encoder->usr->error(encoder->usr, "wrong RLE\n");
++        }
++        run_end += i;
+ 
+         for (; i < run_end; i++) {
+             UNCOMPRESS_PIX_START(&cur_row[i]);
diff --git a/app-emulation/spice/spice-0.14.3-r1.ebuild b/app-emulation/spice/spice-0.14.3-r1.ebuild
new file mode 100644
index 000000000000..3b1c4cfb9ca5
--- /dev/null
+++ b/app-emulation/spice/spice-0.14.3-r1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{7,8,9} )
+inherit autotools python-any-r1 readme.gentoo-r1 xdg-utils
+
+DESCRIPTION="SPICE server"
+HOMEPAGE="https://www.spice-space.org/"
+SRC_URI="https://www.spice-space.org/download/releases/spice-server/${P}.tar.bz2"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="amd64 arm64 ppc64 x86"
+IUSE="libressl lz4 sasl smartcard static-libs gstreamer test"
+
+RESTRICT="!test? ( test )"
+
+# the libspice-server only uses the headers of libcacard
+RDEPEND="
+	dev-lang/orc[static-libs(+)?]
+	>=dev-libs/glib-2.22:2[static-libs(+)?]
+	media-libs/opus[static-libs(+)?]
+	sys-libs/zlib[static-libs(+)?]
+	virtual/jpeg:0=[static-libs(+)?]
+	>=x11-libs/pixman-0.17.7[static-libs(+)?]
+	!libressl? ( dev-libs/openssl:0=[static-libs(+)?] )
+	libressl? ( dev-libs/libressl:0=[static-libs(+)?] )
+	lz4? ( app-arch/lz4:0=[static-libs(+)?] )
+	smartcard? ( >=app-emulation/libcacard-0.1.2 )
+	sasl? ( dev-libs/cyrus-sasl[static-libs(+)?] )
+	gstreamer? (
+		media-libs/gstreamer:1.0
+		media-libs/gst-plugins-base:1.0
+	)"
+DEPEND="${RDEPEND}
+	>=app-emulation/spice-protocol-0.14.0
+	smartcard? ( app-emulation/qemu[smartcard] )
+	test? ( net-libs/glib-networking )"
+BDEPEND="${PYTHON_DEPS}
+	virtual/pkgconfig
+	$(python_gen_any_dep '
+		>=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]
+		dev-python/six[${PYTHON_USEDEP}]
+	')"
+
+python_check_deps() {
+	has_version -b ">=dev-python/pyparsing-1.5.6-r2[${PYTHON_USEDEP}]"
+	has_version -b "dev-python/six[${PYTHON_USEDEP}]"
+}
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2020-14355-762e0aba.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-404d7478.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-ef1b6ff7.patch
+	"${FILESDIR}"/${P}-CVE-2020-14355-b24fe6b6.patch
+)
+
+pkg_setup() {
+	[[ ${MERGE_TYPE} != binary ]] && python-any-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	eautoreconf
+}
+
+src_configure() {
+	# Prevent sandbox violations, bug #586560
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744134
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744135
+	addpredict /dev
+
+	xdg_environment_reset
+
+	local myconf="
+		$(use_enable static-libs static)
+		$(use_enable lz4)
+		$(use_with sasl)
+		$(use_enable smartcard)
+		$(use_enable test tests)
+		--enable-gstreamer=$(usex gstreamer "1.0" "no")
+		--disable-celt051
+		"
+	econf ${myconf}
+}
+
+src_compile() {
+	# Prevent sandbox violations, bug #586560
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744134
+	# https://bugzilla.gnome.org/show_bug.cgi?id=744135
+	addpredict /dev
+
+	default
+}
+
+src_install() {
+	default
+	use static-libs || find "${D}" -name '*.la' -type f -delete || die
+	readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+	readme.gentoo_print_elog
+}
diff --git a/app-emulation/spice/spice-9999.ebuild b/app-emulation/spice/spice-9999.ebuild
index a7cd1fa64454..44eb9c360ee8 100644
--- a/app-emulation/spice/spice-9999.ebuild
+++ b/app-emulation/spice/spice-9999.ebuild
@@ -1,9 +1,9 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-PYTHON_COMPAT=( python3_{7,8} )
+PYTHON_COMPAT=( python3_{7,8,9} )
 inherit git-r3 meson python-any-r1 readme.gentoo-r1 xdg-utils
 
 DESCRIPTION="SPICE server"
@@ -14,7 +14,9 @@ EGIT_REPO_URI="https://anongit.freedesktop.org/git/spice/spice.git"
 LICENSE="LGPL-2.1"
 SLOT="0"
 KEYWORDS=""
-IUSE="gstreamer libressl lz4 opus sasl smartcard static-libs"
+IUSE="gstreamer libressl lz4 opus sasl smartcard static-libs test"
+
+RESTRICT="!test? ( test )"
 
 # the libspice-server only uses the headers of libcacard
 RDEPEND="
@@ -35,7 +37,8 @@ RDEPEND="
 	)"
 DEPEND="${RDEPEND}
 	~app-emulation/spice-protocol-9999
-	smartcard? ( app-emulation/qemu[smartcard] )"
+	smartcard? ( app-emulation/qemu[smartcard] )
+	test? ( net-libs/glib-networking )"
 BDEPEND="${PYTHON_DEPS}
 	virtual/pkgconfig
 	$(python_gen_any_dep '
@@ -73,6 +76,7 @@ src_configure() {
 		$(meson_use sasl)
 		$(meson_feature opus)
 		$(meson_feature smartcard)
+		$(meson_use test tests)
 		-Dmanual=false
 		-Dtests=false
 	)