Bug 848279 (CVE-2013-4282) - VUL-0: CVE-2013-4282: spice: buffer overflow in password handling
Summary: VUL-0: CVE-2013-4282: spice: buffer overflow in password handling
Status: RESOLVED FIXED
Alias: CVE-2013-4282
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Cédric Bosdonnat
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-30 13:01 UTC by Marcus Meissner
Modified: 2017-02-13 10:01 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2013-10-30 13:01:31 UTC
CVE-2013-4282, via rh bugzilla and linux-distros 


From 3554c19d1c65c2bc4ae8cadb7296256c03215257 Mon Sep 17 00:00:00 2001
From: Christophe Fergeau <cfergeau@redhat.com>
Subject: [PATCH] Fix buffer overflow when decrypting client SPICE ticket

reds_handle_ticket uses a fixed size 'password' buffer for the decrypted
password whose size is SPICE_MAX_PASSWORD_LENGTH. However,
RSA_private_decrypt which we call for the decryption expects the
destination buffer to be at least RSA_size(link->tiTicketing.rsa)
bytes long. On my spice-server build, SPICE_MAX_PASSWORD_LENGTH
is 60 while RSA_size() is 128, so we end up overflowing 'password'
when using long passwords (this was reproduced using the string:
'fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]'
as a password).

When the overflow occurs, QEMU dies with:
*** stack smashing detected ***: qemu-system-x86_64 terminated

This commit ensures we use a correctly sized 'password' buffer,
and that it's correctly nul-terminated so that we can use strcmp
instead of strncmp. To keep using strncmp, we'd need to figure out
which one of 'password' and 'taTicket.password' is the smaller buffer,
and use that size.

---
 server/reds.c | 44 ++++++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 12 deletions(-)

(rest of the patch attached)


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1000443
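A model of the pre-fix and post-fix buffer handling described in the commit message above, as an added example. This is not spice's own code and not the attached patch: RSA_private_decrypt is replaced by a stand-in (demo_private_decrypt) that does no cryptography and only models the contract that matters, that the callee writes the whole plaintext into the destination and is told the key size but never the destination size. The stand-in assumes RSA-OAEP with SHA-1 padding for its rsa_size - 42 plaintext bound (the report does not state the padding mode), and the names check_ticket_vulnerable, check_ticket_fixed and max_overrun_bytes are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes quoted in the bug report: the server's fixed 'password' buffer and
 * the RSA_size() of the reporter's key (128 bytes, a 1024-bit modulus). */
#define SPICE_MAX_PASSWORD_LENGTH 60
#define DEMO_RSA_SIZE 128

/* The ticket string the reporter used to trigger the overflow (76 characters). */
static const char *REPORTED_TICKET =
    "fullscreen=1proxy=#enter proxy here; e.g spice_proxy = http://[proxy]:[port]";

#define DEMO_WOULD_OVERFLOW (-2)

/* Stand-in for RSA_private_decrypt(): no cryptography. The real function
 * writes the plaintext into 'to' knowing only the key size, so it runs past
 * a short buffer; this stand-in takes an extra 'to_len' and returns
 * DEMO_WOULD_OVERFLOW instead, so the demo does not corrupt its own stack.
 * The rsa_size - 42 cap is the RSA-OAEP/SHA-1 plaintext limit (assumed). */
static int demo_private_decrypt(const char *plaintext, unsigned char *to,
                                size_t to_len, int rsa_size)
{
    size_t n = strlen(plaintext);

    if (rsa_size < 42 || n > (size_t)(rsa_size - 42))
        return -1;                      /* undecryptable for this key size */
    if (n > to_len)
        return DEMO_WOULD_OVERFLOW;     /* real code: stack smash right here */
    memcpy(to, plaintext, n);
    return (int)n;
}

/* Pre-fix shape: destination sized by SPICE_MAX_PASSWORD_LENGTH, not by the
 * key. Returns 1 on match, 0 on mismatch, negative on error. The buffer is
 * zeroed only so the model has no uninitialised reads. */
static int check_ticket_vulnerable(const char *ticket, int rsa_size,
                                   const char *expected)
{
    char password[SPICE_MAX_PASSWORD_LENGTH] = {0};
    int n = demo_private_decrypt(ticket, (unsigned char *)password,
                                 sizeof password, rsa_size);

    if (n < 0)
        return n;
    return strncmp(password, expected, sizeof password) == 0;
}

/* Post-fix shape: allocate RSA_size(key) + 1 bytes, terminate at the length
 * the decrypt returned, then a plain strcmp is safe. */
static int check_ticket_fixed(const char *ticket, int rsa_size,
                              const char *expected)
{
    char *password = calloc((size_t)rsa_size + 1, 1);
    int n, ok;

    if (password == NULL)
        return -1;
    n = demo_private_decrypt(ticket, (unsigned char *)password,
                             (size_t)rsa_size, rsa_size);
    if (n < 0) {
        free(password);
        return n;
    }
    password[n] = '\0';                 /* n <= rsa_size, so this is in bounds */
    ok = strcmp(password, expected) == 0;
    free(password);
    return ok;
}

/* How many bytes past the fixed buffer the longest decryptable ticket would
 * reach with a given modulus size (0 when the key is too small to matter). */
static int max_overrun_bytes(int rsa_size)
{
    int max_plaintext = rsa_size - 42;

    return max_plaintext > SPICE_MAX_PASSWORD_LENGTH
               ? max_plaintext - SPICE_MAX_PASSWORD_LENGTH
               : 0;
}

int main(void)
{
    printf("reporter's ticket, fixed buffer:     %d\n",
           check_ticket_vulnerable(REPORTED_TICKET, DEMO_RSA_SIZE, REPORTED_TICKET));
    printf("reporter's ticket, key-sized buffer: %d\n",
           check_ticket_fixed(REPORTED_TICKET, DEMO_RSA_SIZE, REPORTED_TICKET));
    printf("max overrun with a %d-byte modulus:  %d bytes\n",
           DEMO_RSA_SIZE, max_overrun_bytes(DEMO_RSA_SIZE));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. The point the model makes is that the destination size must come from RSA_size() of the server's key at the time of the call, not from a compile-time password limit: with a 128-byte modulus the fixed 60-byte buffer can be overrun by up to 26 bytes of attacker-chosen plaintext, while a buffer of RSA_size() + 1 bytes plus an explicit terminator at the returned length makes strcmp safe.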
Comment 1 Swamp Workflow Management 2013-10-30 23:00:24 UTC
bugbot adjusting priority
Comment 3 Cédric Bosdonnat 2015-04-01 12:40:18 UTC
Maintenance request created with the added patch: #54492
Comment 5 Swamp Workflow Management 2015-05-15 16:05:05 UTC
SUSE-SU-2015:0884-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 848279
CVE References: CVE-2013-4282
Sources used:
SUSE Linux Enterprise Server 12 (src):    spice-0.12.4-6.1
SUSE Linux Enterprise Desktop 12 (src):    spice-0.12.4-6.1
Comment 6 Swamp Workflow Management 2015-05-15 23:05:03 UTC
SUSE-SU-2015:0884-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 848279
CVE References: CVE-2013-4282
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    spice-0.12.4-6.1
Comment 7 Sebastian Krahmer 2015-05-18 12:07:59 UTC
Seems like all affected dists have been released (SLE12). closing
Comment 8 Swamp Workflow Management 2015-10-15 08:09:59 UTC
openSUSE-SU-2015:1750-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 848279,944460,944787,948976
CVE References: CVE-2013-4282,CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
openSUSE 13.2 (src):    spice-0.12.4-4.6.1
openSUSE 13.1 (src):    spice-0.12.4-2.3.1
Comment 9 Bernhard Wiedemann 2017-02-02 11:02:02 UTC
This is an autogenerated message for OBS integration:
This bug (848279) was mentioned in
https://build.opensuse.org/request/show/454133 Factory / spice