NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c8f51a00d8
kumquat-buildroot/package/spice/spice.mk
Peter Korsgaard 75057fe767 spice: security bump to version 0.12.8 
Fixes the following security issues:

CVE-2016-0749: The smartcard interaction in SPICE allows remote attackers to
cause a denial of service (QEMU-KVM process crash) or possibly execute
arbitrary code via vectors related to connecting to a guest VM, which
triggers a heap-based buffer overflow.

CVE-2016-2150: SPICE allows local guest OS users to read from or write to
arbitrary host memory locations via crafted primary surface parameters, a
similar issue to CVE-2015-5261.

The pyparsing check has been dropped from configure, and the spice protocol
definition is again included, so the workarounds can be removed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-06-22 23:25:30 +02:00

75 lines
2.5 KiB
Makefile
Raw Blame History

################################################################################
#
# spice
#
################################################################################
SPICE_VERSION = 0.12.8
SPICE_SOURCE = spice-$(SPICE_VERSION).tar.bz2
SPICE_SITE = http://www.spice-space.org/download/releases
SPICE_LICENSE = LGPL-2.1+
SPICE_LICENSE_FILES = COPYING
SPICE_INSTALL_STAGING = YES
SPICE_DEPENDENCIES = \
jpeg \
libglib2 \
openssl \
pixman \
spice-protocol
# We disable everything for now, because the dependency tree can become
# quite deep if we try to enable some features, and I have not tested that.
SPICE_CONF_OPTS = \
--disable-opengl \
--disable-smartcard \
--disable-automated-tests \
--without-sasl \
--disable-manual
SPICE_DEPENDENCIES += host-pkgconf
ifeq ($(BR2_PACKAGE_CELT051),y)
SPICE_CONF_OPTS += --enable-celt051
SPICE_DEPENDENCIES += celt051
else
SPICE_CONF_OPTS += --disable-celt051
endif
ifeq ($(BR2_PACKAGE_LZ4),y)
SPICE_CONF_OPTS += --enable-lz4
SPICE_DEPENDENCIES += lz4
else
SPICE_CONF_OPTS += --disable-lz4
endif
# no enable/disable, detected using pkg-config
ifeq ($(BR2_PACKAGE_OPUS),y)
SPICE_DEPENDENCIES += opus
endif
# We need to tweak spice.pc because it /forgets/ (for static linking) that
# it should link against libz and libjpeg. libz is pkg-config-aware, while
# libjpeg isn't, hence the two-line tweak
define SPICE_POST_INSTALL_STAGING_FIX_PC
$(SED) 's/^\(Requires.private:.*\)$$/\1 zlib/; s/^\(Libs.private:.*\)$$/\1 -ljpeg/;' \
"$(STAGING_DIR)/usr/lib/pkgconfig/spice-server.pc"
endef
SPICE_POST_INSTALL_STAGING_HOOKS += SPICE_POST_INSTALL_STAGING_FIX_PC
# It is currently not possible to detect if stack-protection is available
# or not, because it requires support from both the compiler *and* the
# C library, but the C library (eg. uClibc) can be compiled without that
# support, even if gcc accepts the -fstack-protector-all option.
# spice's ./configure only checks for gcc's -fstack-protector-all option,
# so it misses the case where the C library doe not provide the requires
# support.
# A correct fix would be to fix spice's ./configure to also check the C
# library, but it might be much more involved.
# So, we simply disable it for now. After all, as uClibc's help puts it:
# Note that NOEXECSTACK on a kernel with address space randomization
# is generally sufficient to prevent most buffer overflow exploits
# without increasing code size.
SPICE_CONF_OPTS += gl_cv_warn__fstack_protector_all=no
$(eval $(autotools-package))
Reference in New Issue View Git Blame Copy Permalink