Commits

Peter Korsgaard committed 622ff3d6ea6
spice: security bump to version 0.12.6 Fixes the following security issues: CVE-2015-3247: Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via unspecified vectors. CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL commands related to the surface_id parameter. CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to read and write to arbitrary memory locations on the host via guest QXL commands related to surface creation. Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so add Config.in.legacy handling for them. Lz4 is a new optional dependency, so handle it. The spice protocol definition is no longer included and instead used from spice-protocol. The build system uses pkg-config --variable=codegendir to find the build time path of this, which doesn't take our STAGING_DIR prefix into consideration, so it needs some help. The installed protocol definition will likewise be newer than the generated files, so we need to workaround that to ensure they are not regenerated (which needs host python / pyparsing). Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>