Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.128. libcacard

Updated libcacard and spice-client packages that fix a number of bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol designed for virtual environments. The spice-client package provides the client side of the SPICE protocol.
The libcacard package contains the Common Access Card (CAC) emulation library.
The spice-client package has been upgraded to upstream version 0.8.2, which provides a number of bug fixes and enhancements over the previous version, including:
  • Various code cleanup modifications, such as removing unused variables, dead code and typos, have been included.
  • Several package build changes, such as enabling a silent build and a cleanup in the script have been included.
  • White spaces in values for the --host-subject command line option are now ignored.
  • A new --version command line option for the spicec command has been added.
The libcacard package has been upgraded to upstream version 0.15.0, which provides a number of bug fixes and enhancements over the previous version, including a fix for the following bug:
  • Some AET middleware did not work correctly with the CKM_RSA_X_590 encrypting mechanism even though it reported support for this mechanism. Consequently, if such middleware was used by libcacard virtual smart cards, smart cards failed to emulate any RSA authentication based operations, such as requesting a security pin or retrieving user certificates. The library has been modified to handle CKM_RSA_X590 failures by falling back to use CKM_RSA_PKCS encryption. Virtual smart cards now work correctly with AET middleware.

Bug Fixes

Although old SPICE-related packages (such as cairo-spice) are no longer required to be installed with the spice-client package, they were still needed by a previously installed spice-client or spice-server package. With the Obsolete lines in the package spec file, updating spice-client forced an update of spice-server as well, and vice versa. With this update, all "Obsolete" lines have been removed from the spice-client.spec file, and updating spice-client no longer forces the update of spice-server.
The SPICE client did not correctly handle monitor setting routines when it was running on a client machine with multiple monitors. As a consequence, the client entered an infinite loop while trying to rearrange monitors, which eventually caused the client to terminate unexpectedly. With this update, the code has been modified to prevent the client from entering this loop, and the client thus no longer crashes.
The SPICE client failed to connect to the SPICE server on the target host after a virtual machine had been migrated to a remote machine. This happened when the migration of the virtual machine took longer than the expiration time of the SPICE ticket that was set on the target host. Without a valid password, the SPICE server refused connection from the SPICE client and the SPICE session had to be closed. To prevent this problem, support for spice semi-seamless migration has been added. Other components such as spice-protocol, spice-server and qemu-kvm have also been modified to support this feature. SPICE now allows the SPICE client to connect to the SPICE server on the target host at the very start of the virtual machine migration, just before the migrate monitor command is given to the qemu-kvm application. With a valid ticket on the target host, the SPICE ticket on the destination no longer expires and the SPICE client now remains open when the virtual machine migration is done.
Due to an incorrect condition in the code, the SPICE client could attempt to free memory that has already been freed. Therefore, when the KDE desktop screen of the client machine with the running SPICE client was locked, the SPICE client terminated unexpectedly with a segmentation fault after unlocking the screen. The code has been modified to free memory correctly, and the SPICE client no longer crashes in the scenario described.
When running multiple SPICE client sessions at the same time and the screen resolution on the client machine was changed, the SPICE client could often enter an infinite loop in the code. As a consequence, the X Windows server consumed up to 100% of CPU and caused the client machine to be unresponsive. With this update, the underlying code has been modified to prevent the client from entering the loop, and the problem no longer occurs.
The help description for the --color-depth and --disable-effects client WAN options was inaccurate. With this update, the spicec --help command now clearly states that these WAN options have effect only if supported by the guest vdagent.
Due to the way the SPICE server establishes secured connections, the SPICE client log contained secure-connection messages that included the misleading string, connect_unsecure. With this update, the function used to establish secure connections has been renamed and secure-connection messages in the client log now contain the connect_to_peer string.
On a Linux guest that uses the Xinerama extension, X Windows creates a non-primary screen surface before it creates the primary screen surface when creating secondary screens on start up. Unfortunately, the SPICE client expected an existence of the primary screen surface when it attempted to handle the creation of non-primary screen surfaces. The primary surface did not exist at the time, therefore the SPICE client terminated unexpectedly. With this update, the SPICE client now ensures that the screen exists before starting operations on it. The SPICE client no longer crashes in the scenario described.
Previously, the --smartcard-db client command line option was not handled properly. As a consequence, when running with this option, the SPICE client terminated with the following error message:
Error: unhandled exception: cmd line error
With this update, the --smartcard-db option is now handled properly and the SPICE client works as expected using this option.
When attempting to connect to a Linux guest using the SPICE client with WAN options and the SPICE agent (vdagent) was running on the guest, the client initiated handshaking. If the vdagent did not support WAN options, it did not reply to the client and connection thus failed with the vdagent timeout. Also with certain WAN options, such as --color-depth 16, the attempt to connect failed with the vdagent timeout even though no vdagent was running on the guest. With this update, the SPICE client checks capabilities of the vdagent. If vdagent does not support WAN options or there is no vdagent running on the guest, the client continues with the message sequence initiation and connection is now successful.
Due to a missing error code setting in the source code, the SPICE client returned exit code 0 when running without the --host command line option, although the client correctly displayed the following error message:
spicec: missing --host
With this update, the missing line in the code has been added, and the SPICE client now correctly exits with the error code 14 in this scenario.
All users of libcacard and spice-client are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.