spice: security bump to version 0.12.6

spice: security bump to version 0.12.6

Fixes the following security issues:

CVE-2015-3247: Race condition in the worker_update_monitors_config function
in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial
of service (heap-based memory corruption and QEMU-KVM crash) or possibly
execute arbitrary code on the host via unspecified vectors.

CVE-2015-5260: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to cause a denial of service (heap-based memory corruption
and QEMU-KVM crash) or possibly execute arbitrary code on the host via QXL
commands related to the surface_id parameter.

CVE-2015-5261: Heap-based buffer overflow in SPICE before 0.12.6 allows
guest OS users to read and write to arbitrary memory locations on the host
via guest QXL commands related to surface creation.

Client/gui support is gone upstream (moved to spice-gtk / virt-viewer), so
add Config.in.legacy handling for them.

Lz4 is a new optional dependency, so handle it.

The spice protocol definition is no longer included and instead used from
spice-protocol.  The build system uses pkg-config --variable=codegendir to
find the build time path of this, which doesn't take our STAGING_DIR prefix
into consideration, so it needs some help.  The installed protocol
definition will likewise be newer than the generated files, so we need to
workaround that to ensure they are not regenerated (which needs host python
/ pyparsing).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>