Bug 12266

Summary: spice new security issue CVE-2013-4282
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: shlomif, sysadmin-bugs, tmb
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: has_procedure advisory mga3-64-ok mga3-32-ok
Source RPM: spice-0.12.2-5.1.mga3.src.rpm CVE: CVE-2013-4282
Status comment:

Description David Walser 2014-01-10 18:55:25 CET 
RedHat has issued an advisory on October 29:
https://rhn.redhat.com/errata/RHSA-2013-1473.html

Patch added in Mageia 3 and Cauldron SVN.  Freeze push requested for Cauldron.

More details on this issue are here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=728314

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-10 19:00:51 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-11 03:07:47 CET 
Patched packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerability:

A stack-based buffer overflow flaw was found in the way the
reds_handle_ticket() function in the spice-server library handled
decryption of ticket data provided by the client. A remote user able to
initiate a SPICE connection to an application acting as a SPICE server
could use this flaw to crash the application (CVE-2013-4282).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4282
https://rhn.redhat.com/errata/RHSA-2013-1473.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.2-5.2.mga3
libspice-server1-0.12.2-5.2.mga3
libspice-server-devel-0.12.2-5.2.mga3

from spice-0.12.2-5.2.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 2 Shlomi Fish 2014-01-17 15:22:52 CET 
It's not clear how to setup a SPICE service that the client can connect to. The documentation in the spice-client package is almost entirely non-existent. I did spice-client --host localhost and was asked for a port. The wikipedia page on the SPICE protocol does not provide a lot of info.

Are the spice package in question provided for people who are intimately familiar with them? What should be done?

CC: (none) => shlomif
Whiteboard: (none) => feedback

Comment 3 David Walser 2014-01-17 15:25:10 CET 
The feedback tag is when feedback is needed from packagers.  I don't know how to test this, but maybe you can search for previous times we've updated this in Bugzilla and can find some details there.

Whiteboard: feedback => (none)

Comment 4 claire robinson 2014-01-20 16:49:54 CET 
Testing complete mga3 64

Procedure in bug 10987

Whiteboard: (none) => has_procedure mga3-64-ok

Comment 5 claire robinson 2014-01-20 16:56:04 CET 
Testing complete mga3 32

Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 6 claire robinson 2014-01-20 17:25:20 CET 
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok mga3-32-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-01-21 17:44:04 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0022.html

Status: NEW => RESOLVED
CC: (none) => tmb
CVE: (none) => CVE-2013-4282
Resolution: (none) => FIXED