Bug 22564

Summary: spice-vdagent new security issue CVE-2017-15108
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bequimao.de, herman.viaene, lewyssmith, marja11, pkg-bugs, sysadmin-bugs, tarazed25
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK
Source RPM: spice-vdagent-0.17.0-2.mga6.src.rpm CVE:
Status comment: Upstream patch is available

Description David Walser 2018-02-10 22:01:02 CET 
openSUSE has issued an advisory on February 8:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html

The upstream fix is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1070724

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-10 22:02:25 CET

Whiteboard: (none) => MGA6TOO

David Walser 2018-02-10 22:07:28 CET

Status comment: (none) => Upstream patch is available

Comment 1 Marja Van Waes 2018-02-11 17:34:30 CET 
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => alien

Comment 2 David Walser 2019-01-01 04:24:13 CET 
Patch is included upstream in 0.18.0, which is in Cauldron (updated by tv).

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 3 David Walser 2019-01-01 22:55:00 CET 
Advisory:
========================

Updated spice-vdagent package fixes security vulnerability:

Improperly escaped save directory that is passed to the shell allows local
attacker with access to the session the agent runs to inject arbitrary commands
to be executed (CVE-2017-15108).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15108
https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html
========================

Updated packages in core/updates_testing:
========================
spice-vdagent-0.18.0-1.mga6

from spice-vdagent-0.18.0-1.mga6.src.rpm

Assignee: alien => qa-bugs

Comment 4 David Walser 2019-01-01 22:59:22 CET 
I got a bogus e-mail from the build system:
The upload of the following packages failed:

- spice-vdagent-debuginfo-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.x86_64.rpm
- spice-vdagent-debuginfo-0.18.0-1.mga6.x86_64.rpm

Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101214221.luigiwalser.duvel.17888.youri

CC: (none) => sysadmin-bugs

Comment 5 Herman Viaene 2019-01-04 16:45:32 CET 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI:
# systemctl start spice-vdagentd
# systemctl -l status spice-vdagentd
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; indirect; vendor preset: enabled)
   Active: active (running) since vr 2019-01-04 16:43:15 CET; 17s ago
  Process: 19898 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/
 Main PID: 19899 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─19899 /usr/sbin/spice-vdagentd

jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Starting Agent daemon for Spice guests...
jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Started Agent daemon for Spice guests.


Googling learned me this is part of virtual machine handling. I will not venture into that on a small, slow 32-bitter.
At least it does not disturb anything else

CC: (none) => herman.viaene

Ulrich Beckmann 2019-01-10 20:24:26 CET

CC: (none) => bequimao.de

Comment 6 Len Lawrence 2019-01-11 15:54:48 CET 
Trying to figure out how this all works.  Initial googling supports Herman's conclusion that a VM is involved.

This is one quote:

SPICE could be divided into 4 different components: Protocol, Client, Server and Guest. The protocol is the specification in the communication of the three other components; A client such as remote-viewer is responsible to send data and translate the data from the Virtual Machine (VM) so you can interact with it; The SPICE server is the library used by the hypervisor in order to share the VM under SPICE protocol; And finally, the Guest side is all the software that must be running in the VM in order to make SPICE fully functional, such as the QXL driver and SPICE VDAgent.

spice-client is available in Mageia but it is beyond me to put it all together.  Testing spice-vdagent by itself would seem to be impossible in the light of that quote so starting and stopping the service is about all we can do.

@Herman, re comment 5.  Clean update, service runs.  You should give it the OK.
Setting up a proper testbed involves more work than QA should be expected to do unless there is somebody who already uses such a setup.

CC: (none) => tarazed25

Comment 7 Herman Viaene 2019-01-11 16:08:33 CET 
Len, your wish is my command.(-:

Whiteboard: (none) => MGA6-32-OK

Comment 8 Lewis Smith 2019-01-11 19:49:04 CET 
Thanks to you both (needs another hotkey).
Advisory from comment 3. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith

Comment 9 Mageia Robot 2019-01-11 22:09:14 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0032.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED