Bug 24257

Summary: spice new security issue CVE-2019-3813
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: bequimao.de, davidwhodgins, marja11, nicolas.salguero, smelror, sysadmin-bugs, thierry.vignaud
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: spice-0.13.90-1.mga6.src.rpm CVE: CVE-2019-3813, CVE-2018-10873, CVE-2018-10893
Status comment:
Bug Depends on:    
Bug Blocks: 23466    

Description David Walser 2019-01-29 12:48:30 CET 
A security issue in spice has been announced:
https://www.openwall.com/lists/oss-security/2019/01/28/2

The issue will be fixed upstream in 0.14.2.

As noted in reply to the message above, the attached patch fails to apply to 0.14.1.

Mageia 6 is also affected.
David Walser 2019-01-29 12:48:41 CET

Blocks: (none) => 23466
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-30 12:47:54 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => marja11, nicolas.salguero, smelror, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-02-01 19:05:31 CET 
RedHat has issued an advisory for this on January 31:
https://access.redhat.com/errata/RHSA-2019:0231
Comment 3 David Walser 2019-02-01 19:13:26 CET 
Ubuntu has issued an advisory for this on January 28:
https://usn.ubuntu.com/3870-1/
Comment 4 David Walser 2019-02-02 20:53:11 CET 
Fixed in spice-0.14.1-3.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 5 David Walser 2019-02-11 01:19:26 CET 
Fedora has issued an advisory for this on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
Comment 6 Nicolas Salguero 2019-02-14 09:58:05 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
========================

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.1.mga6
lib(64)spice-server1-0.13.90-1.1.mga6
lib(64)spice-server-devel-0.13.90-1.1.mga6

from SRPMS:
spice-0.13.90-1.1.mga6.src.rpm

Source RPM: spice-0.14.1-2.mga7.src.rpm => spice-0.13.90-1.mga6.src.rpm
CVE: (none) => CVE-2019-3813
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 7 Nicolas Salguero 2019-02-14 11:35:44 CET 
To also solve bug 23466, I bumped the subrel so:

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.2.mga6
lib(64)spice-server1-0.13.90-1.2.mga6
lib(64)spice-server-devel-0.13.90-1.2.mga6

from SRPMS:
spice-0.13.90-1.2.mga6.src.rpm
Comment 8 Nicolas Salguero 2019-02-14 12:46:58 CET 
I add advisory for bug 23466 too:

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10893
http://openwall.com/lists/oss-security/2018/08/17/1
https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html
https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html
Nicolas Salguero 2019-02-14 13:27:29 CET

CVE: CVE-2019-3813 => CVE-2019-3813, CVE-2018-10873, CVE-2018-10893

Ulrich Beckmann 2019-02-17 20:27:52 CET

CC: (none) => bequimao.de

Comment 9 Dave Hodgins 2019-02-21 20:38:42 CET 
Adding ok based on testing shown by bug 23466 comment 14
Advisory committed to svn. Validating update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2019-02-22 01:36:50 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0100.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED