| Summary: | spice, spice-gtk new security issue CVE-2020-14355 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | herman.viaene, jani.valimaa, nicolas.salguero, ouaurelien, sysadmin-bugs, thierry.vignaud |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | spice-0.14.2-1.mga7.src.rpm, spice-gtk-0.36-4.mga7.src.rpm | CVE: | CVE-2020-14355 |
| Status comment: | |||
|
Description
David Walser
2020-10-07 01:35:00 CEST
David Walser
2020-10-07 01:35:08 CEST
Whiteboard:
(none) =>
MGA7TOO Hi, thanks for reporting this bug. Assigned to all packagers as there is no registered maintainer. CC'ed 2 recents commiters. Packagers: Please set the status to 'assigned' if you are working on it. Assignee:
bugsquad =>
pkg-bugs Initial announcement of the issue, with commit fixes: https://www.openwall.com/lists/oss-security/2020/10/06/10 Ubuntu has issued an advisory for this on October 6: https://ubuntu.com/security/notices/USN-4572-1 Hi,
Sadly, spice-gtk fails to build for Mageia 7 because of the following error:
"""
FAILED: subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o
cc -Isubprojects/spice-common/common/4ed40af@@spice-common-client@sta -Isubprojects/spice-common/common -I../subprojects/spice-common/common -Isubprojects/spice-common -I../subprojects/spice-common -I/usr/include/spice-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -I/usr/include/pixman-1 -I/usr/include/opus -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr4 -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="Spice"' -Wall -Wextra -Werror -Wno-unused-parameter -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_38 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_38 -O2 -g -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -fPIC -pthread -MD -MQ 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -MF 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o.d' -o 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -c subprojects/spice-common/common/generated_client_marshallers.c
subprojects/spice-common/common/generated_client_marshallers.c: In function ‘spice_marshall_msgc_tunnel_service_add’:
subprojects/spice-common/common/generated_client_marshallers.c:303:22: error: ‘SPICE_TUNNEL_SERVICE_TYPE_IPP’ undeclared (first use in this function); did you mean ‘SPICE_VIDEO_CODEC_TYPE_VP9’?
if (src->type == SPICE_TUNNEL_SERVICE_TYPE_IPP) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SPICE_VIDEO_CODEC_TYPE_VP9
subprojects/spice-common/common/generated_client_marshallers.c:303:22: note: each undeclared identifier is reported only once for each function it appears in
subprojects/spice-common/common/generated_client_marshallers.c:306:31: error: ‘SPICE_TUNNEL_IP_TYPE_IPv4’ undeclared (first use in this function); did you mean ‘SPICE_CLIP_TYPE_NONE’?
if (src->u.ip.type == SPICE_TUNNEL_IP_TYPE_IPv4) {
^~~~~~~~~~~~~~~~~~~~~~~~~
SPICE_CLIP_TYPE_NONE
"""
It seems that spice-gtk 0.36 is not compatible with spice-protocol 0.14
Best regards,
Nico.CC:
(none) =>
nicolas.salguero Can we upgrade it then? Suggested advisory: ======================== The updated packages fix a security vulnerability: Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. (CVE-2020-14355) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14355 https://access.redhat.com/errata/RHSA-2020:4186 https://www.openwall.com/lists/oss-security/2020/10/06/10 https://ubuntu.com/security/notices/USN-4572-1 ======================== Updated packages in core/updates_testing: ======================== spice-client-0.14.2-1.1.mga7 lib(64)spice-server1-0.14.2-1.1.mga7 lib(64)spice-server-devel-0.14.2-1.1.mga7 spice-gtk-0.37-1.mga7 lib(64)spice-client-glib2.0_8-0.37-1.mga7 lib(64)spice-client-glib-gir2.0-0.37-1.mga7 lib(64)spice-client-gtk3.0_5-0.37-1.mga7 lib(64)spice-client-gtk-gir3.0-0.37-1.mga7 lib(64)spice-gtk-devel-0.37-1.mga7 from SRPMS: spice-0.14.2-1.1.mga7.src.rpm spice-gtk-0.37-1.mga7.src.rpm CVE:
(none) =>
CVE-2020-14355 MGA7-64 MATE on Peaq C1011 No installation issues Ref bug 23466 This notebook is too restricted to run virtual stuff, but the spicy command opens correctly the window to connect. If no other can test more, I would agree on a clean install. CC:
(none) =>
herman.viaene This can be pushed if no installation issue. Validating update, Advisory in Comment 6. Advisory pushed to SVN.
Aurelien Oudelet
2020-11-10 09:47:15 CET
Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0408.html Resolution:
(none) =>
FIXED |