openSUSE has issued an advisory on February 8:
The upstream fix is linked from the SUSE bug:
Mageia 5 and Mageia 6 are also affected.
Upstream patch is available
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
Patch is included upstream in 0.18.0, which is in Cauldron (updated by tv).
Updated spice-vdagent package fixes security vulnerability:
Improperly escaped save directory that is passed to the shell allows a local
attacker with access to the session the agent runs in to inject arbitrary commands
to be executed (CVE-2017-15108).
Updated packages in core/updates_testing:
I got a bogus e-mail from the build system:
The upload of the following packages failed:
Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101214221.luigiwalser.duvel.17888.youri
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
# systemctl start spice-vdagentd
# systemctl -l status spice-vdagentd
● spice-vdagentd.service - Agent daemon for Spice guests
Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; indirect; vendor preset: enabled)
Active: active (running) since vr 2019-01-04 16:43:15 CET; 17s ago
Process: 19898 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/
Main PID: 19899 (spice-vdagentd)
jan 04 16:43:15 mach6.hviaene.thuis systemd: Starting Agent daemon for Spice guests...
jan 04 16:43:15 mach6.hviaene.thuis systemd: Started Agent daemon for Spice guests.
Googling taught me this is part of virtual machine handling. I will not venture into that on a small, slow 32-bitter.
At least it does not disturb anything else.
Trying to figure out how this all works. Initial googling supports Herman's conclusion that a VM is involved.
This is one quote:
SPICE could be divided into 4 different components: Protocol, Client, Server and Guest. The protocol is the specification in the communication of the three other components; A client such as remote-viewer is responsible to send data and translate the data from the Virtual Machine (VM) so you can interact with it; The SPICE server is the library used by the hypervisor in order to share the VM under SPICE protocol; And finally, the Guest side is all the software that must be running in the VM in order to make SPICE fully functional, such as the QXL driver and SPICE VDAgent.
spice-client is available in Mageia but it is beyond me to put it all together. Testing spice-vdagent by itself would seem to be impossible in the light of that quote so starting and stopping the service is about all we can do.
@Herman, re comment 5. Clean update, service runs. You should give it the OK.
Setting up a proper testbed involves more work than QA should be expected to do unless there is somebody who already uses such a setup.
Len, your wish is my command.(-:
Thanks to you both (needs another hotkey).
Advisory from comment 3. Validating.
An update for this issue has been pushed to the Mageia Updates repository.
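The bug class named in the advisory above (a directory name pasted into a shell command line), shown beside a call that passes the same name as a single argv element with no shell involved. This is an added example, not spice-vdagent's code or the upstream patch; the opener command `true`, the function names and the directory names are constructed stand-ins.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for the program that opens the save directory. */
#define OPENER "true"

/* Vulnerable pattern: the directory name becomes part of a shell command. */
int open_dir_via_shell(const char *dir)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, OPENER " '%s'", dir);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int st = system(cmd);           /* /bin/sh -c parses the whole string */
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: no shell; the directory is exactly one argument. */
int open_dir_via_exec(const char *dir)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { OPENER, (char *)dir, NULL };
        execvp(argv[0], argv);
        _exit(127);                 /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed directory names: one ordinary, one containing a quote. */
    const char *plain = "/tmp/Downloads";
    const char *odd   = "/tmp/x'; exit 7; '";
    printf("shell: plain=%d odd=%d\n", open_dir_via_shell(plain), open_dir_via_shell(odd));
    printf("exec:  plain=%d odd=%d\n", open_dir_via_exec(plain), open_dir_via_exec(odd));
    return 0;
}
```

The exit status 7 from the shell variant shows that text after the quote was parsed as a separate command; the exec variant returns the opener's own status for both names.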