Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.

CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => alien

Patch is included upstream in 0.18.0, which is in Cauldron (updated by tv).

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Advisory:
========================

Updated spice-vdagent package fixes security vulnerability:

Improperly escaped save directory that is passed to the shell allows local
attacker with access to the session the agent runs to inject arbitrary commands
to be executed (CVE-2017-15108).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15108
https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html
========================

Updated packages in core/updates_testing:
========================
spice-vdagent-0.18.0-1.mga6

from spice-vdagent-0.18.0-1.mga6.src.rpm

Assignee: alien => qa-bugs

I got a bogus e-mail from the build system:
The upload of the following packages failed:

- spice-vdagent-debuginfo-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.x86_64.rpm
- spice-vdagent-debuginfo-0.18.0-1.mga6.x86_64.rpm

Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101214221.luigiwalser.duvel.17888.youri

CC: (none) => sysadmin-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI:
# systemctl start spice-vdagentd
# systemctl -l status spice-vdagentd
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; indirect; vendor preset: enabled)
   Active: active (running) since vr 2019-01-04 16:43:15 CET; 17s ago
  Process: 19898 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/
 Main PID: 19899 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─19899 /usr/sbin/spice-vdagentd

jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Starting Agent daemon for Spice guests...
jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Started Agent daemon for Spice guests.


Googling learned me this is part of virtual machine handling. I will not venture into that on a small, slow 32-bitter.
At least it does not disturb anything else

CC: (none) => herman.viaene

Trying to figure out how this all works.  Initial googling supports Herman's conclusion that a VM is involved.

This is one quote:

SPICE could be divided into 4 different components: Protocol, Client, Server and Guest. The protocol is the specification in the communication of the three other components; A client such as remote-viewer is responsible to send data and translate the data from the Virtual Machine (VM) so you can interact with it; The SPICE server is the library used by the hypervisor in order to share the VM under SPICE protocol; And finally, the Guest side is all the software that must be running in the VM in order to make SPICE fully functional, such as the QXL driver and SPICE VDAgent.

spice-client is available in Mageia but it is beyond me to put it all together.  Testing spice-vdagent by itself would seem to be impossible in the light of that quote so starting and stopping the service is about all we can do.

@Herman, re comment 5.  Clean update, service runs.  You should give it the OK.
Setting up a proper testbed involves more work than QA should be expected to do unless there is somebody who already uses such a setup.

CC: (none) => tarazed25

Len, your wish is my command.(-:

Whiteboard: (none) => MGA6-32-OK

Thanks to you both (needs another hotkey).
Advisory from comment 3. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0032.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED