openSUSE has issued an advisory on February 8:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html

The upstream fix is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1070724

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Upstream patch is available
Assigning to the registered maintainer, but CC'ing all packagers collectively, in case the maintainer is unavailable.
CC: (none) => marja11, pkg-bugs
Assignee: bugsquad => alien
Patch is included upstream in 0.18.0, which is in Cauldron (updated by tv).
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Advisory:
========================

Updated spice-vdagent package fixes security vulnerability:

Improperly escaped save directory that is passed to the shell allows local attacker with access to the session the agent runs to inject arbitrary commands to be executed (CVE-2017-15108).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15108
https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html
========================

Updated packages in core/updates_testing:
========================
spice-vdagent-0.18.0-1.mga6

from spice-vdagent-0.18.0-1.mga6.src.rpm
Assignee: alien => qa-bugs
I got a bogus e-mail from the build system:

The upload of the following packages failed:
- spice-vdagent-debuginfo-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.i586.rpm
- spice-vdagent-0.18.0-1.mga6.x86_64.rpm
- spice-vdagent-debuginfo-0.18.0-1.mga6.x86_64.rpm

Upload log available in http://pkgsubmit.mageia.org/uploads/rejected//6/core/updates_testing/20190101214221.luigiwalser.duvel.17888.youri
CC: (none) => sysadmin-bugs
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
At CLI:
# systemctl start spice-vdagentd
# systemctl -l status spice-vdagentd
● spice-vdagentd.service - Agent daemon for Spice guests
   Loaded: loaded (/usr/lib/systemd/system/spice-vdagentd.service; indirect; vendor preset: enabled)
   Active: active (running) since vr 2019-01-04 16:43:15 CET; 17s ago
  Process: 19898 ExecStart=/usr/sbin/spice-vdagentd $SPICE_VDAGENTD_EXTRA_ARGS (code=exited, status=0/
 Main PID: 19899 (spice-vdagentd)
   CGroup: /system.slice/spice-vdagentd.service
           └─19899 /usr/sbin/spice-vdagentd

jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Starting Agent daemon for Spice guests...
jan 04 16:43:15 mach6.hviaene.thuis systemd[1]: Started Agent daemon for Spice guests.

Googling taught me that this is part of virtual machine handling. I will not venture into that on a small, slow 32-bitter.
At least it does not disturb anything else.
CC: (none) => herman.viaene
CC: (none) => bequimao.de
Trying to figure out how this all works. Initial googling supports Herman's conclusion that a VM is involved. This is one quote:

"SPICE could be divided into 4 different components: Protocol, Client, Server and Guest. The protocol is the specification in the communication of the three other components; A client such as remote-viewer is responsible to send data and translate the data from the Virtual Machine (VM) so you can interact with it; The SPICE server is the library used by the hypervisor in order to share the VM under SPICE protocol; And finally, the Guest side is all the software that must be running in the VM in order to make SPICE fully functional, such as the QXL driver and SPICE VDAgent."

spice-client is available in Mageia but it is beyond me to put it all together. Testing spice-vdagent by itself would seem to be impossible in the light of that quote so starting and stopping the service is about all we can do.

@Herman, re comment 5. Clean update, service runs. You should give it the OK. Setting up a proper testbed involves more work than QA should be expected to do unless there is somebody who already uses such a setup.
CC: (none) => tarazed25
Len, your wish is my command.(-:
Whiteboard: (none) => MGA6-32-OK
Thanks to you both (needs another hotkey). Advisory from comment 3. Validating.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0032.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED