openSUSE has issued an advisory today (April 7):
Mageia 5 and Mageia 6 are also affected.
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Patch available from openSUSE
Ubuntu has issued an advisory for this on May 23:
I used patches from Red Hat (https://bugzilla.redhat.com/show_bug.cgi?id=1240165) to update spice-gtk-0.35-3.mga7
For mga6, the patches do not apply to our current version 0.33. So I suggest that we move to the same version as cauldron, which also means updating spice-protocol if that doesn't create too many issues.
I add the advisory for bug 23466 too:
The updated packages fix a security vulnerability:
A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of a malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. (CVE-2017-12194)
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)
Updated packages in core/updates_testing:
CVE-2017-12194, CVE-2018-10873, CVE-2018-10893
Can't assign two bugs to QA for the same package; the QA bug should generally be the newer (blocking) bug, which is Bug 23466 for spice-gtk and Bug 24257 for spice.