openSUSE has issued an advisory today (April 7): https://lists.opensuse.org/opensuse-updates/2018-04/msg00011.html
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Status comment: (none) => Patch available from openSUSE
Ubuntu has issued an advisory for this on May 23: https://usn.ubuntu.com/3659-1/
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=23466
I used patches from Red Hat (https://bugzilla.redhat.com/show_bug.cgi?id=1240165) to update spice-gtk-0.35-3.mga7
Assignee: pkg-bugs => bruno
Status: NEW => ASSIGNED
CC: (none) => bruno
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
For mga6 patches do not apply on our current version 0.33. So I suggest that we move to the same version as cauldron, which also means updating spice-protocol if that doesn't create too many issues.
CC: (none) => bequimao.de
Depends on: (none) => 23466
I add advisory for bug 23466 too:

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. (CVE-2017-12194)

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12194
https://lists.opensuse.org/opensuse-updates/2018-04/msg00011.html
https://usn.ubuntu.com/3659-1/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10893
http://openwall.com/lists/oss-security/2018/08/17/1
https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html
https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html

Updated packages in core/updates_testing:
========================
spice-gtk-0.33-3.1.mga6
lib(64)spice-client-glib2.0_8-0.33-3.1.mga6
lib(64)spice-client-glib-gir2.0-0.33-3.1.mga6
lib(64)spice-client-gtk3.0_5-0.33-3.1.mga6
lib(64)spice-client-gtk-gir3.0-0.33-3.1.mga6
lib(64)spice-controller0-0.33-3.1.mga6
lib(64)spice-gtk-devel-0.33-3.1.mga6

from SRPMS:
spice-gtk-0.33-3.1.mga6.src.rpm

Assignee: bruno => qa-bugs
Source RPM: spice-gtk-0.34-2.mga7.src.rpm => spice-gtk-0.33-3.mga6.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2017-12194, CVE-2018-10873, CVE-2018-10893
Severity: normal => critical
Can't assign two bugs to QA for the same package; the QA bug should generally be the newer (blocking) bug, which is Bug 23466 for spice-gtk and Bug 24257 for spice.
Assignee: qa-bugs => pkg-bugs
CVE: CVE-2017-12194, CVE-2018-10873, CVE-2018-10893 => CVE-2017-12194
Fixed in: https://advisories.mageia.org/MGASA-2019-0099.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED