A security issue fixed upstream in spice and spice-gtk has been announced:
The issue is fixed upstream in spice 0.14.1 and spice-gtk 0.36.
Older versions are likely to be affected as well.
Ubuntu has issued an advisory for this on August 22:
See also Bug 22879 for spice-gtk.
openSUSE has issued advisories today (September 4):
It fixes this issue and an additional one.
spice, spice-gtk new security issue CVE-2018-10873 =>
spice, spice-gtk new security issues CVE-2018-10873 and CVE-2018-10893
RedHat has issued an advisory for the first issue today (September 20):
spice-0.14.1-1.mga7 is already in cauldron. However, upstream has no 0.36 version for spice-gtk, the last one is 0.35. I uploaded spice-gtk-0.35-3.mga7 which should fix it.
Mageia 6 hasn't been looked at, and I don't think this has been fixed for spice-gtk.
Initially mga6 wasn't mentioned, so I didn't look at it.
For mga6 patches do not apply on our current version 0.33. So I suggest that we move to the same version as cauldron, which also means updating spice-protocol if that doesn't create too many issues.
Make sure you don't forget the new CVE from Comment 2. I'm not sure if it's fixed in the versions mentioned in Comment 0.
Indeed, CVE-2018-10893 had not been addressed yet.
Fixed in spice-0.14.1-2.mga7 and spice-gtk-0.35-5.mga7.
Advisory for this bug is included in bug 24257
Advisory for this bug is included in bug 22879
Assigning to QA to list CVEs even if advisories are in bug 24257 and bug 22879
spice-0.14.0-1.mga7.src.rpm, spice-gtk-0.35-1.mga7.src.rpm =>
Moving advisory to the correct bug. spice is in Bug 24257.
The updated packages fix a security vulnerability:
A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. (CVE-2017-12194)
A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)
Updated packages in core/updates_testing:
spice-0.13.90-1.mga6.src.rpm, spice-gtk-0.33-3.mga6.src.rpm =>
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
No spice server around, so launching spicy at CLI causes no errors and opens a window where to define a spice-server connection.
Looked into spice server and found this:
"The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments ......"
Running virtual stuff on this old 32-bitter is just not feasible, so to me it is a bit more than a clean install. When someone else has a better environment, have my blessing to OK this update.
Running MGA 6 KDE Plasma as host and client under Qemu/KVM.
No regression found.
NB. When I start Virtual Machine Manager I get the error message:
Unable to connect to libvirt.
Verify that the 'libvirtd' daemon is running.
Nevertheless the system works fine.
An update for this issue has been pushed to the Mageia Updates repository.