A security issue fixed upstream in spice and spice-gtk has been announced: http://openwall.com/lists/oss-security/2018/08/17/1 The issue is fixed upstream in spice 0.14.1 and spice-gtk 0.36. Older versions are likely to be affected as well.
CC: (none) => smelror, thierry.vignaud
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
Ubuntu has issued an advisory for this on August 22: https://usn.ubuntu.com/3751-1/ See also Bug 22879 for spice-gtk.
openSUSE has issued advisories today (September 4): https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html It fixes this issue and an additional one.
Summary: spice, spice-gtk new security issue CVE-2018-10873 => spice, spice-gtk new security issues CVE-2018-10873 and CVE-2018-10893See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=22879
RedHat has issued an advisory for the first issue today (September 20): https://access.redhat.com/errata/RHSA-2018:2731
spice-0.14.1-1.mga7 is already in cauldron. However, upstream has no 0.36 version for spice-gtk, the last one is 0.35. I uploaded spice-gtk-0.35-3.mga7 which should fix it.
Assignee: pkg-bugs => brunoCC: (none) => brunoStatus: NEW => RESOLVEDResolution: (none) => FIXED
Mageia 6 hasn't been looked at, and I don't think this has been fixed for spice-gtk.
Status: RESOLVED => REOPENEDResolution: FIXED => (none)Whiteboard: (none) => MGA6TOO
Initialy mga6 wasn't mentioned, so I didn't look at it. For mga6 patches do not apply on our current version 0.33. So I suggest that we move to the same version as cauldron, which also means updating spice-protocol if that doesn't create too many issues.
Make sure you don't forget the new CVE from Comment 2. I'm not sure if it's fixed in the versions mentioned in Comment 0.
Indeed, CVE-2018-10893 had not been addressed yet. Fixed in spice-0.14.1-2.mga7 and spice-gtk-0.35-5.mga7.
Version: Cauldron => 6Whiteboard: MGA6TOO => (none)
Blocks: (none) => 22879
CC: (none) => bequimao.de
Depends on: (none) => 24257
Advisory for this bug is included into bug 24257
CC: (none) => nicolas.salguero
Advisory for this bug is included into bug 22879
Assigning to QA to list CVEs even if advisories are into bug 24257 and bug 22879
CVE: (none) => CVE-2018-10873, CVE-2018-10893Assignee: bruno => qa-bugsStatus: REOPENED => ASSIGNED
Source RPM: spice-0.14.0-1.mga7.src.rpm, spice-gtk-0.35-1.mga7.src.rpm => spice-0.13.90-1.mga6.src.rpm, spice-gtk-0.33-3.mga6.src.rpm
Moving advisory to the correct bug. spice is in Bug 24257. Suggested advisory: ======================== The updated packages fix a security vulnerability: A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. (CVE-2017-12194) A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873) Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12194 https://lists.opensuse.org/opensuse-updates/2018-04/msg00011.html https://usn.ubuntu.com/3659-1/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10893 http://openwall.com/lists/oss-security/2018/08/17/1 https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html Updated packages in core/updates_testing: ======================== spice-gtk-0.33-3.1.mga6 lib(64)spice-client-glib2.0_8-0.33-3.1.mga6 lib(64)spice-client-glib-gir2.0-0.33-3.1.mga6 lib(64)spice-client-gtk3.0_5-0.33-3.1.mga6 lib(64)spice-client-gtk-gir3.0-0.33-3.1.mga6 lib(64)spice-controller0-0.33-3.1.mga6 lib(64)spice-gtk-devel-0.33-3.1.mga6 from SRPMS: spice-gtk-0.33-3.1.mga6.src.rpm
Source RPM: spice-0.13.90-1.mga6.src.rpm, spice-gtk-0.33-3.mga6.src.rpm => spice-gtk-0.33-3.mga6.src.rpm, spice-0.13.90-1.mga6.src.rpm
MGA6-32 MATE on IBM Thinkpad R50e No installation issues No spice server around so launding spicy at CLI causes no errors and opens a window where to define a spice-server connection. Looked into spice server and found this: "The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments ......" Running virtual stuff on this old 32-bitter is just not feasible, so to me it is a bit more than a clean install. when someone else has a better environment, have my blessing to OK this update.
CC: (none) => herman.viaene
Running MGA 6 KDE Plasma as host and client under Qemu/KVM. Host: lib64spice-client-glib2.0_8-0.33-3.1.mga6 lib64spice-client-glib-gir2.0-0.33-3.1.mga6 lib64spice-client-gtk3.0_5-0.33-3.1.mga6 lib64spice-client-gtk-gir3.0-0.33-3.1.mga6 lib64spice-server1-0.13.90-1.2.mga6 spice-gtk-0.33-3.1.mga6 Client spice-vdagent-0.18.0-1.mga6 spice-webdavd-2.2-1.mga6 No regression found. NB. When I start Virtual Machine Manager I get the error message: Unable to connect to libvirt. Verify that the 'libvirtd' daemon is running. Nevertheless the system works fine. Ulrich
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_updateCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0099.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED