A security issue in spice has been announced:
https://www.openwall.com/lists/oss-security/2019/01/28/2

The issue will be fixed upstream in 0.14.2. As noted in reply to the message above, the attached patch fails to apply to 0.14.1. Mageia 6 is also affected.
Blocks: (none) => 23466
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
CC: (none) => marja11, nicolas.salguero, smelror, thierry.vignaud
Assignee: bugsquad => pkg-bugs
RedHat has issued an advisory for this on January 31: https://access.redhat.com/errata/RHSA-2019:0231
Ubuntu has issued an advisory for this on January 28: https://usn.ubuntu.com/3870-1/
Fixed in spice-0.14.1-3.mga7 in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Fedora has issued an advisory for this on February 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
========================

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.1.mga6
lib(64)spice-server1-0.13.90-1.1.mga6
lib(64)spice-server-devel-0.13.90-1.1.mga6

from SRPMS:
spice-0.13.90-1.1.mga6.src.rpm
Source RPM: spice-0.14.1-2.mga7.src.rpm => spice-0.13.90-1.mga6.src.rpm
CVE: (none) => CVE-2019-3813
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
To also solve bug 23466, I bumped the subrel so:

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.2.mga6
lib(64)spice-server1-0.13.90-1.2.mga6
lib(64)spice-server-devel-0.13.90-1.2.mga6

from SRPMS:
spice-0.13.90-1.2.mga6.src.rpm
I'm adding the advisory for bug 23466 too:

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10893
http://openwall.com/lists/oss-security/2018/08/17/1
https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html
https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html
CVE: CVE-2019-3813 => CVE-2019-3813, CVE-2018-10873, CVE-2018-10893
CC: (none) => bequimao.de
Adding ok based on testing shown by bug 23466 comment 14.
Advisory committed to svn.
Validating update.
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0100.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED