Bug 24257 - spice new security issue CVE-2019-3813
Summary: spice new security issue CVE-2019-3813
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 23466
Reported: 2019-01-29 12:48 CET by David Walser
Modified: 2019-02-22 01:36 CET

See Also:
Source RPM: spice-0.13.90-1.mga6.src.rpm
CVE: CVE-2019-3813, CVE-2018-10873, CVE-2018-10893
Status comment:


Description David Walser 2019-01-29 12:48:30 CET
A security issue in spice has been announced:
https://www.openwall.com/lists/oss-security/2019/01/28/2

The issue will be fixed upstream in 0.14.2.

As noted in reply to the message above, the attached patch fails to apply to 0.14.1.

Mageia 6 is also affected.

David Walser 2019-01-29 12:48:41 CET

Blocks: (none) => 23466
Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-01-30 12:47:54 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => marja11, nicolas.salguero, smelror, thierry.vignaud
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2019-02-01 19:05:31 CET
Red Hat has issued an advisory for this on January 31:
https://access.redhat.com/errata/RHSA-2019:0231

Comment 3 David Walser 2019-02-01 19:13:26 CET
Ubuntu has issued an advisory for this on January 28:
https://usn.ubuntu.com/3870-1/

Comment 4 David Walser 2019-02-02 20:53:11 CET
Fixed in spice-0.14.1-3.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 5 David Walser 2019-02-11 01:19:26 CET
Fedora has issued an advisory for this on February 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/

Comment 6 Nicolas Salguero 2019-02-14 09:58:05 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
========================

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.1.mga6
lib(64)spice-server1-0.13.90-1.1.mga6
lib(64)spice-server-devel-0.13.90-1.1.mga6

from SRPMS:
spice-0.13.90-1.1.mga6.src.rpm

Source RPM: spice-0.14.1-2.mga7.src.rpm => spice-0.13.90-1.mga6.src.rpm
CVE: (none) => CVE-2019-3813
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 7 Nicolas Salguero 2019-02-14 11:35:44 CET
To also solve bug 23466, I bumped the subrel so:

Updated packages in core/updates_testing:
========================
spice-client-0.13.90-1.2.mga6
lib(64)spice-server1-0.13.90-1.2.mga6
lib(64)spice-server-devel-0.13.90-1.2.mga6

from SRPMS:
spice-0.13.90-1.2.mga6.src.rpm

Comment 8 Nicolas Salguero 2019-02-14 12:46:58 CET
I am adding an advisory for bug 23466 too:

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. (CVE-2019-3813)

A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. (CVE-2018-10873)

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. (CVE-2018-10893)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3813
https://www.openwall.com/lists/oss-security/2019/01/28/2
https://access.redhat.com/errata/RHSA-2019:0231
https://usn.ubuntu.com/3870-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OWH2AHGKTPR5QUGXUYGY6CAEI3O7RPLL/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10893
http://openwall.com/lists/oss-security/2018/08/17/1
https://lists.opensuse.org/opensuse-updates/2018-09/msg00007.html
https://lists.opensuse.org/opensuse-updates/2018-09/msg00010.html

Nicolas Salguero 2019-02-14 13:27:29 CET

CVE: CVE-2019-3813 => CVE-2019-3813, CVE-2018-10873, CVE-2018-10893

Ulrich Beckmann 2019-02-17 20:27:52 CET

CC: (none) => bequimao.de

Comment 9 Dave Hodgins 2019-02-21 20:38:42 CET
Adding OK based on testing shown by bug 23466 comment 14.
Advisory committed to svn. Validating update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 10 Mageia Robot 2019-02-22 01:36:50 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0100.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED