Bug 27368 - spice, spice-gtk new security issue CVE-2020-14355
Summary: spice, spice-gtk new security issue CVE-2020-14355
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-07 01:35 CEST by David Walser
Modified: 2020-11-10 16:21 CET

See Also:
Source RPM: spice-0.14.2-1.mga7.src.rpm, spice-gtk-0.36-4.mga7.src.rpm
CVE: CVE-2020-14355
Status comment:



Description David Walser 2020-10-07 01:35:00 CEST
Red Hat has issued an advisory today (October 6):
https://access.redhat.com/errata/RHSA-2020:4186

Mageia 7 is also affected.
David Walser 2020-10-07 01:35:08 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Aurelien Oudelet 2020-10-07 20:13:01 CEST
Hi, thanks for reporting this bug.
Assigned to all packagers as there is no registered maintainer.
CC'ed 2 recent committers.

Packagers: Please set the status to 'assigned' if you are working on it.

Assignee: bugsquad => pkg-bugs
Keywords: (none) => Triaged
CC: (none) => jani.valimaa, ouaurelien, thierry.vignaud

Comment 2 David Walser 2020-10-11 18:17:18 CEST
Initial announcement of the issue, with commit fixes:
https://www.openwall.com/lists/oss-security/2020/10/06/10
Comment 3 David Walser 2020-10-13 18:36:04 CEST
Ubuntu has issued an advisory for this on October 6:
https://ubuntu.com/security/notices/USN-4572-1
Comment 4 Nicolas Salguero 2020-10-21 15:22:23 CEST
Hi,

Sadly, spice-gtk fails to build for Mageia 7 because of the following error:
"""
FAILED: subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o 
cc -Isubprojects/spice-common/common/4ed40af@@spice-common-client@sta -Isubprojects/spice-common/common -I../subprojects/spice-common/common -Isubprojects/spice-common -I../subprojects/spice-common -I/usr/include/spice-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -I/usr/include/pixman-1 -I/usr/include/opus -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr4 -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="Spice"' -Wall -Wextra -Werror -Wno-unused-parameter -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_38 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_38 -O2 -g -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -fPIC -pthread -MD -MQ 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -MF 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o.d' -o 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -c subprojects/spice-common/common/generated_client_marshallers.c
subprojects/spice-common/common/generated_client_marshallers.c: In function ‘spice_marshall_msgc_tunnel_service_add’:
subprojects/spice-common/common/generated_client_marshallers.c:303:22: error: ‘SPICE_TUNNEL_SERVICE_TYPE_IPP’ undeclared (first use in this function); did you mean ‘SPICE_VIDEO_CODEC_TYPE_VP9’?
     if (src->type == SPICE_TUNNEL_SERVICE_TYPE_IPP) {
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                      SPICE_VIDEO_CODEC_TYPE_VP9
subprojects/spice-common/common/generated_client_marshallers.c:303:22: note: each undeclared identifier is reported only once for each function it appears in
subprojects/spice-common/common/generated_client_marshallers.c:306:31: error: ‘SPICE_TUNNEL_IP_TYPE_IPv4’ undeclared (first use in this function); did you mean ‘SPICE_CLIP_TYPE_NONE’?
         if (src->u.ip.type == SPICE_TUNNEL_IP_TYPE_IPv4) {
                               ^~~~~~~~~~~~~~~~~~~~~~~~~
                               SPICE_CLIP_TYPE_NONE
"""

It seems that spice-gtk 0.36 is not compatible with spice-protocol 0.14.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 5 David Walser 2020-10-21 17:24:01 CEST
Can we upgrade it then?
Comment 6 Nicolas Salguero 2020-10-22 09:29:14 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. (CVE-2020-14355)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14355
https://access.redhat.com/errata/RHSA-2020:4186
https://www.openwall.com/lists/oss-security/2020/10/06/10
https://ubuntu.com/security/notices/USN-4572-1
========================

Updated packages in core/updates_testing:
========================
spice-client-0.14.2-1.1.mga7
lib(64)spice-server1-0.14.2-1.1.mga7
lib(64)spice-server-devel-0.14.2-1.1.mga7
spice-gtk-0.37-1.mga7
lib(64)spice-client-glib2.0_8-0.37-1.mga7
lib(64)spice-client-glib-gir2.0-0.37-1.mga7
lib(64)spice-client-gtk3.0_5-0.37-1.mga7
lib(64)spice-client-gtk-gir3.0-0.37-1.mga7
lib(64)spice-gtk-devel-0.37-1.mga7

from SRPMS:
spice-0.14.2-1.1.mga7.src.rpm
spice-gtk-0.37-1.mga7.src.rpm

CVE: (none) => CVE-2020-14355
Keywords: Triaged => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Source RPM: spice-0.14.3-1.mga8.src.rpm, spice-gtk-0.38-1.mga8.src.rpm => spice-0.14.2-1.mga7.src.rpm, spice-gtk-0.36-4.mga7.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
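
Added example (not part of the bug thread and not Mageia tooling): a check of installed SPICE packages against the fixed source builds named in the Comment 6 advisory. The input format (`rpm -qa --qf '%{NAME} %{SOURCERPM}\n'`), the sample lines, and the simplified version comparison (no epoch, no `~`/`^` handling) are assumptions made for this illustration.

```python
import re

# Fixed source builds from the suggested advisory in Comment 6.
FIXED = {"spice": "0.14.2-1.1.mga7", "spice-gtk": "0.37-1.mga7"}

# Constructed sample of: rpm -qa --qf '%{NAME} %{SOURCERPM}\n'
SAMPLE = """\
lib64spice-server1 spice-0.14.2-1.mga7.src.rpm
spice-gtk spice-gtk-0.36-4.mga7.src.rpm
lib64spice-client-glib2.0_8 spice-gtk-0.37-1.mga7.src.rpm
bash bash-5.0-1.mga7.src.rpm
"""

def vercmp(a, b):
    """Simplified rpm-style compare: split into digit/alpha runs, compare pairwise."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run sorts newer than an alpha run
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings (assumes no epoch)."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def audit(rpm_lines):
    """Return {binary package: (installed version-release, needs_update)}."""
    report = {}
    for line in rpm_lines.strip().splitlines():
        name, srpm = line.split()
        # 'spice-gtk-0.36-4.mga7.src.rpm' -> ('spice-gtk', '0.36', '4.mga7')
        src, ver, rel = srpm[:-len(".src.rpm")].rsplit("-", 2)
        if src in FIXED:
            evr = f"{ver}-{rel}"
            report[name] = (evr, evr_cmp(evr, FIXED[src]) < 0)
    return report

if __name__ == "__main__":
    for pkg, (evr, stale) in audit(SAMPLE).items():
        print(f"{pkg:32} {evr:18} {'NEEDS UPDATE' if stale else 'ok'}")
```

Matching on the source RPM name covers every binary subpackage built from `spice` or `spice-gtk` without listing each library package by name.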

Comment 7 Herman Viaene 2020-11-09 15:28:00 CET
MGA7-64 MATE  on Peaq C1011
No installation issues
Ref bug 23466
This notebook is too restricted to run virtual stuff, but the spicy command correctly opens the window to connect.
If no one else can test more, I would agree on a clean install.

CC: (none) => herman.viaene

Comment 8 Aurelien Oudelet 2020-11-10 09:46:45 CET
This can be pushed if no installation issue.
Validating update, Advisory in Comment 6.

Advisory pushed to SVN.
Aurelien Oudelet 2020-11-10 09:47:15 CET

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Comment 9 Mageia Robot 2020-11-10 16:21:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0408.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

