RedHat has issued an advisory today (October 6): https://access.redhat.com/errata/RHSA-2020:4186 Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Hi, thanks for reporting this bug. Assigned to all packagers as there is no registered maintainer. CC'ed 2 recents commiters. Packagers: Please set the status to 'assigned' if you are working on it.
Assignee: bugsquad => pkg-bugsKeywords: (none) => TriagedCC: (none) => jani.valimaa, ouaurelien, thierry.vignaud
Initial announcement of the issue, with commit fixes: https://www.openwall.com/lists/oss-security/2020/10/06/10
Ubuntu has issued an advisory for this on October 6: https://ubuntu.com/security/notices/USN-4572-1
Hi, Sadly, spice-gtk fails to build for Mageia 7 because of the following error: """ FAILED: subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o cc -Isubprojects/spice-common/common/4ed40af@@spice-common-client@sta -Isubprojects/spice-common/common -I../subprojects/spice-common/common -Isubprojects/spice-common -I../subprojects/spice-common -I/usr/include/spice-1 -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -I/usr/include/libmount -I/usr/include/blkid -I/usr/include/uuid -I/usr/include/pixman-1 -I/usr/include/opus -I/usr/include/cacard -I/usr/include/nss -I/usr/include/nspr4 -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -DHAVE_CONFIG_H '-DG_LOG_DOMAIN="Spice"' -Wall -Wextra -Werror -Wno-unused-parameter -DGLIB_VERSION_MIN_REQUIRED=GLIB_VERSION_2_38 -DGLIB_VERSION_MAX_ALLOWED=GLIB_VERSION_2_38 -O2 -g -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fasynchronous-unwind-tables -fPIC -pthread -MD -MQ 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -MF 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o.d' -o 'subprojects/spice-common/common/4ed40af@@spice-common-client@sta/meson-generated_.._generated_client_marshallers.c.o' -c subprojects/spice-common/common/generated_client_marshallers.c subprojects/spice-common/common/generated_client_marshallers.c: In function ‘spice_marshall_msgc_tunnel_service_add’: subprojects/spice-common/common/generated_client_marshallers.c:303:22: error: ‘SPICE_TUNNEL_SERVICE_TYPE_IPP’ undeclared (first use in this function); did you mean ‘SPICE_VIDEO_CODEC_TYPE_VP9’? if (src->type == SPICE_TUNNEL_SERVICE_TYPE_IPP) { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SPICE_VIDEO_CODEC_TYPE_VP9 subprojects/spice-common/common/generated_client_marshallers.c:303:22: note: each undeclared identifier is reported only once for each function it appears in subprojects/spice-common/common/generated_client_marshallers.c:306:31: error: ‘SPICE_TUNNEL_IP_TYPE_IPv4’ undeclared (first use in this function); did you mean ‘SPICE_CLIP_TYPE_NONE’? if (src->u.ip.type == SPICE_TUNNEL_IP_TYPE_IPv4) { ^~~~~~~~~~~~~~~~~~~~~~~~~ SPICE_CLIP_TYPE_NONE """ It seems that spice-gtk 0.36 is not compatible with spice-protocol 0.14 Best regards, Nico.
CC: (none) => nicolas.salguero
Can we upgrade it then?
Suggested advisory: ======================== The updated packages fix a security vulnerability: Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. (CVE-2020-14355) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14355 https://access.redhat.com/errata/RHSA-2020:4186 https://www.openwall.com/lists/oss-security/2020/10/06/10 https://ubuntu.com/security/notices/USN-4572-1 ======================== Updated packages in core/updates_testing: ======================== spice-client-0.14.2-1.1.mga7 lib(64)spice-server1-0.14.2-1.1.mga7 lib(64)spice-server-devel-0.14.2-1.1.mga7 spice-gtk-0.37-1.mga7 lib(64)spice-client-glib2.0_8-0.37-1.mga7 lib(64)spice-client-glib-gir2.0-0.37-1.mga7 lib(64)spice-client-gtk3.0_5-0.37-1.mga7 lib(64)spice-client-gtk-gir3.0-0.37-1.mga7 lib(64)spice-gtk-devel-0.37-1.mga7 from SRPMS: spice-0.14.2-1.1.mga7.src.rpm spice-gtk-0.37-1.mga7.src.rpm
CVE: (none) => CVE-2020-14355Keywords: Triaged => (none)Assignee: pkg-bugs => qa-bugsVersion: Cauldron => 7Source RPM: spice-0.14.3-1.mga8.src.rpm, spice-gtk-0.38-1.mga8.src.rpm => spice-0.14.2-1.mga7.src.rpm, spice-gtk-0.36-4.mga7.src.rpmStatus: NEW => ASSIGNEDWhiteboard: MGA7TOO => (none)
MGA7-64 MATE on Peaq C1011 No installation issues Ref bug 23466 This notebook is too restricted to run virtual stuff, but the spicy command opens correctly the window to connect. If no other can test more, I would agree on a clean install.
CC: (none) => herman.viaene
This can be pushed if no installation issue. Validating update, Advisory in Comment 6. Advisory pushed to SVN.
Keywords: (none) => advisory, validated_updateWhiteboard: (none) => MGA7-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0408.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED