Debian-LTS has issued an advisory today (March 21): https://www.debian.org/lts/security/2022/dla-2958 The issue is fixed upstream in 0.11.0. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.11.0
Yet another package with no evident maintainer, so have to assign this also globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A use-after-free vulnerability was found in usbredir in versions prior to 0.11.0 in the usbredirparser_serialize() in usbredirparser/usbredirparser.c. This issue occurs when serializing large amounts of buffered write data in the case of a slow or blocked destination. (CVE-2021-3700)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3700
https://www.debian.org/lts/security/2022/dla-2958
========================

Updated packages in core/updates_testing:
========================
lib(64)usbredirhost1-0.8.0-3.1.mga8
lib(64)usbredirparser1-0.8.0-3.1.mga8
lib(64)usbredir-devel-0.8.0-3.1.mga8
usbredir-0.8.0-3.1.mga8

from SRPM:
usbredir-0.8.0-3.1.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: usbredir-0.9.0-1.mga9.src.rpm => usbredir-0.8.0-3.mga8.src.rpm
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2021-3700
Status comment: Fixed upstream in 0.11.0 => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
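The advisory above describes a use-after-free in usbredirparser_serialize() that occurs while a large amount of buffered write data is serialized. As an added illustration, not usbredir's code and not part of this bug report, the C program below shows the shape this bug class commonly takes: a serializer keeps a raw pointer into a buffer that a later realloc() may move, so the final store through that pointer lands in freed memory; the fix keeps an offset and re-derives the address from the current buffer. That this is the exact mechanism of CVE-2021-3700 is an assumption of the example, not something the advisory states, and every name here (struct write_buf, serialize_bad, serialize_good, verify_serialized, demo_serialize) and the record layout are invented for it.

```c
/* Added example (not usbredir's code): realloc/stale-pointer use-after-free in a
 * serializer, beside the offset-based fix. Assumed shape of CVE-2021-3700; all
 * names and the record layout are invented for this illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct write_buf { const uint8_t *data; uint32_t len; }; /* pending output chunk */
struct ser { uint8_t *buf; size_t len, cap; };          /* growable output buffer */

/* Append n bytes, growing the buffer with realloc(); the block may move. */
static int ser_put(struct ser *s, const void *p, size_t n)
{
    if (s->cap - s->len < n) {
        size_t ncap = s->cap ? s->cap : 64;
        while (ncap - s->len < n)
            ncap *= 2;
        uint8_t *nb = realloc(s->buf, ncap); /* old block is freed if it moves */
        if (!nb) return -1;
        s->buf = nb;
        s->cap = ncap;
    }
    memcpy(s->buf + s->len, p, n);
    s->len += n;
    return 0;
}

/* Record layout: [u32 count] then count x ([u32 len][len bytes]).
 * VULNERABLE: keeps a pointer into the buffer across appends. Any append may
 * realloc() and move s->buf; the final store then writes into freed memory.
 * Kept for comparison only and never called (it would be undefined behaviour). */
int serialize_bad(struct ser *s, const struct write_buf *wb, uint32_t nwb)
{
    uint32_t zero = 0, count = 0;
    if (ser_put(s, &zero, 4) < 0) return -1;
    uint32_t *count_pos = (uint32_t *)(s->buf + s->len - 4); /* dangles after growth */
    for (uint32_t i = 0; i < nwb; i++, count++)
        if (ser_put(s, &wb[i].len, 4) < 0 || ser_put(s, wb[i].data, wb[i].len) < 0)
            return -1;
    *count_pos = count; /* use-after-free once the buffer has moved */
    return 0;
}

/* FIXED: keep an offset and re-derive the address from the current s->buf. */
int serialize_good(struct ser *s, const struct write_buf *wb, uint32_t nwb)
{
    uint32_t zero = 0, count = 0;
    if (ser_put(s, &zero, 4) < 0) return -1;
    size_t count_off = s->len - 4;
    for (uint32_t i = 0; i < nwb; i++, count++)
        if (ser_put(s, &wb[i].len, 4) < 0 || ser_put(s, wb[i].data, wb[i].len) < 0)
            return -1;
    memcpy(s->buf + count_off, &count, 4);
    return 0;
}

/* Parse the records back; return the header count if it equals the number of
 * well-formed entries found and the buffer is consumed exactly, else -1. */
long verify_serialized(const uint8_t *buf, size_t len)
{
    uint32_t count, l, n = 0;
    size_t off = 4;
    if (len < 4) return -1;
    memcpy(&count, buf, 4);
    for (; off + 4 <= len; n++) {
        memcpy(&l, buf + off, 4);
        off += 4;
        if (l > len - off) return -1;
        off += l;
    }
    return (off == len && n == count) ? (long)count : -1;
}

/* Serialize nwb constructed 100-byte chunks with the fixed routine (enough to
 * force several reallocs), verify the result and return its count, or -1.
 * *out_len receives the serialized size: 4 + nwb * 104 bytes. */
long demo_serialize(uint32_t nwb, size_t *out_len)
{
    static const uint8_t payload[100] = { 0xAB }; /* constructed sample data */
    struct write_buf *wb = calloc(nwb ? nwb : 1, sizeof *wb);
    struct ser s = { 0 };
    long r = -1;
    if (!wb) return -1;
    for (uint32_t i = 0; i < nwb; i++) { wb[i].data = payload; wb[i].len = sizeof payload; }
    if (serialize_good(&s, wb, nwb) == 0)
        r = verify_serialized(s.buf, s.len);
    if (out_len) *out_len = s.len;
    free(s.buf);
    free(wb);
    return r;
}

size_t demo_serialized_len(uint32_t nwb) /* serialized size for nwb chunks */
{
    size_t n = 0;
    demo_serialize(nwb, &n);
    return n;
}
```

Building with -fsanitize=address and calling serialize_bad() with a few hundred chunks is the quickest way to see the heap-use-after-free report for the stale store; serialize_good() under the same sanitizer stays clean because no address computed before a realloc() survives past it.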
MGA8-64 Plasma on Lenovo B50 in Dutch

No installation issues. No previous updates, went googling, but came back as soon as I could: virtualization, qemu, all stuff way over my head.
CC: (none) => herman.viaene
No installation issues.

Looked into this, and didn't get much farther than you did, Herman. From what I see, the usbredir server/client libraries are designed to be used with something called "spice," which has something to do with virtual machines and QEMU or XEN. Very much beyond me.

But, usbredir can also be used in a stand-alone manner. /usr/share/doc/usbredir/README says that there is supposed to be a "usbredirtestclient" package, which on the face of it sounds helpful for this situation, but for whatever reason our build doesn't seem to include it. So no help there.

The file list indicates a man page for usbredirserver. It's brief, and probably helpful to someone who knows what he is doing, but for me not so much. I tried one of the commands anyway, with little success:

$ usbredirserver --verbose=4
Missing usb device identifier argument
Usage: usbredirserver [-p|--port <port>] [-v|--verbose <0-5>] [[-4|--ipv4 ipaddr]|[-6|--ipv6 ipaddr]] [-k|--keepalive seconds] <busnum-devnum|vendorid:prodid>

That indicates an error coming from the unit between the chair and keyboard, something beyond Mageia's ability to repair, but it does seem to indicate, kind of, that it is working as designed.

I'm going to give it an OK, and send it on, mostly based on two clean installs. I suspect the "missing" test package only provides a means of testing usbredir, and probably doesn't have an effect on usage. If I am in error on that, please let me know.

Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0133.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED