Your message dated Wed, 05 Sep 2018 07:04:51 +0000
with message-id <[email protected]>
and subject line Bug#906316: fixed in spice-gtk 0.35-1
has caused the Debian Bug report #906316,
regarding spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
906316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: spice
Version: 0.14.0-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:spice-gtk 0.34-1.1
Control: retitle -2 spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Hi,
The following vulnerability was published for spice.
CVE-2018-10873[0]:
|Missing check in demarshal.py:write_validate_array_item() allows for
|buffer overflow and denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
[1] http://www.openwall.com/lists/oss-security/2018/08/17/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1596008
[3] https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: spice-gtk
Source-Version: 0.35-1
We believe that the bug you reported is fixed in the latest version of
spice-gtk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laurent Bigonville <[email protected]> (supplier of updated spice-gtk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 04 Sep 2018 10:46:38 +0200
Source: spice-gtk
Binary: spice-client-gtk spice-client-glib-usb-acl-helper
libspice-client-glib-2.0-8 gir1.2-spiceclientglib-2.0
libspice-client-glib-2.0-dev libspice-client-gtk-3.0-5
gir1.2-spiceclientgtk-3.0 libspice-client-gtk-3.0-dev
Architecture: source amd64
Version: 0.35-1
Distribution: unstable
Urgency: medium
Maintainer: Liang Guo <[email protected]>
Changed-By: Laurent Bigonville <[email protected]>
Description:
gir1.2-spiceclientglib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
gir1.2-spiceclientgtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
libspice-client-glib-2.0-8 - GObject for communicating with Spice servers (runtime library)
libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
libspice-client-gtk-3.0-5 - GTK3 widget for SPICE clients (runtime library)
libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
spice-client-glib-usb-acl-helper - Helper tool to validate usb ACLs
spice-client-gtk - Simple clients for interacting with SPICE servers
Closes: 857367 876089 898503 906316
Changes:
spice-gtk (0.35-1) unstable; urgency=medium
.
* Team upload.
* New upstream version 0.35
- Fix integer overflows causing buffer overflows in spice-client (Closes:
#898503 CVE-2017-12194)
* debian/control: Update the Vcs-* fields to point to salsa
* debian/control: Bump build-dependencies
* Drop build-dependency against libgudev-1.0-dev, this is not needed with
libusb-1.0-0-dev >= 1.0.16, bump libusb-1.0-0-dev version accordingly
(Closes: #876089)
* Drop d/p/explicitly-enable-subdir-objects.patch, doesn't seem needed
anymore
* debian/rules: Remove --parallel and --with autoreconf, it's the default
with debhelper 10
* The libspice-controller library was removed upstream. Add a Breaks against
virt-viewer (<< 7.0), which is the only user of that library. (Closes:
#857367)
* debian/libspice-client-glib-2.0-8.symbols: Add new exported symbols
* debian/watch: Use https instead of plain http
* debian/control: Drop X-Python-Version to please lintian
* debian/control: Bump Standards-Version to 4.2.1 (no further changes)
* d/p/0001-Fix-flexible-array-buffer-overflow.patch: Fix possible buffer
overflow and denial of service (CVE-2018-10873) (Closes: #906316)
Checksums-Sha1:
cf37dc3eef34be156e006dfa8b4ebe02a4e28b27 2812 spice-gtk_0.35-1.dsc
978985ce4dbe404d8994cbb1569ab7d543ed1eef 1412429 spice-gtk_0.35.orig.tar.bz2
4515b0c8a9f794455c0d1995be5361465891d505 13636 spice-gtk_0.35-1.debian.tar.xz
4ee0686d2f85a2a25e243aeb7682f63b216c7daa 238124 gir1.2-spiceclientglib-2.0_0.35-1_amd64.deb
20c9b1c2297008f3d1515f1ef4d45431e5f2c25b 231164 gir1.2-spiceclientgtk-3.0_0.35-1_amd64.deb
c56142feac38cdaec4279c0efdeafdd04251c263 1771980 libspice-client-glib-2.0-8-dbgsym_0.35-1_amd64.deb
e7ddee67842aed7014124327e44638d20b7f7a1f 529004 libspice-client-glib-2.0-8_0.35-1_amd64.deb
aea789bcf1f55a04e43d2e4ec567e14bed158257 314584 libspice-client-glib-2.0-dev_0.35-1_amd64.deb
a6cc9a3326fd012a0d20db1118f41c4406666f85 317148 libspice-client-gtk-3.0-5-dbgsym_0.35-1_amd64.deb
f7e44f3c57e044e7783205c844c12792b31e1d51 273664 libspice-client-gtk-3.0-5_0.35-1_amd64.deb
5e39beb269cf2511b5c569211fdd05eae67e80c5 236272 libspice-client-gtk-3.0-dev_0.35-1_amd64.deb
4e661eb894717f0b71c52483f7d6d286c01742d7 14112 spice-client-glib-usb-acl-helper-dbgsym_0.35-1_amd64.deb
c892a67941e5156caefb8cc201334f5e07a931f1 234820 spice-client-glib-usb-acl-helper_0.35-1_amd64.deb
0722ce08f989c1c8e8369fb6844d87bd74b2e73f 95728 spice-client-gtk-dbgsym_0.35-1_amd64.deb
bcade6a0f412a63de5dec2553a5ed087aa1a6df9 263064 spice-client-gtk_0.35-1_amd64.deb
468c93affc820146235c7bacff737c35c5026424 20005 spice-gtk_0.35-1_amd64.buildinfo
Checksums-Sha256:
66aa1c2b0d6215926aaed07c6cc34253d56c2a42a7dc970f434bfa9c7f1ba627 2812 spice-gtk_0.35-1.dsc
c7d7dc880d2ae7f81cd9149a21af260919d591283c14792d2e35834434c2cc91 1412429 spice-gtk_0.35.orig.tar.bz2
a2c81877dd02551099e173e5617b8445e4cd177e52608d515bc8f5007f733f98 13636 spice-gtk_0.35-1.debian.tar.xz
6d743dc1753ef7281ed6b18b5d2516fc1d8bec579b15830ac4faf6896ca6c7c0 238124 gir1.2-spiceclientglib-2.0_0.35-1_amd64.deb
efd2d9bf0344297afe7849b68509897e09d3f2d98f84efb46bc493e77b87d6c8 231164 gir1.2-spiceclientgtk-3.0_0.35-1_amd64.deb
8fe069b731bec622e8fc31b0e12d6c64307896937311e5d31decc1475690fe97 1771980 libspice-client-glib-2.0-8-dbgsym_0.35-1_amd64.deb
e808dfe1027cdd8bbd5d8c627fae8e54cc8204694f2d118e68686ce209b5e540 529004 libspice-client-glib-2.0-8_0.35-1_amd64.deb
4b7a8418cfdbf111611a5e1b10af8f5239e8285e9c686cc1ea5955b31f7c2927 314584 libspice-client-glib-2.0-dev_0.35-1_amd64.deb
aa91b0cd69d69c042d124cc0b2923045922c151528aa04156f906d407b5a5ddc 317148 libspice-client-gtk-3.0-5-dbgsym_0.35-1_amd64.deb
a16e3405c4ce98bdeaa36d7146e156c317bde259d642b4ca710bd3f4c59c68d1 273664 libspice-client-gtk-3.0-5_0.35-1_amd64.deb
7c713c5d9fd37bf7e26c77e917fc26c14bb7e48ef491130dc2a2f3ef6d29e28f 236272 libspice-client-gtk-3.0-dev_0.35-1_amd64.deb
b74350955bc804a8b29c65b40399de2263d26dd2916b30e677e60d812eedb748 14112 spice-client-glib-usb-acl-helper-dbgsym_0.35-1_amd64.deb
bafde81a8026fe339e185b4dffa31d07726aa32a4f05d72a3e1875b27cbf582d 234820 spice-client-glib-usb-acl-helper_0.35-1_amd64.deb
eb02c97a91a5b63a2747155a356e10a512e35d085d392e8690288b2ebd997691 95728 spice-client-gtk-dbgsym_0.35-1_amd64.deb
a576cd3cf6ce32d5fcbac4cddb0a9b13537db4fcb079fbbdf2f9bcff9d14f1ec 263064 spice-client-gtk_0.35-1_amd64.deb
d22e6ab73a5c6f9171b61cca2cfc7c02f3bc4a74d343383f0d2bccfb9e6c1412 20005 spice-gtk_0.35-1_amd64.buildinfo
Files:
3bd63fb2863152a4c4b4870367f43486 2812 misc optional spice-gtk_0.35-1.dsc
e23783fb43cb57a2fc807eab4db7c277 1412429 misc optional spice-gtk_0.35.orig.tar.bz2
705db6edb72703bfee61c9f792ff0d25 13636 misc optional spice-gtk_0.35-1.debian.tar.xz
05ec2ddc01cf1e51226220bb73e552f6 238124 introspection optional gir1.2-spiceclientglib-2.0_0.35-1_amd64.deb
2a81b63f7f22617c4cf4947d084ae73b 231164 introspection optional gir1.2-spiceclientgtk-3.0_0.35-1_amd64.deb
354539847ced48b5ac8f75db32956d20 1771980 debug optional libspice-client-glib-2.0-8-dbgsym_0.35-1_amd64.deb
cf52b3e4d035cfcbd04727b6b9a7fef7 529004 libs optional libspice-client-glib-2.0-8_0.35-1_amd64.deb
8af5abc86a1b6debe7569bf5c45ca1b5 314584 libdevel optional libspice-client-glib-2.0-dev_0.35-1_amd64.deb
eb1b0dd600b2fffb76b3a6051c2bbae0 317148 debug optional libspice-client-gtk-3.0-5-dbgsym_0.35-1_amd64.deb
692bf83f67a72f22c68e167ea5cb9793 273664 libs optional libspice-client-gtk-3.0-5_0.35-1_amd64.deb
933ee3288cb7f30457d1ea9f67b114b0 236272 libdevel optional libspice-client-gtk-3.0-dev_0.35-1_amd64.deb
ab51d2c725d65eadb40b91005afac291 14112 debug optional spice-client-glib-usb-acl-helper-dbgsym_0.35-1_amd64.deb
e013066255d00923a9b1000c3f75c1e2 234820 misc optional spice-client-glib-usb-acl-helper_0.35-1_amd64.deb
a13be5717468cc9fa18515736dd55acd 95728 debug optional spice-client-gtk-dbgsym_0.35-1_amd64.deb
30e235886a39400deb146c92b7e7e5c1 263064 misc optional spice-client-gtk_0.35-1_amd64.deb
df69a714c916f9899e87347474d7a8ff 20005 misc optional spice-gtk_0.35-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQFFBAEBCAAvFiEEmRrdqQAhuF2x31DwH8WJHrqwQ9UFAluOSR8RHGJpZ29uQGRl
Ymlhbi5vcmcACgkQH8WJHrqwQ9XZfAgAoBsrjtqL9VtUgk3utCeH9W+vCP8ZPOPF
ZCxeIlDphv5ks9kEyFWWTwsVfzlkiiR+XVkdYX8GE8aQGu3At8AnAECJS5sgDXvW
k4IPPr0ohXAyJxH27PZv1Cr+Z+xHrB+0ThHmycIAC+rm9bRvIaAKObyUgOD77z1K
gWwPQRSRtcvsVaq5oX611JOmOTqTKCexBlsCcX4T0z8Pik5a3XPu42/f5tscLfyk
tin+AyKcp7K7vFWB3qycL3w/8Ul1XuVC9qVcH0YD18Fcr6Vy16TYbzwP5UJK62Yi
fxsJmpAABEWr/qgqpdJz8ux3rmQmoynkWproiaaQYnA4SUollN9LZg==
=wdES
-----END PGP SIGNATURE-----
--- End Message ---