Your message dated Wed, 15 Feb 2017 21:35:18 +0000
with message-id <e1ce7em-000ei7...@fasolo.debian.org>
and subject line Bug#854336: fixed in spice 0.12.8-2.1
has caused the Debian Bug report #854336,
regarding CVE-2016-9577 CVE-2016-9578
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
854336: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854336
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spice
Severity: grave
Tags: security
Please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9577
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9578
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
Source: spice
Source-Version: 0.12.8-2.1
We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated spice package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 13 Feb 2017 21:42:01 +0100
Source: spice
Binary: libspice-server1 libspice-server-dev
Architecture: source
Version: 0.12.8-2.1
Distribution: unstable
Urgency: medium
Maintainer: Liang Guo <guoli...@debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
Closes: 854336
Changes:
 spice (0.12.8-2.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add CVE-2016-9577-and-CVE-2016-9578.patch:
     - CVE-2016-9577: A buffer overflow vulnerability in
       main_channel_alloc_msg_rcv_buf was found that occurs when reading large
       messages due to missing buffer size check.
     - CVE-2016-9578: A vulnerability was discovered in the server's
       protocol handling. An attacker able to connect to the spice server could
       send crafted messages which would cause the process to crash.
       (Closes: #854336)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---