Your message dated Mon, 08 Oct 2018 20:59:12 +0000
with message-id <e1g9ccs-000el4...@fasolo.debian.org>
and subject line Bug#906315: fixed in spice 0.14.0-1.1
has caused the Debian Bug report #906315,
regarding spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spice
Version: 0.14.0-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:spice-gtk 0.34-1.1
Control: retitle -2 spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service

Hi,

The following vulnerability was published for spice.

CVE-2018-10873[0]:
|Missing check in demarshal.py:write_validate_array_item() allows for
|buffer overflow and denial of service

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10873
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
[1] http://www.openwall.com/lists/oss-security/2018/08/17/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1596008
[3] https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: spice
Source-Version: 0.14.0-1.1

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 906...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 15 Sep 2018 09:15:28 +0200
Source: spice
Binary: libspice-server1 libspice-server-dev
Architecture: source
Version: 0.14.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Liang Guo <guoli...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 906315
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
Changes:
 spice (0.14.0-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906315)
Checksums-Sha1: 
 71ebe34255c4abcf52a41315f49eb1e8008f3e23 2797 spice_0.14.0-1.1.dsc
 1b16799e20b1ed19da6d9128d2439411cfce57cb 14580 spice_0.14.0-1.1.debian.tar.xz
Checksums-Sha256: 
 d562374db9d11204aa8e2473afb7a7cf868596f5cd6cae5d88f0de3b2ca68026 2797 spice_0.14.0-1.1.dsc
 bd31e9f626f44ef703c7911a8818b0e48ef6b03d0e1b97e98713f134b9242132 14580 spice_0.14.0-1.1.debian.tar.xz
Files: 
 62de5aac34be4280e7d27059e5b099d0 2797 misc optional spice_0.14.0-1.1.dsc
 77f17ab592ff4cfd2421f393a5dda9c6 14580 misc optional spice_0.14.0-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
