Your message dated Sat, 20 Oct 2018 09:48:23 +0000
with message-id <e1gdnrr-000fnx...@fasolo.debian.org>
and subject line Bug#906315: fixed in spice 0.12.8-2.1+deb9u2
has caused the Debian Bug report #906315,
regarding spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spice
Version: 0.14.0-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:spice-gtk 0.34-1.1
Control: retitle -2 spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Hi,
The following vulnerability was published for spice.
CVE-2018-10873[0]:
|Missing check in demarshal.py:write_validate_array_item() allows for
|buffer overflow and denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
[1] http://www.openwall.com/lists/oss-security/2018/08/17/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1596008
[3] https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: spice
Source-Version: 0.12.8-2.1+deb9u2
We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 906...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated spice package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 07 Oct 2018 08:51:43 +0200
Source: spice
Binary: libspice-server1 libspice-server-dev
Architecture: source
Version: 0.12.8-2.1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Liang Guo <guoli...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 906315
Description:
libspice-server-dev - Header files and development documentation for spice-server
libspice-server1 - Implements the server side of the SPICE protocol
Changes:
spice (0.12.8-2.1+deb9u2) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906315)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---