Your message dated Sat, 27 Oct 2018 21:11:34 +0000
with message-id <e1ggvrq-000d2a...@fasolo.debian.org>
and subject line Bug#906316: fixed in spice-gtk 0.33-3.3+deb9u1
has caused the Debian Bug report #906316,
regarding spice-gtk: CVE-2018-10873: Missing check in
demarshal.py:write_validate_array_item() allows for buffer overflow and denial
of service
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
906316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: spice
Version: 0.14.0-1
Severity: grave
Tags: patch security upstream
Control: clone -1 -2
Control: reassign -2 src:spice-gtk 0.34-1.1
Control: retitle -2 spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Hi,
The following vulnerability was published for spice.
CVE-2018-10873[0]:
|Missing check in demarshal.py:write_validate_array_item() allows for
|buffer overflow and denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
[1] http://www.openwall.com/lists/oss-security/2018/08/17/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1596008
[3] https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: spice-gtk
Source-Version: 0.33-3.3+deb9u1
We believe that the bug you reported is fixed in the latest version of
spice-gtk, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 906...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated spice-gtk package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 26 Oct 2018 17:52:24 +0200
Source: spice-gtk
Binary: spice-client-gtk spice-client-glib-usb-acl-helper libspice-client-glib-2.0-8 gir1.2-spice-client-glib-2.0 libspice-client-glib-2.0-dev libspice-client-gtk-3.0-5 gir1.2-spice-client-gtk-3.0 libspice-client-gtk-3.0-dev
Architecture: source
Version: 0.33-3.3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Liang Guo <guoli...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 906316
Description:
 gir1.2-spice-client-glib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
 gir1.2-spice-client-gtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
 libspice-client-glib-2.0-8 - GObject for communicating with Spice servers (runtime library)
 libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
 libspice-client-gtk-3.0-5 - GTK3 widget for SPICE clients (runtime library)
 libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
 spice-client-glib-usb-acl-helper - Helper tool to validate usb ACLs
 spice-client-gtk - Simple clients for interacting with SPICE servers
Changes:
spice-gtk (0.33-3.3+deb9u1) stretch; urgency=medium
.
* Non-maintainer upload.
* Fix flexible array buffer overflow (CVE-2018-10873) (Closes: #906316)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---