spice-gtk: CVE-2017-12194: Integer overflows causing buffer overflows in spice-client

Related Vulnerabilities: CVE-2017-12194   CVE-2018-10873  

Debian Bug report logs - #898503

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 12 May 2018 20:21:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version spice-gtk/0.25-1

Fixed in version spice-gtk/0.35-1

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Liang Guo <guoliang@debian.org>:
Bug#898503; Package src:spice-gtk. (Sat, 12 May 2018 20:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Liang Guo <guoliang@debian.org>. (Sat, 12 May 2018 20:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spice-gtk: CVE-2017-12194: Integer overflows causing buffer overflows in spice-client
Date: Sat, 12 May 2018 22:17:38 +0200
Source: spice-gtk
Version: 0.25-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for spice-gtk.

CVE-2017-12194[0]:
| A flaw was found in the way spice-client processed certain messages
| sent from the server. An attacker, having control of malicious
| spice-server, could use this flaw to crash the client or execute
| arbitrary code with permissions of the user running the client.
| spice-gtk versions through 0.34 are believed to be vulnerable.

See [2] for a test-program to demonstrate the issue (attached here as
well) and two proposed patches to be applied.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12194
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12194
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1501200
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1240165

Regards,
Salvatore
[test-overflow.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#898503; Package src:spice-gtk. (Sat, 12 May 2018 20:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>. (Sat, 12 May 2018 20:33:03 GMT)


Message #10 received at 898503@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 898503@bugs.debian.org
Subject: Re: Bug#898503: spice-gtk: CVE-2017-12194: Integer overflows causing buffer overflows in spice-client
Date: Sat, 12 May 2018 22:29:59 +0200
Control: tags -1 + patch

Attaching as well the two proposed patches (and which make the
testcase pass).

Regards,
Salvatore
[test-overflow.patch (text/x-diff, attachment)]
[Fix-integer-overflows-computing-sizes.patch (text/x-diff, attachment)]
[Avoid-integer-overflow-computing-image-sizes.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 898503-submit@bugs.debian.org. (Sat, 12 May 2018 20:33:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#898503; Package src:spice-gtk. (Thu, 19 Jul 2018 07:51:03 GMT)


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>. (Thu, 19 Jul 2018 07:51:03 GMT)


Message #17 received at 898503@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: Debian Bug Tracking System <898503@bugs.debian.org>
Subject: Re: spice-gtk: CVE-2017-12194: Integer overflows causing buffer overflows in spice-client
Date: Thu, 19 Jul 2018 09:48:44 +0200
Package: src:spice-gtk
Followup-For: Bug #898503

Hi,

This seems to be fixed in 0.35 release, could you please update? (It
requires a newer version of spice-protocol first)

Kind regards,

Laurent Bigonville

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-rc4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy



Added tag(s) fixed-upstream. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Thu, 19 Jul 2018 07:51:05 GMT)


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Wed, 05 Sep 2018 07:09:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 05 Sep 2018 07:09:07 GMT)


Message #24 received at 898503-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 898503-close@bugs.debian.org
Subject: Bug#898503: fixed in spice-gtk 0.35-1
Date: Wed, 05 Sep 2018 07:04:51 +0000
Source: spice-gtk
Source-Version: 0.35-1

We believe that the bug you reported is fixed in the latest version of
spice-gtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 898503@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated spice-gtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 04 Sep 2018 10:46:38 +0200
Source: spice-gtk
Binary: spice-client-gtk spice-client-glib-usb-acl-helper libspice-client-glib-2.0-8 gir1.2-spiceclientglib-2.0 libspice-client-glib-2.0-dev libspice-client-gtk-3.0-5 gir1.2-spiceclientgtk-3.0 libspice-client-gtk-3.0-dev
Architecture: source amd64
Version: 0.35-1
Distribution: unstable
Urgency: medium
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 gir1.2-spiceclientglib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
 gir1.2-spiceclientgtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
 libspice-client-glib-2.0-8 - GObject for communicating with Spice servers (runtime library)
 libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
 libspice-client-gtk-3.0-5 - GTK3 widget for SPICE clients (runtime library)
 libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
 spice-client-glib-usb-acl-helper - Helper tool to validate usb ACLs
 spice-client-gtk - Simple clients for interacting with SPICE servers
Closes: 857367 876089 898503 906316
Changes:
 spice-gtk (0.35-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 0.35
     - Fix Integer overflows causing buffer overflows in spice-client (Closes:
       #898503 CVE-2017-12194)
   * debian/control: Update the Vcs-* fields to point to salsa
   * debian/control: Bump build-dependencies
   * Drop build-dependency against libgudev-1.0-dev, this is not needed with
     libusb-1.0-0-dev >= 1.0.16, bump libusb-1.0-0-dev version accordingly
     (Closes: #876089)
   * Drop d/p/explicitly-enable-subdir-objects.patch, doesn't seem needed anymore
   * debian/rules: Remove --parallel and --with autoreconf, it's the default
     with debhelper 10
   * The libspice-controller library was removed upstream. Add a Breaks against
     virt-viewer (<< 7.0), which is the only user of that library. (Closes:
     #857367)
   * debian/libspice-client-glib-2.0-8.symbols: Add new exported symbols
   * debian/watch: Use https instead of plain http
   * debian/control: Drop X-Python-Version to please lintian
   * debian/control: Bump Standards-Version to 4.2.1 (no further changes)
   * d/p/0001-Fix-flexible-array-buffer-overflow.patch: Fix possible buffer
     overflow and denial of service (CVE-2018-10873) (Closes: #906316)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 11 Oct 2018 07:25:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:10:54 2019; Machine Name: beach
