Debian Bug report logs - #883238
spice-vdagent: CVE-2017-15108: Improper validation of xfers->save_dir in vdagent_file_xfers_data()


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 1 Dec 2017 07:24:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions spice-vdagent/0.15.0-1, spice-vdagent/0.17.0-1

Fixed in version spice-vdagent/0.18.0-1

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>:
Bug#883238; Package src:spice-vdagent. (Fri, 01 Dec 2017 07:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>. (Fri, 01 Dec 2017 07:24:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spice-vdagent: CVE-2017-15108: Improper validation of xfers->save_dir in vdagent_file_xfers_data()
Date: Fri, 01 Dec 2017 08:20:59 +0100
Source: spice-vdagent
Version: 0.17.0-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerability was published for spice-vdagent.

CVE-2017-15108[0]:
|spice-vdagent: Improper validation of xfers->save_dir in
|vdagent_file_xfers_data()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-15108
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15108
[1] https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions spice-vdagent/0.15.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 01 Dec 2017 07:36:05 GMT)


Added tag(s) pending. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Tue, 02 Oct 2018 23:39:04 GMT)


Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Thu, 18 Oct 2018 00:39:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 18 Oct 2018 00:39:07 GMT)


Message #14 received at 883238-close@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: 883238-close@bugs.debian.org
Subject: Bug#883238: fixed in spice-vdagent 0.18.0-1
Date: Thu, 18 Oct 2018 00:35:39 +0000
Source: spice-vdagent
Source-Version: 0.18.0-1

We believe that the bug you reported is fixed in the latest version of
spice-vdagent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated spice-vdagent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 03 Oct 2018 01:22:06 +0200
Source: spice-vdagent
Binary: spice-vdagent
Architecture: source amd64
Version: 0.18.0-1
Distribution: unstable
Urgency: medium
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description:
 spice-vdagent - Spice agent for Linux
Closes: 874678 883238 894116 905771
Changes:
 spice-vdagent (0.18.0-1) unstable; urgency=medium
 .
   * Team upload.
   [ Laurent Bigonville ]
   * debian/watch: Update the URL
   * New upstream version 0.18.0 (Closes: #905771)
     - Quote the save directory before passing to shell (Closes: #883238
       CVE-2017-15108)
     - Drop the patches merged upstream
     - debian/patches/systemd_service_default_file.patch: Refreshed
     - debian/control: Bump the build-dependencies
   * debian/control: Build-depend against udev
   * debian/control: Drop dh-systemd, not needed with debhelper >= 10
   * debian/control: Bump Standards-Version to 4.2.1 (no further changes)
   * debian/control: Update Vcs- fields to the new URL
   * Enable GTK support, the X11 backend is deprecated
   * debian/rules: Reduce the number of runtime dependencies
   * debian/control: Fix typos in the Description.
     Thanks to Ludovic Rousseau <ludovic.rousseau@free.fr> (Closes: #874678)
   * debian/rules: Use dh_auto_install instead of calling make directly
   * debian/rules: Use dh_missing --list-missing instead of dh_install
 .
   [ Helmut Grohne ]
   * Fix FTCBFS: Let dh_auto_configure pass --host to ./configure.
     (Closes: #894116)

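The changelog entry above records the fix for CVE-2017-15108 as quoting the save directory before it is passed to the shell. The C snippet below is an added illustration of that pattern and is not spice-vdagent's own code: a hand-written equivalent of GLib's g_shell_quote() turns the directory name into a single shell word before it is placed in a command; the function names, the use of xdg-open and the sample paths are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s as one POSIX shell word: wrap it in single quotes and turn each
 * embedded ' into '\'' (close the quote, add an escaped quote, reopen).
 * This mirrors what GLib's g_shell_quote() produces; it is written out here
 * only so the example runs without GLib. The caller frees the result. */
char *shell_quote(const char *s)
{
    size_t len = strlen(s), extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            extra += 3;             /* ' grows into '\'' (4 bytes) */
    char *out = malloc(len + extra + 3), *o = out;
    if (!out)
        return NULL;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build the command that opens the save directory in the desktop's file
 * manager (xdg-open is an assumption of this example). save_dir is treated
 * as untrusted input: the quoting above keeps it a single argument whatever
 * characters it contains, instead of interpolating it into the command
 * string verbatim. The caller frees the result. */
char *build_open_command(const char *save_dir)
{
    char *quoted = shell_quote(save_dir);
    if (!quoted)
        return NULL;
    size_t n = strlen("xdg-open ") + strlen(quoted) + 1;
    char *cmd = malloc(n);
    if (cmd)
        snprintf(cmd, n, "xdg-open %s", quoted);
    free(quoted);
    return cmd;
}
```

For a constructed directory name such as /home/user/it's here the builder yields xdg-open '/home/user/it'\''s here', which the shell reads as exactly one argument.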




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Nov 2018 07:26:52 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:01:42 2019; Machine Name: buxtehude
