Debian Bug report logs -
#797976
spice: CVE-2015-3247: memory corruption in worker_update_monitors_config()
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 4 Sep 2015 06:24:02 UTC
Severity: grave
Tags: patch, security, upstream
Found in version spice/0.12.5-1
Fixed in versions spice/0.12.5-1.2, spice/0.12.5-1+deb8u1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>:
Bug#797976; Package src:spice.
(Fri, 04 Sep 2015 06:24:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>.
(Fri, 04 Sep 2015 06:24:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: spice
Version: 0.12.5-1
Severity: grave
Tags: security patch upstream
Hi,
the following vulnerability was published for spice.
CVE-2015-3247[0]:
memory corruption in worker_update_monitors_config()
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-3247
[1] https://git.centos.org/blob/rpms!spice.git/11e32f6dd156a3c4847da29d989837437e973ccc/SOURCES!0038-Avoid-race-conditions-reading-monitor-configs-from-g.patch
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#797976; Package src:spice.
(Fri, 04 Sep 2015 10:51:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>.
(Fri, 04 Sep 2015 10:51:05 GMT) (full text, mbox, link).
Message #10 received at 797976@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch
Hi,
Attached is the debdiff prepared for a jessie-security upload.
Regards,
Salvatore
[spice_0.12.5-1+deb8u1.debdiff (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#797976; Package src:spice.
(Sun, 06 Sep 2015 19:30:15 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>.
(Sun, 06 Sep 2015 19:30:15 GMT) (full text, mbox, link).
Message #15 received at 797976@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 797976 + pending
Dear maintainer,
I've prepared an NMU for spice (versioned as 0.12.5-1.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[spice-0.12.5-1.2-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 797976-submit@bugs.debian.org.
(Sun, 06 Sep 2015 19:30:15 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 08 Sep 2015 19:51:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 08 Sep 2015 19:51:09 GMT) (full text, mbox, link).
Message #22 received at 797976-close@bugs.debian.org (full text, mbox, reply):
Source: spice
Source-Version: 0.12.5-1.2
We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 797976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 05 Sep 2015 05:51:01 +0200
Source: spice
Binary: spice-client libspice-server1 libspice-server1-dbg libspice-server-dev
Architecture: source
Version: 0.12.5-1.2
Distribution: unstable
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 797976
Description:
libspice-server-dev - Header files and development documentation for spice-server
libspice-server1 - Implements the server side of the SPICE protocol
libspice-server1-dbg - Debugging symbols for libspice-server1
spice-client - Implements the client side of the SPICE protocol
Changes:
spice (0.12.5-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* Add CVE-2015-3247.patch patch.
CVE-2015-3247: Memory corruption in worker_update_monitors_config().
(Closes: #797976)
Checksums-Sha1:
ae907c1d714e28217018b1173dd0d099637c28df 2361 spice_0.12.5-1.2.dsc
b5054609c118e19f2bf3f65036d138bad64c5a5b 16448 spice_0.12.5-1.2.debian.tar.xz
Checksums-Sha256:
c2f8b3fd1d2b16ee18c9fa0c474844286ec10c6b409de492358a59e15d48108f 2361 spice_0.12.5-1.2.dsc
aaab3fa3ee1a3f983b9589034e07b5d98d679cbdff7007c907afea695dd2bc71 16448 spice_0.12.5-1.2.debian.tar.xz
Files:
34c6830e85175d1a89a7b937f9a2d0c4 2361 misc optional spice_0.12.5-1.2.dsc
ee8500331df521efe5e757301f81ff4d 16448 misc optional spice_0.12.5-1.2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJV6mlxAAoJEAVMuPMTQ89E/l8P/13t2zImtGd9wd9MBMCInNmI
ZAC6UaZ4HHgwehHB8cljQkHMGJaRVja4C0IbtPaxdEesiBgI8m7DdtiPLT/23Wgw
RR1CjCLtVgoJ97frqDmhZeMRnT7igue98HKjcZt4EMHvE35vXArN76UMJ5jjOhl1
JSynFYeF4hX8YQBaMMJFiYqagmOKVKskDF/MUNGSSxule/MN9InHhMDvab+rxD4m
2ZfklgPRt1Yuu24rAjfO5A9iYd/IqW36h5KqYENmyULI5MawU9LrgPZf1u3iA3db
bDdGZpDHaTao0oI3TZw4JZrpFbtX4oVqCbXTDm3Yb4H17R1sdqUSIpewXeVPHuHv
UTJu3kxVhrUtk2CuBsRzpFhGuEs9X9A8aCx8NBPQ43bRv++ikqISKdH4+mM4K3jw
of9LCBCHBYosMoNNCUcYgqqIraZ29IdpQRgRq1ukN+tC+w8DQlEzLdDZReqT2HtL
sg1vUCsyFY9VgH3vbgy/O1d5DY6R/kviC5q32FNWpYkouQ2HWUN7p40dwFK3r/AF
r6SwaKXx0C6j4NYmJtMnHD9aMfq9/TtvZiKUpRA880mXMmVrnlPq6A3BqPg5Zyzp
EazJ194xco/cv18NzN32Kf9BVXUHyGsqEQH2kaMIx1Myg5mir4hQrgL84gPboUQg
sle6iXDMYS+pwFmFFmLW
=M2rN
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 12 Sep 2015 21:22:26 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 12 Sep 2015 21:22:26 GMT) (full text, mbox, link).
Message #27 received at 797976-close@bugs.debian.org (full text, mbox, reply):
Source: spice
Source-Version: 0.12.5-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 797976@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 04 Sep 2015 09:34:00 +0200
Source: spice
Binary: spice-client libspice-server1 libspice-server1-dbg libspice-server-dev
Architecture: source
Version: 0.12.5-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 797976
Description:
libspice-server-dev - Header files and development documentation for spice-server
libspice-server1 - Implements the server side of the SPICE protocol
libspice-server1-dbg - Debugging symbols for libspice-server1
spice-client - Implements the client side of the SPICE protocol
Changes:
spice (0.12.5-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2015-3247.patch patch.
CVE-2015-3247: Memory corruption in worker_update_monitors_config().
(Closes: #797976)
Checksums-Sha1:
2da1aa188b2edf10b5039f62a565bdb6329dd173 2355 spice_0.12.5-1+deb8u1.dsc
2fabe47611cac6b43b3c2c61e400d7375f06e16a 1737169 spice_0.12.5.orig.tar.bz2
684ce5f7ec08004821a1b26d2f693ff145b603d0 16404 spice_0.12.5-1+deb8u1.debian.tar.xz
Checksums-Sha256:
d7a48c58c7d8720dd28e0d2de8adefc30ab664d18e15931ac5a3a98681a5934b 2355 spice_0.12.5-1+deb8u1.dsc
4209a20d8f67cb99a8a6ac499cfe79a18d4ca226360457954a223d6795c2f581 1737169 spice_0.12.5.orig.tar.bz2
80d9911664ca2ca7c7b3a6ee85d26a01717a10465e0ebc15e780cf03482b7b42 16404 spice_0.12.5-1+deb8u1.debian.tar.xz
Files:
00727efcb18f391f061243b110ffd044 2355 misc optional spice_0.12.5-1+deb8u1.dsc
1256286214fe402703c0a01bd3a85319 1737169 misc optional spice_0.12.5.orig.tar.bz2
91b33b72c1b8d33f3d5a43a41084927f 16404 misc optional spice_0.12.5-1+deb8u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJV6gTXAAoJEAVMuPMTQ89EFzsP/2pGzzIrCuuDWymvu/8lN0FO
qERrGIpRoArCu6p1SWkPutJWIJzYi+VD2AalN488pqGAHLsdVCPJkXMIdZ5I3Z57
auOQ65YpdtqeMgHTkyP0wwqcW9MfuNy8ncokOYpQdLGPJLh9bNAMo+gEYdnDyUEG
q36eKLgo5sp5BfDdOCDnXn7R4b/6ISStqnVPaBTChKok473TXle7Rya8dl3pV17z
kivharIuzx6TAJz41RObkjQDCHLFOEfas/26yua+jGLyaD+I2X8z/5m6hVZ+BPUk
BL/F9LMomnkp/pJZKDi29vTUaPrvcLw0tqKY7uqwO/FjwHPfqTbbgl2mlSqx6Ojq
+i9lefYTUYd+hE0yKyzqaucy9ORc3OcfLzsRc9hi7j78F2r+vGVgDAR/W6o+4RVR
CkKqhe7jyEfXNMjxZHdJ938kFDIbsJ6XiNSzsMVs2qnPG7ae6D5z+n+Wr8rrRA6X
uYrYf/JYyLBf92lkuu3rXlb4zS1tO9tJxp6hJklTMzM43Rxy0ArXl2tFg/7T83DW
PKzCVtQ9mij+heHR68qjXJKapxsUKRvuLuiNDhr+f++iu9L2xrRO+2C9mq8VJtxU
Eyrk+GHmR5FXd15JA108sgvteTbpjUQrDYYgVEDLJd9PULzfQMebkDG30V2syx+0
tIex5+ij2cHAJq0D0V/z
=w4mY
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#797976; Package src:spice.
(Mon, 12 Oct 2015 15:39:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Welly Ardiansyah <wellyardiansyah43071992@gmail.com>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>.
(Mon, 12 Oct 2015 15:39:04 GMT) (full text, mbox, link).
Message #32 received at 797976@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Please give me security updates. To be able to install debian application
for android
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#797976; Package src:spice.
(Sat, 31 Oct 2015 13:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Interfax Service" <incoming@interfax.net>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>.
(Sat, 31 Oct 2015 13:51:06 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jan 2016 07:35:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:44:51 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon