spice: CVE-2015-5260: Insufficient validation of surface_id parameter can cause crash

Debian Bug report logs - #801089
spice: CVE-2015-5260: Insufficient validation of surface_id parameter can cause crash

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: spice: CVE-2015-5260: Insufficient validation of surface_id parameter can cause crash

Date: Tue, 06 Oct 2015 09:19:08 +0200

Source: spice
Version: 0.12.5-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for spice.

CVE-2015-5260[0]:
Insufficient validation of surface_id parameter can cause crash

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5260
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1260822

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

p.s.: working on an update at least for jessie.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Message #10 received at 801089@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 801089@bugs.debian.org, 801091@bugs.debian.org

Subject: spice: diff for NMU version 0.12.5-1.3

Date: Wed, 7 Oct 2015 18:18:02 +0200

[Message part 1 (text/plain, inline)]

tags 801089 + patch pending
tags 801091 + patch pending
thanks

Dear maintainer,

I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore

[spice-0.12.5-1.3-nmu.diff (text/x-diff, attachment)]

Message #17 received at 801089@bugs.debian.org (full text, mbox, reply):

From: Liang Guo <bluestonechina@gmail.com>

To: Salvatore Bonaccorso <carnil@debian.org>, 801089@bugs.debian.org

Subject: Re: Bug#801089: spice: diff for NMU version 0.12.5-1.3

Date: Thu, 8 Oct 2015 13:54:14 +0800

On Thu, Oct 8, 2015 at 12:18 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> tags 801089 + patch pending
> tags 801091 + patch pending
> thanks
>
> Dear maintainer,
>
> I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer.
>
> Regards,
> Salvatore

Please upload to ftp-master NOW.

btw, would you like co-maintain, or takeover spice ?

Thanks,
-- 
Liang Guo
http://guoliang.me/

Message #22 received at 801089-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 801089-close@bugs.debian.org

Subject: Bug#801089: fixed in spice 0.12.5-1.3

Date: Thu, 08 Oct 2015 09:26:59 +0000

Source: spice
Source-Version: 0.12.5-1.3

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Oct 2015 07:23:38 +0200
Source: spice
Binary: spice-client libspice-server1 libspice-server1-dbg libspice-server-dev
Architecture: source
Version: 0.12.5-1.3
Distribution: unstable
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 801089 801091
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
 libspice-server1-dbg - Debugging symbols for libspice-server1
 spice-client - Implements the client side of the SPICE protocol
Changes:
 spice (0.12.5-1.3) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add series of patches for CVE-2015-5260 and CVE-2015-6261.
     CVE-2015-5260: insufficient validation of surface_id parameter can cause
     crash. (Closes: #801089)
     CVE-2015-5261: host memory access from guest using crafted images.
     (Closes: #801091)
Checksums-Sha1: 
 ddfe911a8db97277d68c2f3223a2451a2f75f754 2361 spice_0.12.5-1.3.dsc
 eea80df8ffaba3d499489119d4aead2d4896ae50 25004 spice_0.12.5-1.3.debian.tar.xz
Checksums-Sha256: 
 c84662a4002947c986d9fc8729a99bab9cd364e8dd75fb7019780b66b104b6eb 2361 spice_0.12.5-1.3.dsc
 f158cdf3092e7633497a8700502ed6d2af7219100efb8e99fe0325a8aff716e9 25004 spice_0.12.5-1.3.debian.tar.xz
Files: 
 a65dfc82e68cb3006686acdb1dcc7bf0 2361 misc optional spice_0.12.5-1.3.dsc
 55c345fc77483b839d3238157895eec9 25004 misc optional spice_0.12.5-1.3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWFUSSAAoJEAVMuPMTQ89EnjIP/0rp6eG3KiTS+jtJCdt8huxW
5Zb7mC4JIPQ2ZkxDFleafUUJ1eAREGRAaPYppqoh6WcHQiB/lxFV4yLtiJ2Ymae0
wjqJMt6ckWp2QxNIhePEn8x7DRmMKKCgGgz+ChqD7/ndyVxb2wfaZ0vvbWDN3W0S
2MGwVAEtlm6UouY57atcU03RKUrCWdGbznQji8oIt8oMhMRiUXlnYzhJeQN6Muhy
v7SlRsh4kSeZ+9gLloyZTsLheydn07b+zjwZUrpfLmpitkQM/Zmb2+q1E9fHuz8d
FPIWAB+V1UlW9hyOo5wM3YrPsaYDcREi84AerfLedSvTDckD8gdV97Zv6t9Ro9QZ
wr0trl26KEglvymaOpeT3uqPL/yQA20v41K49yuF7wtKwNw2QIV7EP8W1nqpbwWe
FgTs2X0KXVV/ZkEcRpPxnfH9xq8LqG880y0yMi8djp4AKR0LchTH2S9BiYEUugPo
HQgNblXEr4lCxuIMDetp88gHE3X8Wa5VlsywGcz6H9ijV+K3/bmYmtn4AlwhQsMa
I51VsPkBNXqow0emZHj+R7QtbKAj+VwvLw0RW1nJ5oEwQARZ2BMM8WnffLNu8q8g
dlHWw4YROcu2Nh+8I8g8Cil5R2HM1p4k3tjRjp5nl+JcO6H/qSsQglRTS/nyNKOl
vo0mcxX3nTlibKw/ojWp
=ktsn
-----END PGP SIGNATURE-----

Message #27 received at 801089@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Liang Guo <bluestonechina@gmail.com>

Cc: 801089@bugs.debian.org

Subject: Re: Bug#801089: spice: diff for NMU version 0.12.5-1.3

Date: Thu, 8 Oct 2015 13:43:15 +0200

Hey!

On Thu, Oct 08, 2015 at 01:54:14PM +0800, Liang Guo wrote:
> On Thu, Oct 8, 2015 at 12:18 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> > tags 801089 + patch pending
> > tags 801091 + patch pending
> > thanks
> >
> > Dear maintainer,
> >
> > I've prepared an NMU for spice (versioned as 0.12.5-1.3) and
> > uploaded it to DELAYED/2. Please feel free to tell me if I
> > should delay it longer.
> >
> > Regards,
> > Salvatore
> 
> Please upload to ftp-master NOW.

Thanks for confirming, so have uploaded to unstable.

> btw, would you like co-maintain, or takeover spice ?

I guess i would take too much on my plate if I do so, so thus "no
cannot" ... sorry! :(

Regards,
Salvatore

Message #32 received at 801089-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 801089-close@bugs.debian.org

Subject: Bug#801089: fixed in spice 0.12.5-1+deb8u2

Date: Sat, 10 Oct 2015 18:47:07 +0000

Source: spice
Source-Version: 0.12.5-1+deb8u2

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 06 Oct 2015 23:02:42 +0200
Source: spice
Binary: spice-client libspice-server1 libspice-server1-dbg libspice-server-dev
Architecture: source
Version: 0.12.5-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 801089 801091
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
 libspice-server1-dbg - Debugging symbols for libspice-server1
 spice-client - Implements the client side of the SPICE protocol
Changes:
 spice (0.12.5-1+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add series of patches for CVE-2015-5260 and CVE-2015-6261.
     CVE-2015-5260: insufficient validation of surface_id parameter can cause
     crash. (Closes: #801089)
     CVE-2015-5261: host memory access from guest using crafted images.
     (Closes: #801091)
Checksums-Sha1: 
 5e2164701b4d53748cea23a39230c08bfcc14759 2355 spice_0.12.5-1+deb8u2.dsc
 9df0315e5d107869b57960ac5954d9e2ba5abf36 24968 spice_0.12.5-1+deb8u2.debian.tar.xz
Checksums-Sha256: 
 9c68b917fe393e4544d2970ec5a5506d187a60194cb8ee958332488d5beeb13d 2355 spice_0.12.5-1+deb8u2.dsc
 2941836cec7e3d4c9f2e46bb0c859fcc6cfb305ba1503e6f8317d90fc0b6d9ec 24968 spice_0.12.5-1+deb8u2.debian.tar.xz
Files: 
 6c1e0bbfcd8b651e193829d212d370bd 2355 misc optional spice_0.12.5-1+deb8u2.dsc
 b4c866c1fd31f4fd54c65c41a68ddc4c 24968 misc optional spice_0.12.5-1+deb8u2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWFDhoAAoJEAVMuPMTQ89Eq1EP/jQoKDKYj/IynAzE6E+6imLv
pbHb/ErLGn/mWaScc5B7d8Wpt/SMqI/7qYL863pHDSIM60r0m8lZg7aNdsNUXudJ
EKyqxGcwjtDtmX3TKrn6UTcTZoOESKX/yfZf3zaZr6uqISftfBzwlJGN2a/uwMRw
G0OMKDpMhEgTHdRZbvMtUNXr5d96hrUCvkkk7G/6Z1UmbmFjNNEPrJr4LVnLONMG
nfFyJVKfxZAZ9T3HLz2X+BLRh45eIO4rRSjjPOC14aY0udzT4vaPNFbSwBd+4wq1
3tzRgL+lLSaW3R+Pciejpmoz20Q3A3oFvWuSW6H9AVL/F+GLVhXy3+Y7DL3PD0q7
W/t7a7x5gRlqOQclu36FF992tH1RKtPcsJOwsn57pGkcURhdca2Bq3CIoyezc8QF
0JQ6Z4TNX2Og/ONWd8mhBrPy9YXPLuTbmxl5NJJuUdsmxRh7r81J+7+Z/nEpI3SM
5MdZjKw0q/BwciW+eIxjJGk2MKBhqKqrSxh+UmlJpar2wQPkgJnxxRAJIrOsY/dq
OkWU/sgkHc+G9uGP3/BTUBLs9MxWFy42igELKphfTio69KiR1vh8lvlehWBBYS/l
eN3wSSql8ylfgnn07mraWELNrjhGBN3/DEolkItVVhHx+ZYUCv9mz78A1yQg5Vmw
GFJiGKtJ6oX7uychO+mU
=gLq1
-----END PGP SIGNATURE-----

Message #37 received at 801089-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: 801089-close@bugs.debian.org

Subject: Bug#801089: fixed in spice 0.11.0-1+deb7u2

Date: Sat, 10 Oct 2015 18:47:35 +0000

Source: spice
Source-Version: 0.11.0-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 801089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Oct 2015 17:41:09 +0200
Source: spice
Binary: spice-client libspice-server1 libspice-server-dev
Architecture: source amd64
Version: 0.11.0-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
 spice-client - Implements the client side of the SPICE protocol
Closes: 801089 801091
Changes: 
 spice (0.11.0-1+deb7u2) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add series of patches for CVE-2015-5260 and CVE-2015-6261.
     CVE-2015-5260: insufficient validation of surface_id parameter can cause
     crash. (Closes: #801089)
     CVE-2015-5261: host memory access from guest using crafted images.
     (Closes: #801091)
Checksums-Sha1: 
 492497a72f5115b0163c433d968b431f75476c49 2276 spice_0.11.0-1+deb7u2.dsc
 850c4898591e8e10474b57b0f18deeab0edb84e9 33438 spice_0.11.0-1+deb7u2.debian.tar.gz
 d702c5ab5934d37b79d07068cfdcdcfc6dfdb96e 438298 spice-client_0.11.0-1+deb7u2_amd64.deb
 cebadde632bc68f095a0948d391d353dd52096cf 376668 libspice-server1_0.11.0-1+deb7u2_amd64.deb
 d987d0cf85ab1836779a64a92b80947bbe1794d9 456838 libspice-server-dev_0.11.0-1+deb7u2_amd64.deb
Checksums-Sha256: 
 47b5f1376f7e29a71c7d67c68b0b4a1643c1076014575fa4415203ea040878bc 2276 spice_0.11.0-1+deb7u2.dsc
 615354e2a4778bcacc885d02b3cf0d85cc4eec38bf63b32dcde816c75febcf22 33438 spice_0.11.0-1+deb7u2.debian.tar.gz
 fee899722c4b557aaf1a168f973d4af0cb4d91d0778a301f2fdeb7865df87a90 438298 spice-client_0.11.0-1+deb7u2_amd64.deb
 282b9128348c5cc6c04e0f4f99cd7ddcc7d5660dbd3b252d03ca92f703b9a697 376668 libspice-server1_0.11.0-1+deb7u2_amd64.deb
 a712a1d834b7f41ad67cac894f29df432134adc55dcc8c498a1eac36c037e68e 456838 libspice-server-dev_0.11.0-1+deb7u2_amd64.deb
Files: 
 c8789994db6eb4360b5afe463d86a5fa 2276 misc optional spice_0.11.0-1+deb7u2.dsc
 6ab31f06d2fab118944cf75b40e4b665 33438 misc optional spice_0.11.0-1+deb7u2.debian.tar.gz
 dfbfe9f635aeb847b99d380247909b9b 438298 misc optional spice-client_0.11.0-1+deb7u2_amd64.deb
 1ff6d68b051bfe52a2ac280ea5a48c29 376668 libs optional libspice-server1_0.11.0-1+deb7u2_amd64.deb
 fea3f8784b179de8bef322d69d45c538 456838 libdevel optional libspice-server-dev_0.11.0-1+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWF8+SAAoJEAVMuPMTQ89E6I8P/1FV7obiUyCZwqKSOyw+BOPx
EyQAHKdGTLpLHuELlpHgvnY+pqThLyYggABr8d0muE/kaUXptdJLEoXcPM20ya8l
19w1BzqSELTM0kNxkbtKBjIYewTDHi9PUbGfxcxgakMOuUd08s77OdK5vpBJipV7
tnyEsKFdHidYJkClbicMxkq2EduGn22+p5jnzaSxVCbIdZBif9iMIX8QCgMZiFH9
GCs1x/8JTeGFFUXp5UiD21R5dJrlStUQ9BGYEA3ea5ejuDXwsBAVIAb87YFDkof3
xPYWYBLEmIbxXoKKs83VBKD37KE3eJypldL/P6QliNO8iv8XhqSz78Psd2OlZKO1
FrRSOiy04GtbLLoqSZ0jhIe93G44bpJy37UqFbvLstIufEdsDDg0wvKrxPBEhYGj
RtZlb/1BQGmGRO6s5haVjfYyTtRfO0he45JA2b5OUbF9t8KOZxlEzFhzPQLj4VbA
eKG4VrwD5alVTPu8elJAAwd24fPa6YY6mBDISybzyc+s66OvR67SQ51ok7ryJyPA
0Uhb9OlMquNkqdVuhQX2Ly0td0Wnh9tZcHWkeUA2vj4N9PGfyoL0cTwXDpnFyRwE
Mx+jhzexM9KA3pdjpGGGiLogkyQqK9yfI3TomjhTATGakoXGb46l4QAK0yGr1/RV
JWM298tQ7rGGTH17e81I
=X/1m
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.