Debian Bug report logs - #728314
spice: CVE-2013-4282: stack buffer overflow in reds_handle_ticket() function

version graph

Package: spice; Maintainer for spice is Liang Guo <guoliang@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 30 Oct 2013 15:00:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version 0.11.0-1

Fixed in versions spice/0.12.4-0nocelt2, spice/0.11.0-1+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>:
Bug#728314; Package spice. (Wed, 30 Oct 2013 15:00:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Liang Guo <guoliang@debian.org>. (Wed, 30 Oct 2013 15:00:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: spice: CVE-2013-4282: stack buffer overflow in reds_handle_ticket() function
Date: Wed, 30 Oct 2013 15:57:59 +0100
Package: spice
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for spice.

CVE-2013-4282[0]:
stack buffer overflow in reds_handle_ticket() function

Upstream commit can be found in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4282
    http://security-tracker.debian.org/tracker/CVE-2013-4282
[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4282
[2] http://cgit.freedesktop.org/spice/spice/commit/?id=8af619009660b24e0b41ad26b30289eea288fcc2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Liang Guo <guoliang@debian.org>:
You have taken responsibility. (Fri, 08 Nov 2013 16:09:05 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 08 Nov 2013 16:09:05 GMT) Full text and rfc822 format available.

Message #10 received at 728314-close@bugs.debian.org (full text, mbox):

From: Liang Guo <guoliang@debian.org>
To: 728314-close@bugs.debian.org
Subject: Bug#728314: fixed in spice 0.12.4-0nocelt2
Date: Fri, 08 Nov 2013 16:04:13 +0000
Source: spice
Source-Version: 0.12.4-0nocelt2

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Liang Guo <guoliang@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 07 Nov 2013 22:44:29 +0800
Source: spice
Binary: spice-client libspice-server1 libspice-server-dev
Architecture: source amd64
Version: 0.12.4-0nocelt2
Distribution: unstable
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Liang Guo <guoliang@debian.org>
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
 spice-client - Implements the client side of the SPICE protocol
Closes: 728314
Changes: 
 spice (0.12.4-0nocelt2) unstable; urgency=high
 .
   * Fix CVE-2013-4282 (Closes: #728314)
Checksums-Sha1: 
 0853a37408f87bbcdd0f9601fd12b62f5b648346 2236 spice_0.12.4-0nocelt2.dsc
 0e33122545037e8f270a7a4e1ddeee0cecae5254 22964 spice_0.12.4-0nocelt2.debian.tar.gz
 e0db2dad4cb9a0f8bc8a517b907ceb770123be2e 466622 spice-client_0.12.4-0nocelt2_amd64.deb
 544308b8c3d6cdb873d43ac00918e894b2de92dd 446620 libspice-server1_0.12.4-0nocelt2_amd64.deb
 c3cd06a4bec9efcbf1ff2dbf9e8bb462b21d896d 480430 libspice-server-dev_0.12.4-0nocelt2_amd64.deb
Checksums-Sha256: 
 f31c977fca864673e05674e9f9d8c1ed961ff9fd0aef96c0d599c457cd06c136 2236 spice_0.12.4-0nocelt2.dsc
 6c98a2a55149fd92ac6009669bbac72cac92c3d854d0db3398d8ba0abec609af 22964 spice_0.12.4-0nocelt2.debian.tar.gz
 d7d2a08304b6fff99f3f968eb63b189ac3b0022f0922b0120160d3de3eaee305 466622 spice-client_0.12.4-0nocelt2_amd64.deb
 3b8451381bb1397dcd7135a04beec2817290c86b27924bb31bc7a9fdad7fa715 446620 libspice-server1_0.12.4-0nocelt2_amd64.deb
 9bc2b4b558c47db7ec0eff77e4a1dce4a83a3419bdc6aae7e0d9644dd2138de1 480430 libspice-server-dev_0.12.4-0nocelt2_amd64.deb
Files: 
 879af74e742e2e5fb1972dce713c953c 2236 misc optional spice_0.12.4-0nocelt2.dsc
 1363e4d485fb6f987ff5af6d35738c5e 22964 misc optional spice_0.12.4-0nocelt2.debian.tar.gz
 bcb760c965e2dd45c18234bac6a9ce98 466622 misc optional spice-client_0.12.4-0nocelt2_amd64.deb
 880e3da6b8890e357f621fbae4bb47f5 446620 libs optional libspice-server1_0.12.4-0nocelt2_amd64.deb
 ccba0244e71267decf26beb0b9fe2fe3 480430 libdevel optional libspice-server-dev_0.12.4-0nocelt2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCAAGBQJSfQlfAAoJEIK1tAhowJe8ts4P/1DyzKbyS3DVyV2ySKdB6RRK
o3nxWPETGPMZ2gWA9uJSGgwJeZa6R/oy/vUWvWQ17dKjO46HVngaGAoNnyHwqBh6
UN9mdNtTJw3i9D+WdHqLLmuPyNdKhp/mOCOQ/w7vpunT1tGAB0q1JCg/adgaOtMj
kes+IQ6m8qeRc7dSa1Khx2uJmQiJT/rc4dXS7NUmu2gZum9OFVmarsNYTN2fO2ob
WXXWKpg9bu0QhHp1wNaKDGBhFZu9FLo5Na7rmqQLx/489kVE6QUo0ZOyHytKNKvd
u3T+jlfXVEL7pxBZQXOi5Rn7xvM48zWsFOdi3UC7S747dEZvGMybZup3vDu+YzsZ
mRWnTew4DNU9OTxcy/HTNLvT2tyXfclLLaYlE+mwOF67mRyHazXjI0psApNODdm5
Lc9scdVCZVL5x4G1OOjrEtMJPjFm2aOmm6PhQxBcXcCWqEqgWc9B3+Ov7uLOjlE6
phvK2fbQH55rEc4M61EkaviM1/XRMfH38hQezNYK0SOmONvW1e3DJn+f/DzwT1g7
pxljbU+Zt/xu6nBC8DvCaAMaR2DsLfeQ8reVPUt8R/bVjrzoRBoksZmJr4W1QKJ0
b2rA76BYU5IE2TU3IqDLGbHxeU1vx239HKRR1pIyapeIrRxiH1CnCuvUeRpEplcy
xgKPFWZPlmVTeLK8msaC
=vlaJ
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Liang Guo <guoliang@debian.org>:
Bug#728314; Package spice. (Fri, 03 Jan 2014 21:09:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Liang Guo <guoliang@debian.org>. (Fri, 03 Jan 2014 21:09:08 GMT) Full text and rfc822 format available.

Message #15 received at 728314@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 717030@bugs.debian.org, 728314@bugs.debian.org
Subject: preliminariy (backported) patches for CVE-2013-4130 and CVE-2013-4282
Date: Fri, 3 Jan 2014 22:07:05 +0100
[Message part 1 (text/plain, inline)]
Hi

Attached is a preliminary (not yet tested) debdiff, with backported
patches for CVE-2013-4130 and CVE-2013-4282 to wheezy.

Regards,
Salvatore
[spice_0.11.0-1+deb7u1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Marked as found in versions 0.11.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 03 Jan 2014 21:39:06 GMT) Full text and rfc822 format available.

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 12 Jan 2014 21:21:55 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Jan 2014 21:21:55 GMT) Full text and rfc822 format available.

Message #22 received at 728314-close@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 728314-close@bugs.debian.org
Subject: Bug#728314: fixed in spice 0.11.0-1+deb7u1
Date: Sun, 12 Jan 2014 21:18:18 +0000
Source: spice
Source-Version: 0.11.0-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
spice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 728314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated spice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Jan 2014 17:52:06 +0100
Source: spice
Binary: spice-client libspice-server1 libspice-server-dev
Architecture: source amd64
Version: 0.11.0-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 libspice-server-dev - Header files and development documentation for spice-server
 libspice-server1 - Implements the server side of the SPICE protocol
 spice-client - Implements the client side of the SPICE protocol
Closes: 717030 728314
Changes: 
 spice (0.11.0-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2013-4130.patch patch.
     CVE-2013-4130: unsafe clients ring access abort. An user able to
     initiate spice connection to the guest could use this flaw to crash the
     guest. (Closes: #717030)
   * Add CVE-2013-4282.patch patch.
     CVE-2013-4282: Fix buffer overflow when decrypting client SPICE ticket.
     A remote user able to initiate a SPICE connection to an application
     acting as a SPICE server could use this flaw to crash the application.
     (Closes: #728314)
Checksums-Sha1: 
 761c8f2e9f1758b9f161f65589b1afb4f34b7aa4 2293 spice_0.11.0-1+deb7u1.dsc
 889f96c26645b6cb050ddb0e3828a13ac29affe7 1442150 spice_0.11.0.orig.tar.bz2
 aa5350fae2e61b6770929fce929b223249962bc0 21976 spice_0.11.0-1+deb7u1.debian.tar.gz
 c40ce9de81192e42637609a5482eeebd741b1c6b 438090 spice-client_0.11.0-1+deb7u1_amd64.deb
 37dadf12d16cae7f381a57688643d1667581e3b8 376264 libspice-server1_0.11.0-1+deb7u1_amd64.deb
 bcbedcaa73a5737412c4161a20eddb44710bfba0 455444 libspice-server-dev_0.11.0-1+deb7u1_amd64.deb
Checksums-Sha256: 
 64a589c624c15e6151d79395fe1d3d390e5a7cf8906d4c1f45fac2567197f348 2293 spice_0.11.0-1+deb7u1.dsc
 7c906ffe9723a781fbbde5a97d9693f720dd58923b91a574af7edb60120c56a5 1442150 spice_0.11.0.orig.tar.bz2
 05aed9c7bb96e1d39be76d69c97c61620399b9bb0fb58da6bebfe983b26e7f1e 21976 spice_0.11.0-1+deb7u1.debian.tar.gz
 c0322a592508478806b634862e490b71e492a878187a4ffb491489d5c8339235 438090 spice-client_0.11.0-1+deb7u1_amd64.deb
 704648e0b4c669d434e7bff59537d562e003368afb18784588af4326e8c2ff3e 376264 libspice-server1_0.11.0-1+deb7u1_amd64.deb
 b926e96c5457069f969024f1781c7018906367c5490bb3cf2c4eec2abee5802e 455444 libspice-server-dev_0.11.0-1+deb7u1_amd64.deb
Files: 
 67dc44a3a5bdcebca774bad24040d75a 2293 misc optional spice_0.11.0-1+deb7u1.dsc
 1d36b7bba386caeb7f65a5d986c78070 1442150 misc optional spice_0.11.0.orig.tar.bz2
 b558c875d893e48886ec52f11b0cc843 21976 misc optional spice_0.11.0-1+deb7u1.debian.tar.gz
 e6578df68daea002f50cd66916d0cd9d 438090 misc optional spice-client_0.11.0-1+deb7u1_amd64.deb
 92f6d4850ad05e55b6efb929d92bd5c3 376264 libs optional libspice-server1_0.11.0-1+deb7u1_amd64.deb
 d2e36a0f017c21987aa01e437fb4d9ee 455444 libdevel optional libspice-server-dev_0.11.0-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBCgAGBQJSyXU6AAoJEAVMuPMTQ89Eyl8P/2gLryVZySlMJpvKgAaMSLQM
pccHcOqok95W/QQouWR94k9Vo1jyea50yCkzrjfB3WDz7N02ePMENuxmJvf3M2uk
hRJ+eLdJpbHsa/eVlpy2PfiHsWkxKfdF40I8T0fXEpXsiAZn8g9bEeqsSMdItlSB
4967sFtt7r944EDhw0jwVB/lJamwZApaRcS9btxaSDt0Y8aITDRXwOUhzVguX/R5
JCQ50L3HHwcp/HxrZVItTvkmpQVG5X1WT6sMJ1XiqWg6T4LBdgjAUxRpCGKvBWJF
18uRwhU1oZpFwHSbYfENouGO0kMhgvDmWcSi92tOeoYlm39AEESqjRXCNkOQYRgH
KVOAwH57vBXfiEdivmaXwnPP2F9zOK5aMjRWadQVLEPFF1v7AFx4E70Ip497MzoJ
in8Q8IsvZBmPzm3ORiJh/UBvR6l9GBCtc5ue/wqUpcfZq7PW8yg6R4sN43stk2BX
FQV39C/xCZtdfVGSeaHj2YJDcfn7cw6RdweO6iHp4ysT30v4xw4Zft3QHviR8HG3
zUiN1aqxFmkU4NETHS8yIyac3n+3Pn5UlZuXfs54WTjRz8OiD8ezYbXAz5/DLW40
04lTYNmLfBl/uA4ccnTQC0fCbTZlLxtmdEnn/kNgTzSUuL7eoqsG4eu14OvtAejw
vF34Gzj7hZlhW3NIc4e7
=pH/i
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 10 Feb 2014 07:26:49 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:11:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.