[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#855258: unblock: spice/0.12.8-2.1

Control: tags -1 moreinfo

On 16/02/17 06:06, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package spice
> 
> It fixes two CVEs, CVE-2016-9577 CVE-2016-9578, reported by Moritz as
> #854336. Markus Kschany fixed it as:
> 
> +spice (0.12.8-2.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Add CVE-2016-9577-and-CVE-2016-9578.patch:
> +    - CVE-2016-9577: A buffer overflow vulnerability in
> +      main_channel_alloc_msg_rcv_buf was found that occurs when reading large
> +      messages due to missing buffer size check.
> +    - CVE-2016-9578: A vulnerability was discovered in the server's
> +      protocol handling. An attacker able to connect to the spice server could
> +      send crafted messages which would cause the process to crash.
> +      (Closes: #854336)
> +
> + -- Markus Koschany <apo@debian.org>  Mon, 13 Feb 2017 21:42:01 +0100
> 
> Attached the resulting debdiff from the version in testing.
> 
> unblock spice/0.12.8-2.1

That failed to build on mips(64)el:

https://buildd.debian.org/status/package.php?p=spice

Cheers,
Emilio
Reply to: