Processed: spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Debian Bug Tracking System
2018-08-17 03:00:01 UTC
clone -1 -2
Bug #906315 [src:spice] spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Bug 906315 cloned as bug 906316
reassign -2 src:spice-gtk 0.34-1.1
Bug #906316 [src:spice] spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Bug reassigned from package 'src:spice' to 'src:spice-gtk'.
No longer marked as found in versions spice/0.14.0-1.
Ignoring request to alter fixed versions of bug #906316 to the same values previously set
Bug #906316 [src:spice-gtk] spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Marked as found in versions spice-gtk/0.34-1.1.
retitle -2 spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Bug #906316 [src:spice-gtk] spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Changed Bug title to 'spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service' from 'spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service'.
--
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
906316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2018-08-17 08:10:02 UTC
Hi,
|Missing check in demarshal.py:write_validate_array_item() allows for
|buffer overflow and denial of service
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
[0] https://security-tracker.debian.org/tracker/CVE-2018-10873
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10873
[1] http://www.openwall.com/lists/oss-security/2018/08/17/1
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1596008
[3] https://gitlab.freedesktop.org/spice/spice-common/commit/bb15d4815ab586b4c4a20f4a565970a44824c42c
FTR, please see the followup from Florian in
http://www.openwall.com/lists/oss-security/2018/08/17/2 as well.

Regards,
Salvatore
Debian Bug Tracking System
2018-09-05 07:10:02 UTC
Your message dated Wed, 05 Sep 2018 07:04:51 +0000
with message-id <E1fxRrv-000Cbs-***@fasolo.debian.org>
and subject line Bug#906316: fixed in spice-gtk 0.35-1
has caused the Debian Bug report #906316,
regarding spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
906316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316
Debian Bug Tracking System
2018-10-06 20:20:01 UTC
tags 906315 + pending
Bug #906315 [src:spice] spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
Added tag(s) pending.
--
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
Salvatore Bonaccorso
2018-10-06 20:20:01 UTC
Control: tags 906315 + pending


Dear maintainer,

I've prepared an NMU for spice (versioned as 0.14.0-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
Debian Bug Tracking System
2018-10-08 21:10:02 UTC
Your message dated Mon, 08 Oct 2018 20:59:12 +0000
with message-id <E1g9ccS-000El4-***@fasolo.debian.org>
and subject line Bug#906315: fixed in spice 0.14.0-1.1
has caused the Debian Bug report #906315,
regarding spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.

--
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
Debian Bug Tracking System
2018-10-20 09:50:04 UTC
Your message dated Sat, 20 Oct 2018 09:48:23 +0000
with message-id <E1gDnrr-000FNX-***@fasolo.debian.org>
and subject line Bug#906315: fixed in spice 0.12.8-2.1+deb9u2
has caused the Debian Bug report #906315,
regarding spice: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.

--
906315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906315
Debian Bug Tracking System
2018-10-27 21:20:01 UTC
Your message dated Sat, 27 Oct 2018 21:11:34 +0000
with message-id <E1gGVrq-000D2a-***@fasolo.debian.org>
and subject line Bug#906316: fixed in spice-gtk 0.33-3.3+deb9u1
has caused the Debian Bug report #906316,
regarding spice-gtk: CVE-2018-10873: Missing check in demarshal.py:write_validate_array_item() allows for buffer overflow and denial of service
to be marked as done.

--
906316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906316