Format: 1.8
Date: Thu, 03 Dec 2020 21:37:35 +0200
Source: spice-vdagent
Architecture: source
Version: 0.20.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 973769
Changes:
 spice-vdagent (0.20.0-2) unstable; urgency=medium
 .
   * QA upload.
   * Set Maintainer to Debian QA Group. (see #911430)
   * Add changes from Ubuntu:
   * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash
     Table
     - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file
       transfers in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled
       active_xfers allocations in src/vdagentd/vdagentd.c.
     - CVE-2020-25650
   * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via
     active_xfers Hash Map
     - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the
       client disconnects in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25651-2.patch: do not allow using an already
       used file-xfer id in src/vdagentd/vdagentd.c.
     - CVE-2020-25651
   * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd
     - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent
       connections in src/udscs.c.
     - debian/patches/CVE-2020-25652-2.patch: limit number of agents per
       session to 1 in src/vdagentd/vdagentd.c.
     - CVE-2020-25652
   * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED
     is Subject to Race Condition
     - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking
       in src/vdagent-connection.c, src/vdagent-connection.h,
       src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25653-2.patch: better check for sessions in
       src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c,
       src/vdagentd/session-info.h, src/vdagentd/systemd-login.c,
       src/vdagentd/vdagentd.c.
     - CVE-2020-25653
   * Additional fixes:
     - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in
       src/vdagentd/vdagentd.c. (Closes: #973769)