Format: 1.8
Date: Fri, 31 Aug 2018 23:52:16 +0200
Source: spice-gtk
Binary: spice-client-gtk spice-client-glib-usb-acl-helper libspice-client-glib-2.0-8
 gir1.2-spice-client-glib-2.0 libspice-client-glib-2.0-dev libspice-client-gtk-2.0-4
 gir1.2-spice-client-gtk-2.0 libspice-client-gtk-2.0-dev libspice-client-gtk-3.0-4
 gir1.2-spice-client-gtk-3.0 libspice-client-gtk-3.0-dev python-spice-client-gtk
Architecture: source amd64
Version: 0.25-1+deb8u1
Distribution: jessie-security
Urgency: medium
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description:
 gir1.2-spice-client-glib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
 gir1.2-spice-client-gtk-2.0 - GTK2 widget for SPICE clients (GObject-Introspection)
 gir1.2-spice-client-gtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
 libspice-client-glib-2.0-8 - GObject for communicating with Spice servers (runtime library)
 libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
 libspice-client-gtk-2.0-4 - GTK2 widget for SPICE clients (runtime library)
 libspice-client-gtk-2.0-dev - GTK2 widget for SPICE clients (development files)
 libspice-client-gtk-3.0-4 - GTK3 widget for SPICE clients (runtime library)
 libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
 python-spice-client-gtk - GTK2 widget for SPICE clients (Python binding)
 spice-client-glib-usb-acl-helper - Spice client glib usb acl helper
 spice-client-gtk - Simple clients for interacting with SPICE servers
Changes:
 spice-gtk (0.25-1+deb8u1) jessie-security; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2018-10873: A vulnerability was discovered in SPICE before version
     0.14.1 where the generated code used for demarshalling messages lacked
     sufficient bounds checks. A malicious client or server, after
     authentication, could send specially crafted messages to its peer which
     would result in a crash or, potentially, other impacts.
     .
     Fix: Bail out with an error if the pointer to the start of some message
     data is strictly greater than the pointer to the end of the message data.
     .
     See review comments in debian/patches/CVE-2018-10873.patch about potential
     weaknesses of this fix.
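
The start/end check described in the Changes entry, as an added C illustration; it is not taken from debian/patches/CVE-2018-10873.patch or from SPICE's generated demarshallers. It shows one way a missing comparison lets a later size check pass. The wire format and the names `validate`, `accepts_unchecked`, `accepts_checked` and `make_msg` are hypothetical, and positions are modelled as offsets rather than pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (not SPICE's): u32 offset of a u32 array, u32 element count. */
static uint32_t rd32(const uint8_t *p) {
    uint32_t v;
    memcpy(&v, p, sizeof v);   /* host byte order; sufficient for this demo */
    return v;
}

/* Positions are offsets from the message start so the unchecked variant
 * stays well-defined C; "start" and "end" stand in for the two pointers
 * named in the changelog entry. Returns 1 if the message is accepted. */
static int validate(const uint8_t *msg, size_t len, int check_start) {
    if (len < 8) return 0;
    size_t start = rd32(msg);          /* peer-controlled */
    size_t count = rd32(msg + 4);      /* peer-controlled */
    size_t end = len;

    /* The fix as described: start strictly greater than end is an error. */
    if (check_start && start > end) return 0;

    /* Without that check, end - start wraps to a huge unsigned value when
     * start > end, so the element-count check below passes. */
    size_t avail = end - start;
    if (count > avail / sizeof(uint32_t)) return 0;
    return 1;   /* a real parser would now read count elements at msg + start */
}

int accepts_unchecked(const uint8_t *msg, size_t len) { return validate(msg, len, 0); }
int accepts_checked(const uint8_t *msg, size_t len)   { return validate(msg, len, 1); }

/* Builds a 16-byte constructed message with the given header fields. */
void make_msg(uint8_t out[16], uint32_t offset, uint32_t count) {
    memset(out, 0, 16);
    memcpy(out, &offset, 4);
    memcpy(out + 4, &count, 4);
}

int main(void) {
    uint8_t m[16];
    make_msg(m, 64, 4);   /* array offset lies past the 16-byte message */
    printf("unchecked=%d checked=%d\n", accepts_unchecked(m, 16), accepts_checked(m, 16));
    return 0;
}
```

Because the comparison is strict, `start == end` with a count of zero is still accepted; only a start position past the end is rejected.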