Mageia alert MGASA-2017-0239 (spice)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2017-0239: Updated spice packages fix security vulnerability 
Date:
    	     
 
Thu, 3 Aug 2017 21:06:24 +0200
Message-ID:
    	     
 
<20170803190624.E70E69F875@duvel.mageia.org>
MGASA-2017-0239 - Updated spice packages fix security vulnerability

Publication date: 03 Aug 2017
URL: http://advisories.mageia.org/MGASA-2017-0239.html
Type: security
Affected Mageia releases: 5, 6
CVE: CVE-2017-7506

Description:
A vulnerability was discovered in spice, in the server's protocol handling. An
authenticated attacker could send specially crafted messages to the spice
server, causing out-of-bounds memory accesses leading to parts of server memory
being leaked or a crash (CVE-2017-7506).

The Mageia 5 package has been patched to fix this issue.  The Mageia 6 package
has been updated to version 0.13.90, containing fixes for this and several other
issues.

References:
- https://bugs.mageia.org/show_bug.cgi?id=21230
- https://cgit.freedesktop.org/spice/spice/tree/NEWS?id=34d...
- https://bugzilla.redhat.com/show_bug.cgi?id=1452606
- https://www.debian.org/security/2017/dsa-3907
- https://lists.opensuse.org/opensuse-security-announce/201...
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7506

SRPMS:
- 6/core/spice-0.13.90-1.mga6
- 6/core/spice-protocol-0.12.13-1.mga6
- 5/core/spice-0.12.5-2.5.mga5