Vulnerability CVE-2020-14355: Information
Description
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
Severity: MEDIUM (6.6) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| SPICE | sisyphus | 0.14.2-alt1 | 0.15.2-alt3 | ALT-PU-2019-1972-1 | 231199 | Fixed |
| SPICE | p10 | 0.14.2-alt1 | 0.15.0-alt1 | ALT-PU-2019-1972-1 | 231199 | Fixed |
| SPICE | p9 | 0.14.2-alt1 | 0.15.0-alt1 | ALT-PU-2019-1989-1 | 231442 | Fixed |
| SPICE | c10f1 | 0.14.2-alt1 | 0.15.0-alt1 | ALT-PU-2019-1972-1 | 231199 | Fixed |
| SPICE | c9f2 | 0.15.0-alt1 | 0.15.0-alt1 | ALT-PU-2021-1963-1 | 273330 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1868435 |
|
| https://www.openwall.com/lists/oss-security/2020/10/06/10 |
|
| DSA-4771 |
|
| USN-4572-1 |
|
| USN-4572-2 |
|
| openSUSE-SU-2020:1803 |
|
| [debian-lts-announce] 20201101 [SECURITY] [DLA 2428-1] spice-gtk security update |
|
| openSUSE-SU-2020:1802 |
|
| [debian-lts-announce] 20201101 [SECURITY] [DLA 2427-1] spice security update |
|