From ${URL}:
A vulnerability was discovered in spice, in the server's protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses leading to parts of server memory being leaked or a crash.
Upstream patches on current 0.13* (aka "development") version:
https://cgit.freedesktop.org/spice/spice/commit/?id= ...
fbbcdad773e2791cfb988f4748faa41943551ca6
571cec91e71c2aae0d5f439ea2d8439d0c3d75eb
111ab38611cef5012f1565a65fa2d8a8a05cce37
Fixed in: 0.13.3-r2
Vulnerable version left in tree: 0.13.3-r1
Security, please assign rating.
Arches, please test and mark stable
=app-emulation/spice-0.13.3-r2
Keywords for app-emulation/spice:
             |                                 |   u   |
             | a a         p s   a     n r     |   n   |
             | l m   h i   p p   r m m i i s   | e u s | r
             | p d a p a p c a x m i 6 o s 3   | a s l | e
             | h 6 r p 6 p 6 r 8 6 p 8 s c 9 s | p e o | p
             | a 4 m a 4 c 4 c 6 4 s k 2 v 0 h | i d t | o
-------------+---------------------------------+-------+-------
   0.13.3-r1 | o + o o o o o o + ~ o o o o o o | 6 o 0 | gentoo
[I]0.13.3-r2 | o ~ o o o o o o ~ ~ o o o o o o | 6 o   | gentoo
        9999 | o o o o o o o o o o o o o o o o | 6 o   | gentoo
Stable on alpha.
(In reply to Tobias Klausmann from comment #2)
> Stable on alpha.
Bullshit. Amd64 stable.
x86 stable
GLSA Vote: No
@maintainer, please clean up the vulnerable version.
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=226a96538f19a77dccbb4bc5137adb8192a3af8f