From https://www.openwall.com/lists/oss-security/2020/10/06/10 :
Multiple buffer overflow vulnerabilities were found in the QUIC image
decoding process of the SPICE remote display system. More
specifically, these flaws reside in the spice-common shared code
between the client and server of SPICE. In other words, both the
client (spice-gtk) and server are affected by these flaws. A malicious
client or server could send specially crafted messages which could
result in a process crash or potential code execution scenario.
CVE-2020-14355 has been assigned for this flaw by Red Hat Inc.
Credit: Frediano Ziglio (Red Hat)
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The bug has been referenced in the following commit(s):
Author: Matthias Maier <firstname.lastname@example.org>
AuthorDate: 2021-04-04 18:48:42 +0000
Commit: Matthias Maier <email@example.com>
CommitDate: 2021-04-04 18:54:34 +0000
app-emulation/spice: apply security patches for CVE-2020-14355
Package-Manager: Portage-3.0.18, Repoman-3.0.3
Signed-off-by: Matthias Maier <firstname.lastname@example.org>
.../spice-0.14.3-CVE-2020-14355-404d7478.patch | 31 +++++++
.../spice-0.14.3-CVE-2020-14355-762e0aba.patch | 13 +++
.../spice-0.14.3-CVE-2020-14355-b24fe6b6.patch | 18 ++++
.../spice-0.14.3-CVE-2020-14355-ef1b6ff7.patch | 17 ++++
app-emulation/spice/spice-0.14.3-r1.ebuild | 103 +++++++++++++++++++++
5 files changed, 182 insertions(+)
Arches please stabilize.
all arches done