Bug 753956 (CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653) - <app-emulation/spice-vdagent-0.21.0: Multiple vulnerabilities (CVE-2020-{25650,25651,25652,25653})
Summary: <app-emulation/spice-vdagent-0.21.0: Multiple vulnerabilities (CVE-2020-{2565...
Status: RESOLVED FIXED
Alias: CVE-2020-25650, CVE-2020-25651, CVE-2020-25652, CVE-2020-25653
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 823212
Blocks:
Reported: 2020-11-11 01:47 UTC by John Helmert III
Modified: 2023-06-19 03:06 UTC

See Also:
Package list:
app-emulation/spice-vdagent-0.21.0
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-11 01:47:30 UTC
Extensive documentation at $URL. Four DoS vulnerabilities, one can also result in information disclosure. No release yet, but tarball of patches is also at $URL and it appears to be the commit series on 29 October at the upstream repo: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commits/master
Comment 1 Larry the Git Cow gentoo-dev 2021-04-04 18:35:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6317607037454a8d45565920954e1811c1f39f11

commit 6317607037454a8d45565920954e1811c1f39f11
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-04-04 18:35:00 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-04-04 18:35:24 +0000

    app-emulation/spice-vdagent: drop vulnerable
    
    Bug: https://bugs.gentoo.org/753956
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/spice-vdagent/Manifest               |  1 -
 .../spice-vdagent/spice-vdagent-0.20.0.ebuild      | 62 ----------------------
 2 files changed, 63 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1201373dd0a53e02ba2fa762386adc1c25417ed1

commit 1201373dd0a53e02ba2fa762386adc1c25417ed1
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2021-04-04 18:33:11 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2021-04-04 18:35:21 +0000

    app-emulation/spice-vdagent: version bump to 0.21.0
    
    Fixes for
      CVE-2020-25650
      CVE-2020-25651
      CVE-2020-25652
      CVE-2020-25653
    
    Bug: https://bugs.gentoo.org/753956
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/spice-vdagent/Manifest               |  1 +
 .../spice-vdagent/spice-vdagent-0.21.0.ebuild      | 62 ++++++++++++++++++++++
 2 files changed, 63 insertions(+)
Comment 2 Matthias Maier gentoo-dev 2021-04-04 18:37:03 UTC
Arches, please stabilize app-emulation/spice-vdagent-0.21.0
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-11 11:11:32 UTC
amd64 done
Comment 4 Larry the Git Cow gentoo-dev 2021-04-12 16:04:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac2d1c9307a6b2082cb8de3880084295adfe8364

commit ac2d1c9307a6b2082cb8de3880084295adfe8364
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-12 16:03:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-12 16:03:19 +0000

    app-emulation/spice-vdagent: Revert "Stabilize 0.21.0 amd64, #753956"
    
    Apologies - my script chucked this into the 'success' bin after I killed the
    test for hanging. Investigating.
    
    (I am not aware of any actual runtime issues with this package, but we should
    do this to be safe.)
    
    This reverts commit 5c1fa98b7829ef8086092975d491c53c70cc14e7.
    
    Bug: https://bugs.gentoo.org/753956
    Signed-off-by: Sam James <sam@gentoo.org>

 app-emulation/spice-vdagent/spice-vdagent-0.21.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-12 02:10:54 UTC
Popping out stabilization as it's blocked anyway.
Comment 6 Larry the Git Cow gentoo-dev 2023-06-18 02:07:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae2e20389d4bae50fcad0996e6dc6ff2496cc95a

commit ae2e20389d4bae50fcad0996e6dc6ff2496cc95a
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2023-06-18 02:07:38 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2023-06-18 02:07:53 +0000

    app-emulation/spice-vdagent: drop 0.19.0-r1, 0.21.0
    
    Bug: https://bugs.gentoo.org/753956
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 app-emulation/spice-vdagent/Manifest               |  2 -
 .../spice-vdagent/spice-vdagent-0.19.0-r1.ebuild   | 63 --------------------
 .../spice-vdagent/spice-vdagent-0.21.0.ebuild      | 67 ----------------------
 3 files changed, 132 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 03:06:08 UTC
Denial of service only, no GLSA. All done.