spice-gtk-0.35-5.el7.1, spice-0.14.0-9.el7.1

エラータID: AXSA:2020-682:05

Release date: 
Tuesday, October 13, 2020 - 08:20
Subject: 
spice-gtk-0.35-5.el7.1, spice-0.14.0-9.el7.1
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for Simple Protocol for Independent Computing Environments (SPICE) clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol.

Security Fix(es):

* spice: multiple buffer overflow vulnerabilities in QUIC decoding code (CVE-2020-14355)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-14355
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

Solution: 

Update packages.

CVEs: 
CVE-2020-14355
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.
Additional Info: 

N/A

Download: 

SRPMS
  1. spice-gtk-0.35-5.el7.1.src.rpm
    MD5: d0bc6e2ffbf45320ce03574135789921
    SHA-256: d10eab1b995fac8a69ab7e879a64b796e39f3642afbff07302db374f47b49b07
    Size: 1.40 MB
  2. spice-0.14.0-9.el7.1.src.rpm
    MD5: d676f9eae62fb31ef544031c3bb9f0ed
    SHA-256: 0892df8a20bdb0557bb1dcc25c2ffd03c3803819cabe214eebb68f4dea318f72
    Size: 1.33 MB

Asianux Server 7 for x86_64
  1. spice-glib-0.35-5.el7.1.x86_64.rpm
    MD5: 849a82270376f76cff8d721fe9bd05d7
    SHA-256: 6089012df1546fffc496203e82b9405a96778771a0cedd31d54ab5fc4d61be53
    Size: 355.93 kB
  2. spice-gtk3-0.35-5.el7.1.x86_64.rpm
    MD5: 54ff9608a1f089aaa097fa4ecaf7c4a3
    SHA-256: 6b1e7070631fed34194213d92c958b2861f207098c0b69dd2796a3ef7a34a69a
    Size: 86.57 kB
  3. spice-server-0.14.0-9.el7.1.x86_64.rpm
    MD5: 4257c2cc7851e569607c6593ea5d5c00
    SHA-256: 191e6ac93f83690300bc6159fc9db22aa088e5c504785f5a7e64e82db03d8000
    Size: 403.43 kB
  4. spice-glib-0.35-5.el7.1.i686.rpm
    MD5: 6efcb2f4222e83bf922ea719bc28d182
    SHA-256: 4b0375796a2f36e49f8d1e67b862e1a2d0ad2cf1e8384e791ee1625e6db00142
    Size: 354.61 kB
  5. spice-gtk3-0.35-5.el7.1.i686.rpm
    MD5: 0d6c0319dfce92fd0a1a4668507adb59
    SHA-256: df4b21de73ab4b38bf2224172af04c63f1bf32624e38136763c4b06a8ecf6c2a
    Size: 85.91 kB
  6. spice-glib-0.35-5.el7.1.i686.rpm
    MD5: 6efcb2f4222e83bf922ea719bc28d182
    SHA-256: 4b0375796a2f36e49f8d1e67b862e1a2d0ad2cf1e8384e791ee1625e6db00142
    Size: 354.61 kB
  7. spice-gtk3-0.35-5.el7.1.i686.rpm
    MD5: 0d6c0319dfce92fd0a1a4668507adb59
    SHA-256: df4b21de73ab4b38bf2224172af04c63f1bf32624e38136763c4b06a8ecf6c2a
    Size: 85.91 kB