FS#68531 - [spice-vdagent] CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 CVE-2020-25653

Attached to Project: Community Packages
Opened by loqs (loqs) - Wednesday, 04 November 2020, 23:52 GMT
Last edited by Balló György (City-busz) - Sunday, 14 March 2021, 16:29 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Balló György (City-busz)
Levente Polyak (anthraxx)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
CVE-2020-25650
Memory DoS via Arbitrary Entries in active_xfers Hash Table. Fixed by [2] [3]

CVE-2020-25651
Possible File Transfer DoS and Information Leak via active_xfers Hash Map. Fixed by [8] [9]

CVE-2020-25652
Possibility to Exhaust File Descriptors in vdagentd. Fixed by [4] [7].

CVE-2020-25653
UNIX Doman Socket Peer PID Retrieved via SO_PEERCRED is Subject to Race Condition [5] [6]

As the backports from Ubuntu [10] do not apply cleanly, I would suggest moving the commit to [11], cuurent master [12] adds a test that fails on this system.
This would require spice-protocol being updated to 0.14.3.

Additional info:
* spice-vdagent 0.20.0+6+g8adf50d-1
[1] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/ce144335ff45b16be2241c45a683cc01e0f50558 CVE-2020-2565x-1.patch
[2] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/1a8b93ca6ac0b690339ab7f0afc6fc45d198d332 CVE-2020-25650-1.patch
[3] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/9d35d8a86fb310fc1f29d428c0a96995948d2357 CVE-2020-25650-2.patch
[4] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/91caa9223857708475d29df1768208fed1675340 CVE-2020-25652-1.patch
[5] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/51c415df82a52e9ec033225783c77df95f387891 CVE-2020-25653-1.patch
[6] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/5c50131797e985d0a5654c1fd7000ae945ed29a7 CVE-2020-25653-2.patch
[7] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/812ca777469a377c84b9861d7d326bfc72563304 CVE-2020-25652-2.patch
[8] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/e4bfd1b632b6c14e8411dbe3565115a78cd3d256 CVE-2020-25651-1.patch
[9] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/b7db1c20c9f80154fb54392eb44add3486d3e427 CVE-2020-25651-2.patch
[10] https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/spice-vdagent/0.20.0-1ubuntu0.1/spice-vdagent_0.20.0-1ubuntu0.1.debian.tar.xz
[11] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/b7db1c20c9f80154fb54392eb44add3486d3e427
[12] https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/5094d5cfe66748dffcca8529745f8b3c76195d7a
This task depends upon

Closed by  Balló György (City-busz)
Sunday, 14 March 2021, 16:29 GMT
Reason for closing:  Fixed
Additional comments about closing:  spice-vdagent 0.21.0-1

Loading...