Debian 10228 Published by

A spice-vdagent security update has been released for Debian GNU/Linux 9 LTS to address several vulnerabilities.



DLA 2524-1: spice-vdagent security update


-------------------------------------------------------------------------
Debian LTS Advisory DLA-2524-1 debian-lts@lists.debian.org
  https://www.debian.org/lts/security/ Abhijith PA
January 13, 2021   https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : spice-vdagent
Version : 0.17.0-1+deb9u1
CVE ID : CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652
CVE-2020-25653
Debian Bug : 883238 973769

Several vulnerabilities were discovered in spice-vdagent, a spice
guest agent for enchancing SPICE integeration and experience.

CVE-2017-15108

spice-vdagent does not properly escape save directory before
passing to shell, allowing local attacker with access to the
session the agent runs in to inject arbitrary commands to be
executed.

CVE-2020-25650

A flaw was found in the way the spice-vdagentd daemon handled file
transfers from the host system to the virtual machine. Any
unprivileged local guest user with access to the UNIX domain
socket path `/run/spice-vdagentd/spice-vdagent-sock` could use
this flaw to perform a memory denial of service for spice-vdagentd
or even other processes in the VM system. The highest threat from
this vulnerability is to system availability. This flaw affects
spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

A flaw was found in the SPICE file transfer protocol. File data
from the host system can end up in full or in parts in the client
connection of an illegitimate local user in the VM system. Active
file transfers from other users could also be interrupted,
resulting in a denial of service. The highest threat from this
vulnerability is to data confidentiality as well as system
availability.

CVE-2020-25652

A flaw was found in the spice-vdagentd daemon, where it did not
properly handle client connections that can be established via the
UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`.
Any unprivileged local guest user could use this flaw to prevent
legitimate agents from connecting to the spice-vdagentd daemon,
resulting in a denial of service. The highest threat from this
vulnerability is to system availability.

CVE-2020-25653

A race condition vulnerability was found in the way the
spice-vdagentd daemon handled new client connections. This flaw
may allow an unprivileged local guest user to become the active
agent for spice-vdagentd, possibly resulting in a denial of
service or information leakage from the host. The highest threat
from this vulnerability is to data confidentiality as well as
system availability.

For Debian 9 stretch, these problems have been fixed in version
0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to
its security tracker page at:
  https://security-tracker.debian.org/tracker/spice-vdagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at:   https://wiki.debian.org/LTS