diff -Nru spice-0.14.0/debian/changelog spice-0.14.0/debian/changelog
--- spice-0.14.0/debian/changelog 2018-05-22 17:33:20.000000000 +0000
+++ spice-0.14.0/debian/changelog 2018-08-20 18:44:02.000000000 +0000
@@ -1,3 +1,12 @@
+spice (0.14.0-1ubuntu2.2) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2018-10873.patch: fix in
+ spice-common/python_modules/demarshal.py,
+ - CVE-2018-10873
+
+ -- Leonidas S. Barbosa Mon, 20 Aug 2018 15:44:02 -0300
+
 spice (0.14.0-1ubuntu2.1) bionic-security; urgency=medium

 * SECURITY UPDATE: Integer overflow and buffer overflow
diff -Nru spice-0.14.0/debian/patches/CVE-2018-10873.patch spice-0.14.0/debian/patches/CVE-2018-10873.patch
--- spice-0.14.0/debian/patches/CVE-2018-10873.patch 1970-01-01 00:00:00.000000000 +0000
+++ spice-0.14.0/debian/patches/CVE-2018-10873.patch 2018-08-20 18:44:02.000000000 +0000
@@ -0,0 +1,28 @@
+Backported of:
+
+From bb15d4815ab586b4c4a20f4a565970a44824c42c Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Fri, 18 May 2018 11:41:57 +0100
+Subject: [PATCH] Fix flexible array buffer overflow
+
+This is kind of a DoS, possibly flexible array in the protocol
+causes the network size check to be ignored due to integer overflows.
+
+The size of flexible array is computed as (message_end - position),
+then this size is added to the number of bytes before the array and
+this number is used to check if we overflow initial message.
+
+Signed-off-by: Frediano Ziglio
+Signed-off-by: Christophe Fergeau
+diff --git a/spice-common/python_modules/demarshal.py b/spice-common/python_modules/demarshal.py
+index 01bc743..8e5c3fc 100644
+--- a/spice-common/python_modules/demarshal.py
++++ b/spice-common/python_modules/demarshal.py
+@@ -318,6 +318,7 @@ def write_validate_array_item(writer, container, item, scope, parent_scope, star
+ writer.assign(nelements, array.size)
+ elif array.is_remaining_length():
+ if element_type.is_fixed_nw_size():
++ writer.error_check("%s > message_end" % item.get_position())
+ if element_type.get_fixed_nw_size() == 1:
+ writer.assign(nelements, "message_end - %s" % item.get_position())
+ else:
diff -Nru spice-0.14.0/debian/patches/series spice-0.14.0/debian/patches/series
--- spice-0.14.0/debian/patches/series 2018-05-22 17:33:20.000000000 +0000
+++ spice-0.14.0/debian/patches/series 2018-08-20 18:44:02.000000000 +0000
@@ -1,3 +1,4 @@
 CVE-2017-12194-1.patch
 CVE-2017-12194-2.patch
 CVE-2017-12194-3.patch
+CVE-2018-10873.patch
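Review bot: In the `debian/patches/CVE-2018-10873.patch` hunk, the added `writer.error_check("%s > message_end" % item.get_position())` is the only guard emitted before `message_end - position` is assigned to `nelements`, and nothing in the generator says why it has to come first. A one-line comment above it, such as `# position past message_end would make the remaining-length size below negative and defeat the later size check`, would keep a later refactor from moving or dropping it. The guard sits inside the `is_fixed_nw_size()` branch, so whether the other path of `is_remaining_length()` needs an equivalent check cannot be judged from here, because `write_validate_array_item` starts and ends outside the hunk. The backported patch touches only `demarshal.py` and carries no test, so it is worth confirming that the regenerated demarshallers reject a message whose flexible array starts beyond `message_end`.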