Change logs for spice source package in Xenial

  • spice (0.12.6-4ubuntu0.4) xenial-security; urgency=medium
    
      * SECURITY UPDATE: off-by-one error in memslot_get_virt
        - debian/patches/CVE-2019-3813.patch: fix checks in
          server/red_memslots.c.
        - CVE-2019-3813
    
     -- Marc Deslauriers <email address hidden>  Thu, 24 Jan 2019 09:45:07 -0500
  • spice (0.12.6-4ubuntu0.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: buffer overflow via invalid monitor configurations
        - debian/patches/CVE-2017-7506-1.patch: disconnect when receiving
          overly big ClientMonitorsConfig in server/reds.c.
        - debian/patches/CVE-2017-7506-2.patch: avoid integer overflows
          handling monitor configuration in server/reds.c.
        - debian/patches/CVE-2017-7506-3.patch: avoid buffer overflows handling
          monitor configuration in server/reds.c.
        - CVE-2017-7506
    
     -- Marc Deslauriers <email address hidden>  Tue, 18 Jul 2017 13:34:33 -0400
  • spice (0.12.6-4ubuntu0.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: overflow when reading large messages
        - debian/patches/CVE-2016-9577.patch: check size in
          server/main_channel.c.
        - CVE-2016-9577
      * SECURITY UPDATE: DoS via crafted message
        - debian/patches/CVE-2016-9578-1.patch: limit size in server/reds.c.
        - debian/patches/CVE-2016-9578-2.patch: limit caps in server/reds.c.
        - CVE-2016-9578
    
     -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2017 14:02:33 -0500
  • spice (0.12.6-4ubuntu0.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and possible code execution via
        memory allocation flaw in smartcard interaction
        - debian/patches/CVE-2016-0749/*.patch: add a ref to item and allocate
          msg with the expected size in server/smartcard.c.
        - CVE-2016-0749
      * SECURITY UPDATE: host memory access from guest with invalid primary
        surface parameters
        - debian/patches/CVE-2016-2150/*.patch: create a function to validate
          surface parameters in server/red_parse_qxl.*, improve primary surface
          parameter checks in server/red_worker.c.
        - CVE-2016-2150
    
     -- Marc Deslauriers <email address hidden>  Fri, 10 Jun 2016 10:12:39 -0400
  • spice (0.12.6-4) unstable; urgency=medium
    
      * stop depending libspice-server-dev on libcacard-dev (#802413).
        Instead, remove mention of libcacard from the .pc file, as it
        is not actually used when building with libspice-server.
      * remove Requires.private defs from .pc file -- we're not building static
        libs, but if Requires.private is present, pkg-config requires the other
        .pc files to be present too, which is wrong (Closes: #803926)
    
     -- Michael Tokarev <email address hidden>  Fri, 06 Nov 2015 10:43:55 +0300
  • spice (0.12.5-1.1ubuntu2) wily; urgency=medium
    
      * SECURITY UPDATE: multiple security issues
        - debian/patches/CVE-2015-526x/*.patch: apply series of patches from
          Red Hat to fix overflows, race conditions, memory leaks and denial of
          service issues.
        - CVE-2015-5260
        - CVE-2015-5261
    
     -- Marc Deslauriers <email address hidden>  Mon, 19 Oct 2015 12:29:46 -0400