Changelog

spice-vdagent (0.20.0-1ubuntu0.1~ubuntu20.04.1~ppa1) focal; urgency=medium

  * No-change backport to focal

spice-vdagent (0.20.0-1ubuntu0.1) groovy-security; urgency=medium

  * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash
    Table
    - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file
      transfers in src/vdagentd/vdagentd.c.
    - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled
      active_xfers allocations in src/vdagentd/vdagentd.c.
    - CVE-2020-25650
  * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via
    active_xfers Hash Map
    - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the
      client disconnects in src/vdagentd/vdagentd.c.
    - debian/patches/CVE-2020-25651-2.patch: do not allow using an already
      used file-xfer id in src/vdagentd/vdagentd.c.
    - CVE-2020-25651
  * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd
    - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent
      connections in src/udscs.c.
    - debian/patches/CVE-2020-25652-2.patch: limit number of agents per
      session to 1 in src/vdagentd/vdagentd.c.
    - CVE-2020-25652
  * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED
    is Subject to Race Condition
    - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking
      in src/vdagent-connection.c, src/vdagent-connection.h,
      src/vdagentd/vdagentd.c.
    - debian/patches/CVE-2020-25653-2.patch: better check for sessions in
      src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c,
      src/vdagentd/session-info.h, src/vdagentd/systemd-login.c,
      src/vdagentd/vdagentd.c.
    - CVE-2020-25653
  * Additional fixes:
    - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in
      src/vdagentd/vdagentd.c.

spice-vdagent (0.20.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fix race fixes between client and guest clipboard (Closes: #854936)
    - Bump libglib2.0-dev, libgtk-3-dev and libspice-protocol-dev BD
    - Drop d/p/vdagentd-Fix-session-lookup-for-new-GNOME-versions.patch,
      applied upstream
  * debian/gbp.conf: Enable pristine-tar
  * debian/control: Bump Standards-Version to 4.5.0 (no further changes)
  * debian/rules: Do not pass --as-needed to the linker, this is the default now
  * Import two patches from upstream to fix crash in containers and shutdown of
    the daemon

 -- Giacomo Tazzari <email address hidden>  Wed, 04 Nov 2020 15:18:40 +0100
