Format: 1.8
Date: Thu, 29 Oct 2020 13:53:06 -0400
Source: spice-vdagent
Binary: spice-vdagent
Architecture: amd64
Version: 0.20.0-1ubuntu0.1
Distribution: groovy
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 spice-vdagent - Spice agent for Linux
Changes:
 spice-vdagent (0.20.0-1ubuntu0.1) groovy-security; urgency=medium
 .
   * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash
     Table
     - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file
       transfers in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled
       active_xfers allocations in src/vdagentd/vdagentd.c.
     - CVE-2020-25650
   * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via
     active_xfers Hash Map
     - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the
       client disconnects in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25651-2.patch: do not allow using an already
       used file-xfer id in src/vdagentd/vdagentd.c.
     - CVE-2020-25651
   * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd
     - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent
       connections in src/udscs.c.
     - debian/patches/CVE-2020-25652-2.patch: limit number of agents per
       session to 1 in src/vdagentd/vdagentd.c.
     - CVE-2020-25652
   * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED
     is Subject to Race Condition
     - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking
       in src/vdagent-connection.c, src/vdagent-connection.h,
       src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25653-2.patch: better check for sessions in
       src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c,
       src/vdagentd/session-info.h, src/vdagentd/systemd-login.c,
       src/vdagentd/vdagentd.c.
     - CVE-2020-25653
   * Additional fixes:
     - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in
       src/vdagentd/vdagentd.c.
Original-Maintainer: Liang Guo