Format: 1.8
Date: Thu, 29 Oct 2020 13:53:06 -0400
Source: spice-vdagent
Binary: spice-vdagent
Architecture: arm64
Version: 0.20.0-1ubuntu0.1
Distribution: groovy
Urgency: medium
Maintainer: Launchpad Build Daemon
Changed-By: Marc Deslauriers
Description:
 spice-vdagent - Spice agent for Linux
Changes:
 spice-vdagent (0.20.0-1ubuntu0.1) groovy-security; urgency=medium
 .
   * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash
     Table
     - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file
       transfers in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled
       active_xfers allocations in src/vdagentd/vdagentd.c.
     - CVE-2020-25650
   * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via
     active_xfers Hash Map
     - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the
       client disconnects in src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25651-2.patch: do not allow using an already
       used file-xfer id in src/vdagentd/vdagentd.c.
     - CVE-2020-25651
   * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd
     - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent
       connections in src/udscs.c.
     - debian/patches/CVE-2020-25652-2.patch: limit number of agents per
       session to 1 in src/vdagentd/vdagentd.c.
     - CVE-2020-25652
   * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED
     is Subject to Race Condition
     - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking
       in src/vdagent-connection.c, src/vdagent-connection.h,
       src/vdagentd/vdagentd.c.
     - debian/patches/CVE-2020-25653-2.patch: better check for sessions in
       src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c,
       src/vdagentd/session-info.h, src/vdagentd/systemd-login.c,
       src/vdagentd/vdagentd.c.
     - CVE-2020-25653
   * Additional fixes:
     - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in
       src/vdagentd/vdagentd.c.
Original-Maintainer: Liang Guo