Bug 1598234 (CVE-2018-10893)

Summary: CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: alon, berrange, carnil, cfergeau, dblechte, dmoppert, erik-fedora, fidencio, fziglio, hdegoede, marcandre.lureau, mkenneth, rh-spice-bugs, rjones, sandmann, security-response-team, victortoso
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code.
Story Points: ---
Last Closed: 2019-07-18 12:44:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1598235, 1598236, 1598237, 1598651, 1598652, 1598653, 1658523
Bug Blocks: 1598238
Attachments:
Description    Flags
First patch    none
Second patch   none

Description Laura Pardo 2018-07-04 20:39:23 UTC
A flaw was found in spice-client. An improper check on LZ images sent by the server could lead to integer/buffer overflows on the client.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1594904

Comment 1 Laura Pardo 2018-07-04 20:40:09 UTC
Created mingw-spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598236]


Created spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598235]

Comment 7 Salvatore Bonaccorso 2018-07-07 06:24:17 UTC
Hi Laura

Since the Red Hat reference is not accessible, are there any details available for this issue? Is the issue addressed already?

Regards,
Salvatore

Comment 10 Doran Moppert 2018-07-12 01:14:31 UTC
Acknowledgments:

Name: Frediano Ziglio (Red Hat)

Comment 11 Christophe Fergeau 2018-07-16 09:06:14 UTC
Created attachment 1459094
First patch

Comment 12 Christophe Fergeau 2018-07-16 09:06:53 UTC
Created attachment 1459095
Second patch

Comment 16 Frediano Ziglio 2018-10-15 09:45:39 UTC
*** Bug 1594904 has been marked as a duplicate of this bug. ***

Comment 19 Victor Toso 2019-07-18 12:44:20 UTC
Too late for last z-stream batch for 7.6, closing.

Comment 21 errata-xmlrpc 2019-08-06 12:30:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2229 https://access.redhat.com/errata/RHSA-2019:2229

Comment 22 errata-xmlrpc 2020-02-11 08:58:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0471 https://access.redhat.com/errata/RHSA-2020:0471