Bug 1598234 – CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1598234 - (CVE-2018-10893) CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows

Summary:	CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause di...

Status:	NEW

Aliases:	CVE-2018-10893

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180625,repor...
Keywords:	Security

Duplicates:	1594904 (view as bug list)
Depends On:	1598235 1598236 1598237 1598651 1598652 1598653
Blocks:	1598238
	Show dependency tree / graph

Reported:	2018-07-04 16:39 EDT by Laura Pardo
Modified:	2018-10-15 05:45 EDT (History)
CC List:	17 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
First patch (2.28 KB, patch) 2018-07-16 05:06 EDT, Christophe Fergeau	no flags	Details \| Diff
Second patch (2.83 KB, patch) 2018-07-16 05:06 EDT, Christophe Fergeau	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Laura Pardo 2018-07-04 16:39:23 EDT

A flaw was found in spice-client. An improper check on LZ images sent by the server could lead to an integer/buffer overflows on the client.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1594904

Comment 1 Laura Pardo 2018-07-04 16:40:09 EDT

Created mingw-spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598236]


Created spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598235]

Comment 7 Salvatore Bonaccorso 2018-07-07 02:24:17 EDT

Hi Laura

Since the Red Hat reference is not accessible, are there any details available for this issue? Is the issue adressed already?

Regards,
Salvatore

Comment 10 Doran Moppert 2018-07-11 21:14:31 EDT

Acknowledgments:

Name: Frediano Ziglio (Red Hat)

Comment 11 Christophe Fergeau 2018-07-16 05:06 EDT

Created attachment 1459094 [details]
First patch

Comment 12 Christophe Fergeau 2018-07-16 05:06 EDT

Created attachment 1459095 [details]
Second patch

Comment 13 Andrej Nemec 2018-09-11 09:00:33 EDT

References:

https://lists.freedesktop.org/archives/spice-devel/2018-July/044489.html

Comment 16 Frediano Ziglio 2018-10-15 05:45:39 EDT

*** Bug 1594904 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.