Bug 1598234 (CVE-2018-10893) - CVE-2018-10893 spice-client: Insufficient encoding checks for LZ can cause different integer/buffer overflows
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2018-10893
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 1594904
Depends On: 1598235 1598236 1598237 1598651 1598652 1598653 1658523
Blocks: 1598238
Reported: 2018-07-04 20:39 UTC by Laura Pardo
Modified: 2021-02-17 00:01 UTC (History)

Fixed In Version:
Doc Text:
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-07-18 12:44:20 UTC
Embargoed:


Attachments
First patch (2.28 KB, patch)
2018-07-16 09:06 UTC, Christophe Fergeau
Second patch (2.83 KB, patch)
2018-07-16 09:06 UTC, Christophe Fergeau


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2229 0 None None None 2019-08-06 12:30:19 UTC
Red Hat Product Errata RHSA-2020:0471 0 None None None 2020-02-11 08:58:29 UTC

Description Laura Pardo 2018-07-04 20:39:23 UTC
A flaw was found in spice-client. An improper check on LZ images sent by the server could lead to integer/buffer overflows on the client.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1594904

Comment 1 Laura Pardo 2018-07-04 20:40:09 UTC
Created mingw-spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598236]


Created spice-gtk tracking bugs for this issue:

Affects: fedora-all [bug 1598235]

Comment 7 Salvatore Bonaccorso 2018-07-07 06:24:17 UTC
Hi Laura

Since the Red Hat reference is not accessible, are there any details available for this issue? Is the issue addressed already?

Regards,
Salvatore

Comment 10 Doran Moppert 2018-07-12 01:14:31 UTC
Acknowledgments:

Name: Frediano Ziglio (Red Hat)

Comment 11 Christophe Fergeau 2018-07-16 09:06:14 UTC
Created attachment 1459094 [details]
First patch

Comment 12 Christophe Fergeau 2018-07-16 09:06:53 UTC
Created attachment 1459095 [details]
Second patch

Comment 16 Frediano Ziglio 2018-10-15 09:45:39 UTC
*** Bug 1594904 has been marked as a duplicate of this bug. ***

Comment 19 Victor Toso 2019-07-18 12:44:20 UTC
Too late for last z-stream batch for 7.6, closing.

Comment 21 errata-xmlrpc 2019-08-06 12:30:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2229 https://access.redhat.com/errata/RHSA-2019:2229

Comment 22 errata-xmlrpc 2020-02-11 08:58:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0471 https://access.redhat.com/errata/RHSA-2020:0471
