[SECURITY] [DLA 2524-1] spice-vdagent security update

Debian LTS Advisory DLA-2524-1 [email protected]
https://www.debian.org/lts/security/ Abhijith PA
January 13, 2021 https://wiki.debian.org/LTS

Package : spice-vdagent
Version : 0.17.0-1+deb9u1
CVE ID : CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652
CVE-2020-25653
Debian Bug : 883238 973769

Several vulnerabilities were discovered in spice-vdagent, a spice
guest agent for enchancing SPICE integeration and experience.

CVE-2017-15108

spice-vdagent does not properly escape save directory before 
passing to shell, allowing local attacker with access to the
session the agent runs in to inject arbitrary commands to be
executed.

CVE-2020-25650

A flaw was found in the way the spice-vdagentd daemon handled file 
transfers from the host system to the virtual machine. Any 
unprivileged local guest user with access to the UNIX domain 
socket path `/run/spice-vdagentd/spice-vdagent-sock` could use 
this flaw to perform a memory denial of service for spice-vdagentd 
or even other processes in the VM system. The highest threat from 
this vulnerability is to system availability. This flaw affects 
spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

A flaw was found in the SPICE file transfer protocol. File data 
from the host system can end up in full or in parts in the client 
connection of an illegitimate local user in the VM system. Active 
file transfers from other users could also be interrupted, 
resulting in a denial of service. The highest threat from this 
vulnerability is to data confidentiality as well as system 
availability.

CVE-2020-25652

A flaw was found in the spice-vdagentd daemon, where it did not 
properly handle client connections that can be established via the 
UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. 
Any unprivileged local guest user could use this flaw to prevent 
legitimate agents from connecting to the spice-vdagentd daemon, 
resulting in a denial of service. The highest threat from this 
vulnerability is to system availability. 

CVE-2020-25653

A race condition vulnerability was found in the way the 
spice-vdagentd daemon handled new client connections. This flaw 
may allow an unprivileged local guest user to become the active 
agent for spice-vdagentd, possibly resulting in a denial of 
service or information leakage from the host. The highest threat 
from this vulnerability is to data confidentiality as well as 
system availability.

For Debian 9 stretch, these problems have been fixed in version
0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/spice-vdagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature