[Bug 1592227] Re: Sync spice 0.12.6-4.1 (main) from Debian unstable (main)
Serge Hallyn
1592227 at bugs.launchpad.net
Tue Jun 14 15:20:30 UTC 2016
Thanks - confirmed the packages are identical except for changelog,
ubuntu-maintainers, and diff context dates.
** Changed in: spice (Ubuntu)
Status: New => Triaged
** Changed in: spice (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1592227
Title:
  Sync spice 0.12.6-4.1 (main) from Debian unstable (main)

Status in spice package in Ubuntu:
  Fix Released

Bug description:
  Please sync spice 0.12.6-4.1 (main) from Debian unstable (main)

  Explanation of the Ubuntu delta and why it can be dropped:
    * SECURITY UPDATE: denial of service and possible code execution via
      memory allocation flaw in smartcard interaction
      - debian/patches/CVE-2016-0749/*.patch: add a ref to item and allocate
        msg with the expected size in server/smartcard.c.
      - CVE-2016-0749
    * SECURITY UPDATE: host memory access from guest with invalid primary
      surface parameters
      - debian/patches/CVE-2016-2150/*.patch: create a function to validate
        surface parameters in server/red_parse_qxl.*, improve primary surface
        parameter checks in server/red_worker.c.
      - CVE-2016-2150
  Done in Debian.

  Changelog entries since current yakkety version 0.12.6-4ubuntu1:

  spice (0.12.6-4.1) unstable; urgency=high

    * Non-maintainer upload.
    * CVE-2016-0749: heap-based buffer overflow in smartcard interaction
      (Closes: #826585)
    * CVE-2016-2150: host memory access from guest using crafted primary surface
      parameters (Closes: #826584)

   -- Salvatore Bonaccorso <carnil at debian.org>  Mon, 06 Jun 2016 19:22:10 +0200
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/spice/+bug/1592227/+subscriptions