From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BF4841382C5 for ; Sun, 8 Apr 2018 23:44:25 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E216FE0C78; Sun, 8 Apr 2018 23:37:24 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0338CE089B for ; Sun, 8 Apr 2018 23:33:57 +0000 (UTC) Received: from localhost (pool-71-163-21-11.washdc.fios.verizon.net [71.163.21.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: bman) by smtp.gentoo.org (Postfix) with ESMTPSA id BAFB3335C09 for ; Sun, 8 Apr 2018 23:33:56 +0000 (UTC) Date: Sun, 8 Apr 2018 19:33:54 -0400 From: Aaron Bauman To: gentoo-announce@lists.gentoo.org Subject: [gentoo-announce] [ GLSA 201804-09 ] SPICE VDAgent: Arbitrary command injection Message-ID: <20180408233354.GL24250@monkey> Reply-To: security@gentoo.org Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="S6vg04ofUPzW4qJg" Content-Disposition: inline User-Agent: Mutt/1.9.4 (2018-02-28) X-Archives-Salt: 13b2f6c6-65a1-4a8d-8c33-80e077cd5f51 X-Archives-Hash: 3fab41bd053c43e9ef572693b43face3 --S6vg04ofUPzW4qJg Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201804-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: SPICE VDAgent: Arbitrary command injection Date: April 08, 2018 Bugs: #650020 ID: 201804-09 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis =3D=3D=3D=3D=3D=3D=3D=3D A vulnerability in SPICE VDAgent could allow local attackers to execute arbitrary commands. Background =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Provides a complete open source solution for remote access to virtual machines in a seamless way so you can play videos, record audio, share USB devices and share folders without complications. Affected packages =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-emulation/spice-vdagent < 0.17.0_p20180319 >=3D 0.17.0_p20180319=20 Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D SPICE VDAgent does not properly escape save directory before passing to shell. Impact =3D=3D=3D=3D=3D=3D A local attacker could execute arbitrary commands. Workaround =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D There is no known workaround at this time. Resolution =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D All SPICE VDAgent users should upgrade to the latest version: # emerge --sync # emerge -a -1 -v ">=3Dapp-emulation/spice-vdagent-0.17.0_p20180319" References =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D [ 1 ] CVE-2017-15108 https://nvd.nist.gov/vuln/detail/CVE-2017-15108 Availability =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201804-09 Concerns? =3D=3D=3D=3D=3D=3D=3D=3D=3D Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License =3D=3D=3D=3D=3D=3D=3D Copyright 2018 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --S6vg04ofUPzW4qJg Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlrKpuIACgkQpRQw84X1 dt2nFgf+NK9RJ+vUuaSvRrzk5t6Wd2rfC68mJGM9kU8g84Qr2rSPMcT/ghKcX24T /fENGw9MQWGxwRQJQ9YTK43Pe1w4s6hM5/b9nTbOG2TKiaGg1SVRrOPoeI2HCPpz AUX2vn+xZ17I8+iNQdukwkwxlgkhyxt2ooRI7PkojPdWyO2+3I1ZKVs7WVSSgjA7 9/r93pFFWqNHv/CYJxBU6RY00QDn4BCWPrQg2BaAI88PuTsFRjvPpa8wuk8opPHS RO4k1PBMFPdMdshTol7+PBBvX30J+NCXiAvc82BDkzGiLCPypQn7ahDsy0v7e48g 5Zt/A3fGNTzZLHZ89kUeCpJB8qkCnQ== =oMr3 -----END PGP SIGNATURE----- --S6vg04ofUPzW4qJg--