Accepted spice-vdagent 0.20.0-2 (source) into unstable
Format: 1.8
Date: Thu, 03 Dec 2020 21:37:35 +0200
Source: spice-vdagent
Architecture: source
Version: 0.20.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 973769
Changes:
 spice-vdagent (0.20.0-2) unstable; urgency=medium
 .
   * QA upload.
   * Set Maintainer to Debian QA Group. (see #911430)
   * Add changes from Ubuntu:
     * SECURITY UPDATE: Memory DoS via Arbitrary Entries in active_xfers Hash
       Table
       - debian/patches/CVE-2020-25650-1.patch: avoid agents allocating file
         transfers in src/vdagentd/vdagentd.c.
       - debian/patches/CVE-2020-25650-2.patch: avoid uncontrolled
         active_xfers allocations in src/vdagentd/vdagentd.c.
       - CVE-2020-25650
     * SECURITY UPDATE: Possible File Transfer DoS and Information Leak via
       active_xfers Hash Map
       - debian/patches/CVE-2020-25651-1.patch: cleanup active_xfers when the
         client disconnects in src/vdagentd/vdagentd.c.
       - debian/patches/CVE-2020-25651-2.patch: do not allow using an already
         used file-xfer id in src/vdagentd/vdagentd.c.
       - CVE-2020-25651
     * SECURITY UPDATE: Possibility to Exhaust File Descriptors in vdagentd
       - debian/patches/CVE-2020-25652-1.patch: avoid unlimited agent
         connections in src/udscs.c.
       - debian/patches/CVE-2020-25652-2.patch: limit number of agents per
         session to 1 in src/vdagentd/vdagentd.c.
       - CVE-2020-25652
     * SECURITY UPDATE: UNIX Domain Socket Peer PID Retrieved via SO_PEERCRED
       is Subject to Race Condition
       - debian/patches/CVE-2020-25653-1.patch: avoid user session hijacking
         in src/vdagent-connection.c, src/vdagent-connection.h,
         src/vdagentd/vdagentd.c.
       - debian/patches/CVE-2020-25653-2.patch: better check for sessions in
         src/vdagentd/console-kit.c, src/vdagentd/dummy-session-info.c,
         src/vdagentd/session-info.h, src/vdagentd/systemd-login.c,
         src/vdagentd/vdagentd.c.
       - CVE-2020-25653
     * Additional fixes:
       - debian/patches/CVE-2020-2565x-1.patch: avoid calling chmod in
         src/vdagentd/vdagentd.c.
     (Closes: #973769)
Checksums-Sha1:
747b9ee64e58d740233d881a364fb3fcca0aaa69 2450 spice-vdagent_0.20.0-2.dsc
dd906212e4a36bba56ceed956820d2c25a51dc6a 21116 spice-vdagent_0.20.0-2.debian.tar.xz
Checksums-Sha256:
fc27ab22dc76114b5bba8f63199500054baa6a555bc4fb4da17aabdd12acceca 2450 spice-vdagent_0.20.0-2.dsc
92233464205236df6fe8f078473fb6ec39526f62cc5aa467ab5d4c02e301e6fe 21116 spice-vdagent_0.20.0-2.debian.tar.xz
Files:
936eaa0aec5a1e6f428427c476515cef 2450 x11 optional spice-vdagent_0.20.0-2.dsc
9fc51158d5991bdea3fd13923dbaa691 21116 x11 optional spice-vdagent_0.20.0-2.debian.tar.xz