Public bug reported:

Please sync spice 0.12.6-4.1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: denial of service and possible code execution via
    memory allocation flaw in smartcard interaction
    - debian/patches/CVE-2016-0749/*.patch: add a ref to item and allocate
      msg with the expected size in server/smartcard.c.
    - CVE-2016-0749
  * SECURITY UPDATE: host memory access from guest with invalid primary
    surface parameters
    - debian/patches/CVE-2016-2150/*.patch: create a function to validate
      surface parameters in server/red_parse_qxl.*, improve primary surface
      parameter checks in server/red_worker.c.
    - CVE-2016-2150
Done in Debian.

Changelog entries since current yakkety version 0.12.6-4ubuntu1:

spice (0.12.6-4.1) unstable; urgency=high

  * Non-maintainer upload.
  * CVE-2016-0749: heap-based buffer overflow in smartcard interaction
    (Closes: #826585)
  * CVE-2016-2150: host memory access from guest using crafted primary surface
    parameters (Closes: #826584)

 -- Salvatore Bonaccorso <[email protected]>  Mon, 06 Jun 2016 19:22:10 +0200

** Affects: spice (Ubuntu)
     Importance: Wishlist
         Status: New

** Changed in: spice (Ubuntu)
   Importance: Undecided => Wishlist

--
https://bugs.launchpad.net/bugs/1592227