libspice-client-glib-2_0-8-0.39-1.8 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11398 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libspice-client-glib-2_0-8-0.39-1.8 on GA media These are all security issues fixed in the libspice-client-glib-2_0-8-0.39-1.8 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11398 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11398 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-10873/ SUSE CVE CVE-2018-10873 page https://www.suse.com/security/cve/CVE-2018-10893/ SUSE CVE CVE-2018-10893 page https://www.suse.com/security/cve/CVE-2020-14355/ SUSE CVE CVE-2020-14355 page openSUSE Tumbleweed libspice-client-glib-2_0-8-0.39-1.8 libspice-client-glib-helper-0.39-1.8 libspice-client-gtk-3_0-5-0.39-1.8 spice-gtk-0.39-1.8 spice-gtk-devel-0.39-1.8 spice-gtk-lang-0.39-1.8 typelib-1_0-SpiceClientGlib-2_0-0.39-1.8 typelib-1_0-SpiceClientGtk-3_0-0.39-1.8 libspice-client-glib-2_0-8-0.39-1.8 as a component of openSUSE Tumbleweed libspice-client-glib-helper-0.39-1.8 as a component of openSUSE Tumbleweed libspice-client-gtk-3_0-5-0.39-1.8 as a component of openSUSE Tumbleweed spice-gtk-0.39-1.8 as a component of openSUSE Tumbleweed spice-gtk-devel-0.39-1.8 as a component of openSUSE Tumbleweed spice-gtk-lang-0.39-1.8 as a component of openSUSE Tumbleweed typelib-1_0-SpiceClientGlib-2_0-0.39-1.8 as a component of openSUSE Tumbleweed typelib-1_0-SpiceClientGtk-3_0-0.39-1.8 as a component of openSUSE Tumbleweed A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts. CVE-2018-10873 openSUSE Tumbleweed:libspice-client-glib-2_0-8-0.39-1.8 openSUSE Tumbleweed:libspice-client-glib-helper-0.39-1.8 openSUSE Tumbleweed:libspice-client-gtk-3_0-5-0.39-1.8 openSUSE Tumbleweed:spice-gtk-0.39-1.8 openSUSE Tumbleweed:spice-gtk-devel-0.39-1.8 openSUSE Tumbleweed:spice-gtk-lang-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGlib-2_0-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGtk-3_0-0.39-1.8 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10873.html CVE-2018-10873 https://bugzilla.suse.com/1104448 SUSE Bug 1104448 Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. A malicious server could cause the client to crash or, potentially, execute arbitrary code. CVE-2018-10893 openSUSE Tumbleweed:libspice-client-glib-2_0-8-0.39-1.8 openSUSE Tumbleweed:libspice-client-glib-helper-0.39-1.8 openSUSE Tumbleweed:libspice-client-gtk-3_0-5-0.39-1.8 openSUSE Tumbleweed:spice-gtk-0.39-1.8 openSUSE Tumbleweed:spice-gtk-devel-0.39-1.8 openSUSE Tumbleweed:spice-gtk-lang-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGlib-2_0-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGtk-3_0-0.39-1.8 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-10893.html CVE-2018-10893 https://bugzilla.suse.com/1101295 SUSE Bug 1101295 Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution. CVE-2020-14355 openSUSE Tumbleweed:libspice-client-glib-2_0-8-0.39-1.8 openSUSE Tumbleweed:libspice-client-glib-helper-0.39-1.8 openSUSE Tumbleweed:libspice-client-gtk-3_0-5-0.39-1.8 openSUSE Tumbleweed:spice-gtk-0.39-1.8 openSUSE Tumbleweed:spice-gtk-devel-0.39-1.8 openSUSE Tumbleweed:spice-gtk-lang-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGlib-2_0-0.39-1.8 openSUSE Tumbleweed:typelib-1_0-SpiceClientGtk-3_0-0.39-1.8 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-14355.html CVE-2020-14355 https://bugzilla.suse.com/1177158 SUSE Bug 1177158