spice-vdagent-0.21.0-1.7 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11399-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z spice-vdagent-0.21.0-1.7 on GA media These are all security issues fixed in the spice-vdagent-0.21.0-1.7 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11399 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-15108/ SUSE CVE CVE-2017-15108 page https://www.suse.com/security/cve/CVE-2020-25650/ SUSE CVE CVE-2020-25650 page openSUSE Tumbleweed spice-vdagent-0.21.0-1.7 spice-vdagent-0.21.0-1.7 as a component of openSUSE Tumbleweed spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed. CVE-2017-15108 openSUSE Tumbleweed:spice-vdagent-0.21.0-1.7 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-15108.html CVE-2017-15108 https://bugzilla.suse.com/1070724 SUSE Bug 1070724 A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions. CVE-2020-25650 openSUSE Tumbleweed:spice-vdagent-0.21.0-1.7 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-25650.html CVE-2020-25650 https://bugzilla.suse.com/1177780 SUSE Bug 1177780