ASA-202107-12 log original external raw

[ASA-202107-12] spice: multiple issues
Arch Linux Security Advisory ASA-202107-12 ========================================== Severity: Critical Date : 2021-07-06 CVE-ID : CVE-2020-14355 CVE-2021-20201 Package : spice Type : multiple issues Remote : Yes Link : Summary ======= The package spice before version 0.15.0-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 0.15.0-1. # pacman -Syu "spice>=0.15.0-1" The problems have been fixed upstream in version 0.15.0. Workaround ========== None. Description =========== - CVE-2020-14355 (arbitrary code execution) Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. More specifically, these flaws reside in the spice-common shared code between the client and server of SPICE. In other words, both the client (spice-gtk) and server are affected by these flaws. A malicious client or server could send specially crafted messages which could result in a process crash or potential code execution scenario. The issues have been fixed in spice (server) version 0.14.90 and spice-gtk (client) version 0.39. - CVE-2021-20201 (denial of service) An issue was discovered in SPICE server before version 0.15.0. There is a vulnerability which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection. Impact ====== A remote attacker could execute arbitrary code on the SPICE server using crafted messages, or cause high CPU consumption by performing many renegotiations. References ==========