---

CVE-2020-14355 - log back

CVE-2020-14355 edited at 05 Jul 2021 07:57:34

References

https://www.openwall.com/lists/oss-security/2020/10/06/10 https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d74782c8b5e57d146c5bf3118bb41bf3378e4 https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b66b86e601c725d30f00c37e684b6395b6 + https://gitlab.freedesktop.org/spice/spice/-/commit/4f71d0cdb79d2f61da49d439a5b72e3ce0070313 + https://gitlab.freedesktop.org/spice/spice-gtk/-/commit/df0d3f9d95fe8235b95fa291feb746ba5e3bd6aa

CVE-2020-14355 edited at 05 Jul 2021 07:57:11
Description	- Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. More specifically, these flaws reside in the spice-common shared code between the client and server of SPICE. In other words, both the client (spice-gtk) and server are affected by these flaws. A malicious client or server could send specially crafted messages which could result in a process crash or potential code execution scenario. + Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. More specifically, these flaws reside in the spice-common shared code between the client and server of SPICE. In other words, both the client (spice-gtk) and server are affected by these flaws. A malicious client or server could send specially crafted messages which could result in a process crash or potential code execution scenario. The issues have been fixed in spice (server) version 0.14.90 and spice-gtk (client) version 0.39.
References	https://www.openwall.com/lists/oss-security/2020/10/06/10 - https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0aba + https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d - https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d7478 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d74782c8b5e57d146c5bf3118bb41bf3378e4 - https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7b82e15d759e5415b8e35b92bb1a4c206 - https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b6 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b66b86e601c725d30f00c37e684b6395b6

CVE-2020-14355 edited at 10 Oct 2020 13:48:54
Severity	- Unknown + Critical
Remote	- Unknown + Remote
Type	- Unknown + Arbitrary code execution
Description	+ Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system. More specifically, these flaws reside in the spice-common shared code between the client and server of SPICE. In other words, both the client (spice-gtk) and server are affected by these flaws. A malicious client or server could send specially crafted messages which could result in a process crash or potential code execution scenario.
References	+ https://www.openwall.com/lists/oss-security/2020/10/06/10 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0aba + https://gitlab.freedesktop.org/spice/spice-common/-/commit/404d7478 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/ef1b6ff7 + https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b6
Notes

CVE-2020-14355 created at 10 Oct 2020 13:48:07