spice-vdagent: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0183
                       spice-vdagent security update
                              15 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           spice-vdagent
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-25653 CVE-2020-25652 CVE-2020-25651
                   CVE-2020-25650 CVE-2017-15108 

Reference:         ASB-2020.0026
                   ESB-2021.0071
                   ESB-2020.4034
                   ESB-2020.4029.2

Original Bulletin: 
   https://www.debian.org/lts/security/2021/dla-2524

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2524-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Abhijith PA
January 13, 2021                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : spice-vdagent
Version        : 0.17.0-1+deb9u1
CVE ID         : CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652
                 CVE-2020-25653
Debian Bug     : 883238 973769

Several vulnerabilities were discovered in spice-vdagent, a spice
guest agent for enchancing SPICE integeration and experience.

CVE-2017-15108

    spice-vdagent does not properly escape save directory before
    passing to shell, allowing local attacker with access to the
    session the agent runs in to inject arbitrary commands to be
    executed.

CVE-2020-25650

    A flaw was found in the way the spice-vdagentd daemon handled file
    transfers from the host system to the virtual machine. Any
    unprivileged local guest user with access to the UNIX domain
    socket path `/run/spice-vdagentd/spice-vdagent-sock` could use
    this flaw to perform a memory denial of service for spice-vdagentd
    or even other processes in the VM system. The highest threat from
    this vulnerability is to system availability. This flaw affects
    spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

    A flaw was found in the SPICE file transfer protocol. File data
    from the host system can end up in full or in parts in the client
    connection of an illegitimate local user in the VM system. Active
    file transfers from other users could also be interrupted,
    resulting in a denial of service. The highest threat from this
    vulnerability is to data confidentiality as well as system
    availability.

CVE-2020-25652

    A flaw was found in the spice-vdagentd daemon, where it did not
    properly handle client connections that can be established via the
    UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`.
    Any unprivileged local guest user could use this flaw to prevent
    legitimate agents from connecting to the spice-vdagentd daemon,
    resulting in a denial of service. The highest threat from this
    vulnerability is to system availability.

CVE-2020-25653

    A race condition vulnerability was found in the way the
    spice-vdagentd daemon handled new client connections. This flaw
    may allow an unprivileged local guest user to become the active
    agent for spice-vdagentd, possibly resulting in a denial of
    service or information leakage from the host. The highest threat
    from this vulnerability is to data confidentiality as well as
    system availability.

For Debian 9 stretch, these problems have been fixed in version
0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/spice-vdagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYAD0guNLKJtyKPYoAQhQwxAAmkdYxb1gFPKNfTZfozrCb6w6MqdrIMMP
QY6irNkcomEwUFFs670qxvhKw9jk03OrqICW02gnnHgNzrZDwmyFBFz8DYJtSqYj
xNqsT2s3gr4ya+dmnvT8wR/FJGEinzkST0J1dPWBLVtJMiKpN94MuT7MO3ejoTZH
ixa4mwioGzlEwsCcWEai0tphVqrMr5+/vlEegTVXlFqOMAJkxXNw7vRgMRrcRD77
htORROYwjKJ/9nt+qa3OOqhOLXC0PGfGAAkIEgGKr9luhKTTbMP+oSc5hy04u2C5
DmFJyILqa5RC3nCOkFw3jzjrK388K7Bg8XmdDbVyPjNyp9feCDMccVPHXtlYTo+M
vqrFFgwf9u/9BlPQPkGKvWxUnfwU0olK1aexCA7gnpCpHuHt4c+0NN8oMO/fGWBb
zN0ZhQiVwDeUlJe7Xkc518mDskDpaRwH6ZejSbLc7OOVyukhpjtud2pLb/ytnZm/
YgzHuwEb9jG6348d2U7rtvkUnMu/9PonxHYtzn/G3beOCiLESLDkPqxob73mL+M3
48E1no37ZyuGNdbAIU1+QGt4KFKtUKqQxjpldthpgp4V7erCezsdcri7WOCyzh4b
+UGvfnVS2R/BIb6lTPzyEXk+Plh4uwVq9X1esTblbY3uoJ8Q1Akhtm/r/y5Yu8KK
NlphCrgvhO4=
=ABoV
-----END PGP SIGNATURE-----