Arch Linux Security Advisory ASA-202107-12

Severity: Critical
Date    : 2021-07-06
CVE-ID  : CVE-2020-14355 CVE-2021-20201
Package : spice
Type    : multiple issues
Remote  : Yes
Link    :


The package spice before version 0.15.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.


Upgrade to 0.15.0-1.

# pacman -Syu "spice>=0.15.0-1"

The problems have been fixed upstream in version 0.15.0.




- CVE-2020-14355 (arbitrary code execution)

Multiple buffer overflow vulnerabilities were found in the QUIC image
decoding process of the SPICE remote display system. More specifically,
these flaws reside in the spice-common shared code between the client
and server of SPICE. In other words, both the client (spice-gtk) and
server are affected by these flaws. A malicious client or server could
send specially crafted messages which could result in a process crash
or potential code execution scenario. The issues have been fixed in
spice (server) version 0.14.90 and spice-gtk (client) version 0.39.

- CVE-2021-20201 (denial of service)

An issue was discovered in SPICE server before version 0.15.0. There is
a vulnerability which might make it easier for remote attackers to
cause a denial of service (CPU consumption) by performing many
renegotiations within a single connection.


A remote attacker could execute arbitrary code on the SPICE server
using crafted messages, or cause high CPU consumption by performing
many renegotiations.