-------------------------------------------------------------------------
Debian LTS Advisory DLA-2524-1                [email protected]
https://www.debian.org/lts/security/                          Abhijith PA
January 13, 2021                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : spice-vdagent
Version        : 0.17.0-1+deb9u1
CVE ID         : CVE-2017-15108 CVE-2020-25650 CVE-2020-25651 CVE-2020-25652 
                 CVE-2020-25653
Debian Bug     : 883238 973769

Several vulnerabilities were discovered in spice-vdagent, a spice 
guest agent for enchancing SPICE integeration and experience.

CVE-2017-15108

    spice-vdagent does not properly escape save directory before 
    passing to shell, allowing local attacker with access to the
    session the agent runs in to inject arbitrary commands to be
    executed.

CVE-2020-25650

    A flaw was found in the way the spice-vdagentd daemon handled file 
    transfers from the host system to the virtual machine. Any 
    unprivileged local guest user with access to the UNIX domain 
    socket path `/run/spice-vdagentd/spice-vdagent-sock` could use 
    this flaw to perform a memory denial of service for spice-vdagentd 
    or even other processes in the VM system. The highest threat from 
    this vulnerability is to system availability. This flaw affects 
    spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

    A flaw was found in the SPICE file transfer protocol. File data 
    from the host system can end up in full or in parts in the client 
    connection of an illegitimate local user in the VM system. Active 
    file transfers from other users could also be interrupted, 
    resulting in a denial of service. The highest threat from this 
    vulnerability is to data confidentiality as well as system 
    availability.

CVE-2020-25652

    A flaw was found in the spice-vdagentd daemon, where it did not 
    properly handle client connections that can be established via the 
    UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. 
    Any unprivileged local guest user could use this flaw to prevent 
    legitimate agents from connecting to the spice-vdagentd daemon, 
    resulting in a denial of service. The highest threat from this 
    vulnerability is to system availability. 

CVE-2020-25653

    A race condition vulnerability was found in the way the 
    spice-vdagentd daemon handled new client connections. This flaw 
    may allow an unprivileged local guest user to become the active 
    agent for spice-vdagentd, possibly resulting in a denial of 
    service or information leakage from the host. The highest threat 
    from this vulnerability is to data confidentiality as well as 
    system availability.

For Debian 9 stretch, these problems have been fixed in version
0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/spice-vdagent

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS