CVE-2020-14355

Published: 06 October 2020

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

Priority

Medium

CVSS 3 base score: 6.6

Status

Package Release Status
spice
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Released (0.14.3-1ubuntu2)
Ubuntu 20.10 (Groovy Gorilla) Released (0.14.3-1ubuntu2)
Ubuntu 20.04 LTS (Focal Fossa) Released (0.14.2-4ubuntu3.1)
Ubuntu 18.04 LTS (Bionic Beaver) Released (0.14.0-1ubuntu2.5)
Ubuntu 16.04 LTS (Xenial Xerus) Released (0.12.6-4ubuntu0.5)
Ubuntu 14.04 ESM (Trusty Tahr) Released (0.12.4-0nocelt2ubuntu1.8+esm1)
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist

spice-gtk
Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needed
Ubuntu 20.10 (Groovy Gorilla) Needed
Ubuntu 20.04 LTS (Focal Fossa) Needed
Ubuntu 18.04 LTS (Bionic Beaver) Needed
Ubuntu 16.04 LTS (Xenial Xerus) Needed
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
Ubuntu 12.04 ESM (Precise Pangolin) Does not exist