CVE-2016-9578

Name	CVE-2016-9578
Description	A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-825-1, DSA-3790-1
Debian Bugs	854336

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
spice (PTS)	buster, buster (security)	0.14.0-1.3+deb10u1	fixed
	bullseye	0.14.3-2.1	fixed
	trixie, sid, bookworm	0.15.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
spice	source	wheezy	0.11.0-1+deb7u4	DLA-825-1
spice	source	jessie	0.12.5-1+deb8u4	DSA-3790-1
spice	source	(unstable)	0.12.8-2.1		854336

Notes

Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556 (0.12.x)
Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a (0.12.x)