CVE-2016-9578

Name: CVE-2016-9578
Description: A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-825-1, DSA-3790-1
NVD severity: medium
Debian Bugs: 854336

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| spice (PTS) | stretch (security), stretch | 0.12.8-2.1+deb9u3 | fixed |
| | buster | 0.14.0-1.3 | fixed |
| | bullseye, sid | 0.14.3-1 | fixed |

The information below is based on the following data on fixed versions.

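| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| spice | source | wheezy | 0.11.0-1+deb7u4 | | DLA-825-1 | |
| spice | source | jessie | 0.12.5-1+deb8u4 | | DSA-3790-1 | |
| spice | source | (unstable) | 0.12.8-2.1 | | | 854336 |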

Notes

Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556 (0.12.x)
Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a (0.12.x)
