VulnerableCode Package Details - pkg:deb/ubuntu/spice-gtk@0.23-1

Search for packages

Package details: pkg:deb/ubuntu/spice-gtk@0.23-1

Essentials
History (0)

purl	pkg:deb/ubuntu/spice-gtk@0.23-1

Next non-vulnerable version	0.35-2
Latest non-vulnerable version	0.35-2
Risk	4.5

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-afzs-1b88-aaaf Aliases: CVE-2018-10873	A vulnerability was discovered in SPICE before version 0.14.1 where the generated code used for demarshalling messages lacked sufficient bounds checks. A malicious client or server, after authentication, could send specially crafted messages to its peer which would result in a crash or, potentially, other impacts.	0.35-2 Affected by 0 other vulnerabilities.
VCID-q6fk-hm76-aaaf Aliases: CVE-2017-12194	A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable.	0.35-2 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-q679-j4uq-aaad	spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.	CVE-2013-4324

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version