Upstream information

CVE-2020-14355 at MITRE

Description

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

SUSE information

Overall state of this security issue: Pending

This issue is currently rated as having moderate severity.

CVSS v2 Scores

| Metric | National Vulnerability Database |
| --- | --- |
| Base Score | 6.5 |
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |

CVSS v3 Scores

| Metric | National Vulnerability Database | SUSE |
| --- | --- | --- |
| Base Score | 6.6 | 6.6 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L |
| Access Vector | Network | Network |
| Access Complexity | Low | Low |
| Privileges Required | High | High |
| User Interaction | None | None |
| Scope | Changed | Changed |
| Confidentiality Impact | Low | Low |
| Integrity Impact | Low | Low |
| Availability Impact | Low | Low |
| CVSSv3 Version | 3.1 | 3.1 |

SUSE Bugzilla entry: 1177158 [CONFIRMED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
HPE Helion Openstack 8
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
HPE-Helion-OpenStack-8-2020-3084
HPE-Helion-OpenStack-8-2020-3085
SUSE Enterprise Storage 5
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-Storage-5-2020-3084
SUSE-Storage-5-2020-3085
SUSE Linux Enterprise Module for Basesystem 15 SP2
  • libspice-client-glib-2_0-8 >= 0.37-3.3.2
  • libspice-client-glib-helper >= 0.37-3.3.2
  • libspice-client-gtk-3_0-5 >= 0.37-3.3.2
  • spice-gtk >= 0.37-3.3.2
Patchnames:
SUSE-SLE-Module-Basesystem-15-SP2-2020-3071
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SP2
  • spice-gtk >= 0.37-3.3.2
  • spice-gtk-lang >= 0.37-3.3.2
Patchnames:
SUSE-SLE-Module-Development-Tools-OBS-15-SP2-2020-3071
SUSE Linux Enterprise Module for Server Applications 15 SP2
  • libspice-server-devel >= 0.14.2-3.3.1
  • libspice-server1 >= 0.14.2-3.3.1
  • spice >= 0.14.2-3.3.1
  • spice-gtk >= 0.37-3.3.2
  • spice-gtk-devel >= 0.37-3.3.2
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.37-3.3.2
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.37-3.3.2
Patchnames:
SUSE-SLE-Module-Server-Applications-15-SP2-2020-3070
SUSE-SLE-Module-Server-Applications-15-SP2-2020-3071
SUSE Linux Enterprise Server 12 SP3-BCL
SUSE Linux Enterprise Server for SAP Applications 12 SP3-BCL
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-BCL-2020-3084
SUSE-SLE-SERVER-12-SP3-BCL-2020-3085
SUSE Linux Enterprise Server 12 SP3-ESPOS
SUSE Linux Enterprise Server for SAP Applications 12 SP3-ESPOS
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-ESPOS-2020-3084
SUSE-SLE-SERVER-12-SP3-ESPOS-2020-3085
SUSE Linux Enterprise Server 12 SP3-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP3-LTSS
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP3-2020-3084
SUSE-SLE-SERVER-12-SP3-2020-3085
SUSE Linux Enterprise Server 12 SP4-ESPOS
SUSE Linux Enterprise Server for SAP Applications 12 SP4-ESPOS
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP4-ESPOS-2020-3084
SUSE-SLE-SERVER-12-SP4-ESPOS-2020-3085
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP4-LTSS
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP4-LTSS-2020-3084
SUSE-SLE-SERVER-12-SP4-LTSS-2020-3085
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP5-2020-3084
SUSE-SLE-SERVER-12-SP5-2020-3085
SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SAP-12-SP3-2020-3084
SUSE-SLE-SAP-12-SP3-2020-3085
SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SAP-12-SP4-2020-3084
SUSE-SLE-SAP-12-SP4-2020-3085
SUSE Linux Enterprise Software Development Kit 12 SP5
  • libspice-server-devel >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • spice-gtk-devel >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-SLE-SDK-12-SP5-2020-3084
SUSE-SLE-SDK-12-SP5-2020-3085
SUSE OpenStack Cloud 8
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-OpenStack-Cloud-8-2020-3084
SUSE-OpenStack-Cloud-8-2020-3085
SUSE OpenStack Cloud 9
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-OpenStack-Cloud-9-2020-3084
SUSE-OpenStack-Cloud-9-2020-3085
SUSE OpenStack Cloud Crowbar 8
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-OpenStack-Cloud-Crowbar-8-2020-3084
SUSE-OpenStack-Cloud-Crowbar-8-2020-3085
SUSE OpenStack Cloud Crowbar 9
  • libspice-client-glib-2_0-8 >= 0.33-3.9.1
  • libspice-client-glib-helper >= 0.33-3.9.1
  • libspice-client-gtk-3_0-5 >= 0.33-3.9.1
  • libspice-controller0 >= 0.33-3.9.1
  • libspice-server1 >= 0.12.8-15.1
  • spice >= 0.12.8-15.1
  • spice-gtk >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.33-3.9.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.33-3.9.1
Patchnames:
SUSE-OpenStack-Cloud-Crowbar-9-2020-3084
SUSE-OpenStack-Cloud-Crowbar-9-2020-3085
openSUSE Leap 15.2
  • libspice-client-glib-2_0-8 >= 0.37-lp152.2.3.1
  • libspice-client-glib-2_0-8-debuginfo >= 0.37-lp152.2.3.1
  • libspice-client-glib-helper >= 0.37-lp152.2.3.1
  • libspice-client-glib-helper-debuginfo >= 0.37-lp152.2.3.1
  • libspice-client-gtk-3_0-5 >= 0.37-lp152.2.3.1
  • libspice-client-gtk-3_0-5-debuginfo >= 0.37-lp152.2.3.1
  • libspice-server-devel >= 0.14.2-lp152.2.3.1
  • libspice-server1 >= 0.14.2-lp152.2.3.1
  • libspice-server1-debuginfo >= 0.14.2-lp152.2.3.1
  • spice >= 0.14.2-lp152.2.3.1
  • spice-debugsource >= 0.14.2-lp152.2.3.1
  • spice-gtk >= 0.37-lp152.2.3.1
  • spice-gtk-debuginfo >= 0.37-lp152.2.3.1
  • spice-gtk-debugsource >= 0.37-lp152.2.3.1
  • spice-gtk-devel >= 0.37-lp152.2.3.1
  • spice-gtk-lang >= 0.37-lp152.2.3.1
  • typelib-1_0-SpiceClientGlib-2_0 >= 0.37-lp152.2.3.1
  • typelib-1_0-SpiceClientGtk-3_0 >= 0.37-lp152.2.3.1
Patchnames:
openSUSE-2020-1802
openSUSE-2020-1803


Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete, or outdated. Also, information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

| Product(s) | Source package | State |
| --- | --- | --- |
| HPE Helion OpenStack 8 | spice | Released |
| HPE Helion OpenStack 8 | spice-gtk | Released |
| SUSE Enterprise Storage 5 | spice | Released |
| SUSE Enterprise Storage 5 | spice-gtk | Released |
| SUSE Linux Enterprise 15-SP1 Module for Basesystem | spice-gtk | Affected |
| SUSE Linux Enterprise 15-SP1 Module for Server Applications | spice | Affected |
| SUSE Linux Enterprise 15-SP1 Module for Server Applications | spice-gtk | Affected |
| SUSE Linux Enterprise 15-SP2 Module for Basesystem | spice-gtk | Released |
| SUSE Linux Enterprise 15-SP2 Module for Server Applications | spice | Released |
| SUSE Linux Enterprise 15-SP2 Module for Server Applications | spice-gtk | Released |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | spice | Released |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | spice-gtk | Released |
| SUSE Linux Enterprise High Performance Computing 15 LTSS | spice | Affected |
| SUSE Linux Enterprise High Performance Computing 15 LTSS | spice-gtk | Affected |
| SUSE Linux Enterprise Point of Service Image Server 12 | spice | Affected |
| SUSE Linux Enterprise Point of Service Image Server 12 | spice-gtk | Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS | spice | Affected |
| SUSE Linux Enterprise Server 12 SP2 BCL | spice | Affected |
| SUSE Linux Enterprise Server 12 SP2 BCL | spice-gtk | Affected |
| SUSE Linux Enterprise Server 12 SP2 ESPOS | spice | Affected |
| SUSE Linux Enterprise Server 12 SP2 ESPOS | spice-gtk | Affected |
| SUSE Linux Enterprise Server 12 SP2 LTSS | spice | Affected |
| SUSE Linux Enterprise Server 12 SP2 LTSS | spice-gtk | Affected |
| SUSE Linux Enterprise Server 12 SP3 BCL | spice | Released |
| SUSE Linux Enterprise Server 12 SP3 BCL | spice-gtk | Released |
| SUSE Linux Enterprise Server 12 SP3 ESPOS | spice | Released |
| SUSE Linux Enterprise Server 12 SP3 ESPOS | spice-gtk | Already fixed |
| SUSE Linux Enterprise Server 12 SP3 LTSS | spice | Released |
| SUSE Linux Enterprise Server 12 SP3 LTSS | spice-gtk | Released |
| SUSE Linux Enterprise Server 12 SP4 ESPOS | spice | Released |
| SUSE Linux Enterprise Server 12 SP4 ESPOS | spice-gtk | Already fixed |
| SUSE Linux Enterprise Server 12 SP4 LTSS | spice | Released |
| SUSE Linux Enterprise Server 12 SP4 LTSS | spice-gtk | Released |
| SUSE Linux Enterprise Server 12 SP5 | spice | Released |
| SUSE Linux Enterprise Server 12 SP5 | spice-gtk | Released |
| SUSE Linux Enterprise Server 15 LTSS | spice | Affected |
| SUSE Linux Enterprise Server 15 LTSS | spice-gtk | Affected |
| SUSE Linux Enterprise Server ESPOS 15 | spice | Affected |
| SUSE Linux Enterprise Server ESPOS 15 | spice-gtk | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | spice | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | spice-gtk | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | spice | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | spice-gtk | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | spice | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | spice-gtk | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | spice | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | spice-gtk | Released |
| SUSE Linux Enterprise Server for SAP Applications 15 | spice | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | spice-gtk | Affected |
| SUSE OpenStack Cloud 7 | spice | Affected |
| SUSE OpenStack Cloud 7 | spice-gtk | Affected |
| SUSE OpenStack Cloud 8 | spice | Released |
| SUSE OpenStack Cloud 8 | spice-gtk | Released |
| SUSE OpenStack Cloud 9 | spice | Released |
| SUSE OpenStack Cloud 9 | spice-gtk | Released |
| SUSE OpenStack Cloud Crowbar 8 | spice | Released |
| SUSE OpenStack Cloud Crowbar 8 | spice-gtk | Released |
| SUSE OpenStack Cloud Crowbar 9 | spice | Released |
| SUSE OpenStack Cloud Crowbar 9 | spice-gtk | Released |