security update for spice-vdagent SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0399-1 Final 1 1 2018-02-08T06:06:02Z current 2018-02-08T06:06:02Z 2018-02-08T06:06:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z security update for spice-vdagent This update for spice-vdagent provides the following fixes: This security issue was fixed: - CVE-2017-15108: Properly escape save directory that is passed to the shell to prevent local attacker with access to the session the agent runs from injecting arbitrary commands to be executed (bsc#1070724). This non-security issue was fixed: - Implement endian swapping, required for big-endian guests to connect to the spice client successfully. (bsc#1012215) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html E-Mail link for openSUSE-SU-2018:0399-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 spice-vdagent-0.16.0-8.1 spice-vdagent-0.16.0-8.1 as a component of openSUSE Leap 42.3 spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed. CVE-2017-15108 openSUSE Leap 42.3:spice-vdagent-0.16.0-8.1 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-02/msg00028.html https://www.suse.com/security/cve/CVE-2017-15108.html CVE-2017-15108 https://bugzilla.suse.com/1070724 SUSE Bug 1070724