FS#46738 - [spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]multiple issues

Attached to Project: Arch Linux
Opened by Christian Rebischke (Shibumi) - Thursday, 15 October 2015, 16:05 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 19 October 2015, 13:13 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description
===========

- CVE-2015-3247 (race condition flaw)
A race condition flaw, leading to a heap-based memory corruption, was found in spice's worker_update_monitors_config() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. [1][5]

- CVE-2015-5260 (heap-based buffer overflow)
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. [2][4]

- CVE-2015-5261 (heap-based buffer overflow)
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host. [3][4]

Resolution
==========

Upgrade to spice 0.12.6.

References
==========
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1233238
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1260822
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1261889
[4] http://lists.freedesktop.org/archives/spice-devel/2015-October/022168.html
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797976;msg=21
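Both heap-overflow entries above concern host-side handling of fields the guest controls in a QXL command (a "surface_id" index, the parameters of a surface creation). The block below is an added illustration of that bug class, not code from spice or from this report: a hypothetical, simplified surface table (the names Worker, Surface, QxlSurfaceCreate, NUM_SURFACES and MAX_SURFACE_BYTES are assumptions) with an unchecked handler shown next to a hardened one that validates the index, the slot state and the allocation size before touching host memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model (assumption, not spice's code): the host worker owns a
 * heap-allocated table of NUM_SURFACES surfaces, and guest QXL commands pick
 * an entry with a guest-controlled "surface_id". */
#define NUM_SURFACES 8u
#define MAX_SURFACE_BYTES (64u * 1024u * 1024u)   /* assumed per-surface cap */

typedef struct {
    uint32_t width, height, stride;
    uint8_t *data;                 /* NULL while the slot is free */
} Surface;

typedef struct {
    Surface *surfaces;             /* calloc'd array of NUM_SURFACES entries */
} Worker;

/* Constructed guest command: every field is attacker-controlled. */
typedef struct {
    uint32_t surface_id;
    uint32_t width, height;
} QxlSurfaceCreate;

enum { SURF_OK = 0, SURF_BAD_ID = -1, SURF_IN_USE = -2,
       SURF_BAD_SIZE = -3, SURF_NOT_CREATED = -4, SURF_OOM = -5 };

Worker *worker_new(void) {
    Worker *w = calloc(1, sizeof *w);
    if (w) w->surfaces = calloc(NUM_SURFACES, sizeof(Surface));
    return w;
}

void worker_free(Worker *w) {
    if (!w) return;
    for (uint32_t i = 0; i < NUM_SURFACES; i++) free(w->surfaces[i].data);
    free(w->surfaces);
    free(w);
}

/* VULNERABLE pattern (never call this with guest input): surface_id is used as
 * an index with no range check, so any id >= NUM_SURFACES reads and writes
 * past the end of the heap array, i.e. a guest-triggered heap corruption in
 * the host process. Kept only for contrast with the hardened handler below. */
int handle_surface_create_unchecked(Worker *w, const QxlSurfaceCreate *cmd) {
    Surface *s = &w->surfaces[cmd->surface_id];          /* out of bounds */
    s->width = cmd->width;
    s->height = cmd->height;
    s->stride = cmd->width * 4u;                         /* may wrap */
    s->data = calloc((size_t)s->stride * cmd->height, 1);/* may wrap */
    return s->data ? SURF_OK : SURF_OOM;
}

/* Hardened handler: every guest-supplied field is validated before it is used
 * to address or size host memory. */
int handle_surface_create(Worker *w, const QxlSurfaceCreate *cmd) {
    if (cmd->surface_id >= NUM_SURFACES)
        return SURF_BAD_ID;                  /* index must stay inside the table */
    Surface *s = &w->surfaces[cmd->surface_id];
    if (s->data != NULL)
        return SURF_IN_USE;                  /* refuse to re-create a live surface */
    if (cmd->width == 0 || cmd->height == 0 || cmd->width > MAX_SURFACE_BYTES / 4u)
        return SURF_BAD_SIZE;
    uint64_t stride = (uint64_t)cmd->width * 4u;         /* assumed 32 bpp */
    if ((uint64_t)cmd->height > MAX_SURFACE_BYTES / stride)
        return SURF_BAD_SIZE;                /* stride*height cannot wrap or exceed cap */
    uint64_t bytes = stride * cmd->height;
    s->data = calloc((size_t)bytes, 1);
    if (!s->data) return SURF_OOM;
    s->width = cmd->width;
    s->height = cmd->height;
    s->stride = (uint32_t)stride;
    return SURF_OK;
}

int handle_surface_destroy(Worker *w, uint32_t surface_id) {
    if (surface_id >= NUM_SURFACES) return SURF_BAD_ID;
    Surface *s = &w->surfaces[surface_id];
    if (s->data == NULL) return SURF_NOT_CREATED;        /* no double free */
    free(s->data);
    s->data = NULL;
    s->width = s->height = s->stride = 0;
    return SURF_OK;
}

/* Runs the hardened handler against constructed commands and returns how many
 * behaved as expected (6 when everything is right). */
int demo_scenario(void) {
    int passed = 0;
    Worker *w = worker_new();
    QxlSurfaceCreate ok      = { 1, 64, 32 };
    QxlSurfaceCreate bad_id  = { NUM_SURFACES, 64, 32 };     /* one past the table */
    QxlSurfaceCreate huge    = { 2, 0xFFFFFFFFu, 0xFFFFFFFFu };/* would wrap the size */
    passed += handle_surface_create(w, &ok) == SURF_OK;
    passed += handle_surface_create(w, &ok) == SURF_IN_USE;
    passed += handle_surface_create(w, &bad_id) == SURF_BAD_ID;
    passed += handle_surface_create(w, &huge) == SURF_BAD_SIZE;
    passed += handle_surface_destroy(w, 1) == SURF_OK;
    passed += handle_surface_destroy(w, 1) == SURF_NOT_CREATED;
    worker_free(w);
    return passed;
}

int main(void) {
    printf("checks passed: %d/6\n", demo_scenario());
    return 0;
}
```

The stride and byte-count arithmetic is done in 64-bit with a cap checked before the multiplication, because a 32-bit `width * 4 * height` can wrap to a small value and make `calloc` hand back a buffer far smaller than the dimensions the rest of the code will trust.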

Closed by Doug Newgard (Scimmia)
Monday, 19 October 2015, 13:13 GMT
Reason for closing: Fixed
Additional comments about closing: spice 0.12.6-1
Comment by Christian Rebischke (Shibumi) - Thursday, 15 October 2015, 16:07 GMT
rename the bug please:

Old:
[spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]heap-based buffer overflows

New:
[spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]multiple issues

thx,

Christian Rebischke (Archlinux Security Team)
