FS#46738 - [spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]multiple issues
Attached to Project:
Arch Linux
Opened by Christian Rebischke (Shibumi) - Thursday, 15 October 2015, 16:05 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 19 October 2015, 13:13 GMT
Details
Description
===========

- CVE-2015-3247 (race condition flaw)

A race condition flaw, leading to a heap-based memory corruption, was found in spice's worker_update_monitors_config() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. [1][5]

- CVE-2015-5260 (heap-based buffer overflow)

A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process. [2][4]

- CVE-2015-5261 (heap-based buffer overflow)

A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host. [3][4]

Resolution
==========

Upgrade to spice 0.12.6.

References
==========

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1233238
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1260822
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1261889
[4] http://lists.freedesktop.org/archives/spice-devel/2015-October/022168.html
[5] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797976;msg=21
Closed by Doug Newgard (Scimmia)
Monday, 19 October 2015, 13:13 GMT
Reason for closing: Fixed
Additional comments about closing: spice 0.12.6-1
Old:
[spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]heap-based buffer overflows
New:
[spice][CVE-2015-3247][CVE-2015-5260][CVE-2015-5261]multiple issues
thx,
Christian Rebischke (Archlinux Security Team)