spice: security update 0.12.6 (CVE-2015-5260, CVE-2015-5261)
CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the “surface_id” parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5260
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-5260
http://cgit.freedesktop.org/spice/spice/commit/?id=dd558bb833254fb49069eca052b92ae1abe3e8ff
http://lists.freedesktop.org/archives/spice-devel/2015-October/022169.html
CVE-2015-5261 spice: host memory access from guest using crafted images
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5261
http://seclists.org/oss-sec/2015/q4/40
http://cgit.freedesktop.org/spice/spice/commit/?id=ee1beff2ab0961066c71466a195430fb2473240d
(from redmine: issue id 4762, created on 2015-10-12, closed on 2015-10-14)
- Relations:
- relates #4670 (closed)
- child #4763 (closed)
- child #4764 (closed)
- child #4765 (closed)
- child #4766 (closed)
- child #4767 (closed)
- Changesets:
- Revision a8876452 by Natanael Copa on 2015-10-13T09:01:43Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4670
fixes #4672
ref #4762
fixes #4763
- Revision 31cb1271 by Natanael Copa on 2015-10-13T09:24:59Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4671
fixes #4671
ref #4762
fixes #4764
- Revision 1f85f43a by Natanael Copa on 2015-10-13T12:04:11Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4670
fixes #4674
ref #4762
fixes #4766
- Revision 73bbe97f by Natanael Copa on 2015-10-13T12:04:56Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4670
fixes #4673
ref #4762
fixes #4765
- Revision 7ed15a61 by Natanael Copa on 2015-10-13T13:37:31Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4670
fixes #4675
ref #4762
fixes #4767