[3.2] spice: security update 0.12.6 (CVE-2015-5260, CVE-2015-5261)
CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the “surface_id” parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5260
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-5260
http://cgit.freedesktop.org/spice/spice/commit/?id=dd558bb833254fb49069eca052b92ae1abe3e8ff
http://lists.freedesktop.org/archives/spice-devel/2015-October/022169.html
CVE-2015-5261 spice: host memory access from guest using crafted images
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5261
http://seclists.org/oss-sec/2015/q4/40
http://cgit.freedesktop.org/spice/spice/commit/?id=ee1beff2ab0961066c71466a195430fb2473240d
(from redmine: issue id 4764, created on 2015-10-12, closed on 2015-10-14)
- Relations:
  - relates #4671 (closed)
  - parent #4762 (closed)
- Changesets:
  - Revision 31cb1271 by Natanael Copa on 2015-10-13T09:24:59Z:
    main/spice: security upgrade to 0.12.6
    CVE-2015-3247
    CVE-2015-5260
    CVE-2015-5261
    ref #4671
    fixes #4671
    ref #4762
    fixes #4764