spice: Off-by-one error in array access in spice/server/memslot.c (CVE-2019-3813) (#9939) · Issues · alpine / aports

spice: Off-by-one error in array access in spice/server/memslot.c (CVE-2019-3813)

spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read
due to an off-by-one error in memslot_get_virt. This may lead to a
denial-of-service, or, in the worst case, code-execution by unauthenticated
attackers.

Fixed In Version:

spice 0.14.2

References:

https://www.openwall.com/lists/oss-security/2019/01/28/2

(from redmine: issue id 9939, created on 2019-01-29, closed on 2019-02-14)

Relations:
- child #9940 (closed)
- child #9941 (closed)
- child #9942 (closed)
- child #9943 (closed)

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information