[3.3] spice: security update 0.12.6 (CVE-2015-5260, CVE-2015-5261)
CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the “surface_id” parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5260
https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-5260
http://cgit.freedesktop.org/spice/spice/commit/?id=dd558bb833254fb49069eca052b92ae1abe3e8ff
http://lists.freedesktop.org/archives/spice-devel/2015-October/022169.html
CVE-2015-5261 spice: host memory access from guest using crafted images
A heap-based buffer overflow flaw was found in the way SPICE handled certain guest QXL commands related to surface creation. A user in a guest could use this flaw to read and write arbitrary memory locations on the host.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5261
http://seclists.org/oss-sec/2015/q4/40
http://cgit.freedesktop.org/spice/spice/commit/?id=ee1beff2ab0961066c71466a195430fb2473240d
(from redmine: issue id 4763, created on 2015-10-12, closed on 2015-10-14)
- Relations:
- relates #4672 (closed)
- parent #4762 (closed)
- Changesets:
- Revision a8876452 by Natanael Copa on 2015-10-13T09:01:43Z:
main/spice: security upgrade to 0.12.6
CVE-2015-3247
CVE-2015-5260
CVE-2015-5261
ref #4670
fixes #4672
ref #4762
fixes #4763