Bug 944787 (CVE-2015-5260) - VUL-0: CVE-2015-5260: spice: Insufficient validation of surface_id parameter can cause crash
Summary: VUL-0: CVE-2015-5260: spice: Insufficient validation of surface_id parameter ...
Status: RESOLVED FIXED
Alias: CVE-2015-5260
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Cédric Bosdonnat
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/156378/
Whiteboard: CVSSv2:RedHat:CVE-2015-5260:5.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-08 07:17 UTC by Victor Pereira
Modified: 2016-06-13 11:07 UTC
3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2015-09-08 07:17:39 UTC
rh#1260822


surface_id is a field for many QXL commands (commands that a guest can freely craft and send). In particular, they are used to create and destroy new surfaces. This field is used as an index into a statically allocated array.
In different paths, the value passes without being stopped (in many cases it just gives some warnings, if enabled), so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying nearby data). This means that the problem can be used for heap corruption, which is usually exploitable.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1260822
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5260
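As an added example (not code from the spice project or from this report), the C sketch below shows the defensive pattern that closes the class of bug described above: every guest-supplied surface_id is range-checked against the size of the static table, and checked for "created" state where the command requires it, before any array indexing, and a failed check rejects the command instead of only logging a warning. NUM_SURFACES, the Surface struct, the status codes and the handler names are assumptions made for this example; the command sequence in main() is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a surface table indexed by a guest-supplied
 * surface_id.  NUM_SURFACES, Surface and the handler names below are
 * assumptions for this example, not spice's real definitions. */
#define NUM_SURFACES 4

typedef struct {
    bool     in_use;
    uint32_t width;
    uint32_t height;
} Surface;

/* Statically allocated, like the array the report describes. */
static Surface surfaces[NUM_SURFACES];

typedef enum {
    SURFACE_OK               = 0,
    SURFACE_ERR_OUT_OF_RANGE = 1,  /* surface_id >= NUM_SURFACES */
    SURFACE_ERR_NOT_CREATED  = 2,  /* slot exists but holds no surface */
    SURFACE_ERR_ALREADY_USED = 3   /* create on an occupied slot */
} SurfaceStatus;

/* Single choke point for every command that carries a surface_id.
 * The range check runs before any indexing, and a failure rejects the
 * command rather than merely emitting a warning. */
static SurfaceStatus check_surface_id(uint32_t surface_id, bool must_exist)
{
    if (surface_id >= NUM_SURFACES) {
        return SURFACE_ERR_OUT_OF_RANGE;
    }
    if (must_exist && !surfaces[surface_id].in_use) {
        return SURFACE_ERR_NOT_CREATED;
    }
    return SURFACE_OK;
}

SurfaceStatus handle_surface_create(uint32_t surface_id, uint32_t width, uint32_t height)
{
    SurfaceStatus st = check_surface_id(surface_id, false);
    if (st != SURFACE_OK) {
        return st;
    }
    if (surfaces[surface_id].in_use) {
        return SURFACE_ERR_ALREADY_USED;
    }
    surfaces[surface_id].in_use = true;
    surfaces[surface_id].width  = width;
    surfaces[surface_id].height = height;
    return SURFACE_OK;
}

SurfaceStatus handle_surface_destroy(uint32_t surface_id)
{
    SurfaceStatus st = check_surface_id(surface_id, true);
    if (st != SURFACE_OK) {
        return st;
    }
    surfaces[surface_id].in_use = false;
    surfaces[surface_id].width  = 0;
    surfaces[surface_id].height = 0;
    return SURFACE_OK;
}

/* Drawing commands also name a surface; they may only touch created ones. */
SurfaceStatus handle_draw_fill(uint32_t surface_id)
{
    return check_surface_id(surface_id, true);
}

int main(void)
{
    /* Constructed command sequence: one valid create, then ids that must
     * be rejected before they reach the array. */
    printf("create 1        -> %d\n", handle_surface_create(1, 640, 480));
    printf("create 4        -> %d\n", handle_surface_create(4, 640, 480));
    printf("draw 0xFFFFFFFF -> %d\n", handle_draw_fill(0xFFFFFFFFu));
    printf("destroy 2       -> %d\n", handle_surface_destroy(2));
    printf("destroy 1       -> %d\n", handle_surface_destroy(1));
    return 0;
}
```

The point of routing every handler through check_surface_id is that the report's weakness was not one missing check but many paths that each trusted the index; a single validation entry point is also the natural place to count rejected commands for detection.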
Comment 1 Swamp Workflow Management 2015-09-08 22:00:18 UTC
bugbot adjusting priority
Comment 4 Bernhard Wiedemann 2015-10-06 16:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (944787) was mentioned in
https://build.opensuse.org/request/show/336760 Leap:42.1 / spice
Comment 5 Bernhard Wiedemann 2015-10-07 12:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (944787) was mentioned in
https://build.opensuse.org/request/show/336979 Factory / spice
Comment 6 Swamp Workflow Management 2015-10-15 08:10:28 UTC
openSUSE-SU-2015:1750-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 848279,944460,944787,948976
CVE References: CVE-2013-4282,CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
openSUSE 13.2 (src):    spice-0.12.4-4.6.1
openSUSE 13.1 (src):    spice-0.12.4-2.3.1
Comment 9 Marcus Meissner 2016-05-07 08:23:07 UTC
released
Comment 10 Swamp Workflow Management 2016-05-07 11:08:11 UTC
SUSE-SU-2016:1259-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 944460,944787,948976
CVE References: CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    spice-0.12.4-5.1
SUSE Linux Enterprise Server 11-SP4 (src):    spice-0.12.4-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    spice-0.12.4-5.1
Comment 12 Swamp Workflow Management 2016-06-13 11:07:43 UTC
SUSE-SU-2016:1559-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 944787,948976,982385,982386
CVE References: CVE-2015-5260,CVE-2015-5261,CVE-2016-0749,CVE-2016-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    spice-0.12.5-4.1
SUSE Linux Enterprise Server 12-SP1 (src):    spice-0.12.5-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    spice-0.12.5-4.1