Bugzilla – Bug 948976
VUL-0: CVE-2015-5261 spice: host memory access from guest using crafted images
Last modified: 2016-06-13 11:07:58 UTC
It is possible for a guest issuing QXL commands to the host to read and write host memory in a range of about 16-20 GB.

The guest can create a very large surface (say 1000000 x 1000000). If width * height overflows 32 bits and becomes a small number, the host will accept the command and create the surface. The guest can now copy areas of surfaces to access any area of memory covered by the image. Considering overflows, the pixman implementation and image formats (32 bit, top-down or down-top), the range (the guest passes an offset into video memory for the start) is about +/- 8 GB.

References:
  https://bugzilla.redhat.com/show_bug.cgi?id=1261889
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5261
  http://seclists.org/oss-sec/2015/q4/40
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5261

No public patch available atm.
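Added example (not part of the bug report and not code from spice): the width * height wrap described above, shown as an unchecked 32-bit size computation beside a checked 64-bit one. The struct, the function names, the 64 MiB video memory size and the sample dimensions are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical surface-create request as received from an untrusted guest. */
struct surface_req {
    uint32_t width, height;
    uint32_t bytes_per_pixel;   /* 4 for a 32-bit format */
};

/* Unchecked: the product wraps modulo 2^32, so an enormous surface can
 * produce a small byte count that passes a "fits in video memory" test. */
static uint32_t surface_size_unchecked(const struct surface_req *r)
{
    return r->width * r->height * r->bytes_per_pixel;
}

/* Checked: widen to 64 bits, guard the second multiplication by division,
 * then compare with the memory actually backing the surface. */
static bool surface_size_checked(const struct surface_req *r,
                                 uint64_t vram_bytes, uint64_t *size_out)
{
    if (r->width == 0 || r->height == 0 || r->bytes_per_pixel == 0)
        return false;
    /* Two 32-bit factors cannot overflow a 64-bit product. */
    uint64_t stride = (uint64_t)r->width * r->bytes_per_pixel;
    if (stride > UINT64_MAX / r->height)
        return false;
    uint64_t size = stride * r->height;
    if (size > vram_bytes)
        return false;
    *size_out = size;
    return true;
}

int main(void)
{
    /* Constructed sample: 65536 * 65537 = 2^32 + 65536, which wraps to 65536. */
    struct surface_req r = { 65536u, 65537u, 4u };
    uint64_t vram = 64u * 1024 * 1024, size = 0;   /* assumed 64 MiB */

    printf("unchecked size: %u bytes\n", (unsigned)surface_size_unchecked(&r));
    printf("checked: %s\n",
           surface_size_checked(&r, vram, &size) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed dimensions the unchecked computation reports 262144 bytes for a surface that really spans about 16 GiB, while the checked version rejects the request.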
Patches are public at http://lists.freedesktop.org/archives/spice-devel/2015-October/022168.html
This is an autogenerated message for OBS integration: This bug (948976) was mentioned in https://build.opensuse.org/request/show/336760 Leap:42.1 / spice
This is an autogenerated message for OBS integration: This bug (948976) was mentioned in https://build.opensuse.org/request/show/336979 Factory / spice
SUSE-SU-2015:1733-1: An update that fixes three vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 944460,948976
  CVE References: CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
  Sources used:
    SUSE Linux Enterprise Software Development Kit 12 (src): spice-0.12.4-8.5.1
    SUSE Linux Enterprise Server 12 (src): spice-0.12.4-8.5.1
    SUSE Linux Enterprise Desktop 12 (src): spice-0.12.4-8.5.1
openSUSE-SU-2015:1750-1: An update that fixes four vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 848279,944460,944787,948976
  CVE References: CVE-2013-4282,CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
  Sources used:
    openSUSE 13.2 (src): spice-0.12.4-4.6.1
    openSUSE 13.1 (src): spice-0.12.4-2.3.1
Can you also submit for sle11 sp4 spice?
released
SUSE-SU-2016:1259-1: An update that fixes three vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 944460,944787,948976
  CVE References: CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
  Sources used:
    SUSE Linux Enterprise Software Development Kit 11-SP4 (src): spice-0.12.4-5.1
    SUSE Linux Enterprise Server 11-SP4 (src): spice-0.12.4-5.1
    SUSE Linux Enterprise Debuginfo 11-SP4 (src): spice-0.12.4-5.1
SUSE-SU-2016:1559-1: An update that fixes four vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 944787,948976,982385,982386
  CVE References: CVE-2015-5260,CVE-2015-5261,CVE-2016-0749,CVE-2016-2150
  Sources used:
    SUSE Linux Enterprise Software Development Kit 12-SP1 (src): spice-0.12.5-4.1
    SUSE Linux Enterprise Server 12-SP1 (src): spice-0.12.5-4.1
    SUSE Linux Enterprise Desktop 12-SP1 (src): spice-0.12.5-4.1