Bugzilla – Bug 982385
VUL-0: CVE-2016-0749: spice: heap overflow
Last modified: 2020-06-08 19:12:41 UTC
via redhat email

CRD: 2016-06-06
From: Stefan Cornelius <scorneli@redhat.com>
Subject: [security@suse.de] CVE-2016-2150 and CVE-2016-0749

There are two issues in spice. There's a small description below; I've attached our patches to this mail (from our RHEL7, not sure how well they apply to the newest upstream or older versions). Both of them are still embargoed, there's no coordinated release date set yet. Will anyone need >2 weeks?

I can share reproducers/instructions upon request. However, I remember that at least CVE-2016-0749 was rather painful to reproduce and I forgot the exact steps that I took already, so I probably won't be able to help you very much there.

CVE-2016-0749:
==============
A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM via spice could possibly exploit this flaw to crash the QEMU-KVM process, or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.

Discovered by: Jing Zhao, Red Hat

Patches:
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
0066-smartcard-allocate-msg-with-the-expected-size.patch
Created attachment 678943: 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
Created attachment 678944: 0066-smartcard-allocate-msg-with-the-expected-size.patch
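The name of the second attached patch, 0066-smartcard-allocate-msg-with-the-expected-size.patch, names the fix class for this bug: the message object has to be allocated from the size that the subsequent copy will actually use. The C below is an added illustration of that defensive pattern, written for this page; it is not spice's code and not the contents of the patch. The header layout, the field names, MAX_PAYLOAD and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire header for a smartcard message.  This is a constructed
 * layout for illustration only; it is NOT spice's real header and the field
 * names are assumptions. */
typedef struct {
    uint32_t type;      /* message kind */
    uint32_t reader_id; /* which virtual reader the message belongs to */
    uint32_t length;    /* payload byte count declared by the remote side */
} msg_header_t;

/* Heap object: the header followed by the payload bytes. */
typedef struct {
    msg_header_t hdr;
    uint8_t data[];
} msg_t;

/* Static upper bound for a payload; remote-supplied lengths are checked against it. */
#define MAX_PAYLOAD 4096u

/*
 * Allocate a message sized from the declared length, after bounding it.
 *
 * The flaw class in the bug report is an allocation that is smaller than the
 * number of bytes later copied into it.  Here the malloc size and the memcpy
 * length derive from the same validated value, so the copy cannot run past
 * the end of the heap object.
 *
 * 'avail' is how many payload bytes were actually received; a declared length
 * larger than that is rejected rather than reading past the input buffer.
 */
msg_t *msg_alloc_checked(const msg_header_t *hdr, const uint8_t *payload, size_t avail)
{
    if (hdr == NULL || payload == NULL)
        return NULL;
    if (hdr->length > MAX_PAYLOAD || hdr->length > avail)
        return NULL;
    /* length <= MAX_PAYLOAD, so the addition below cannot wrap. */
    msg_t *m = malloc(offsetof(msg_t, data) + hdr->length);
    if (m == NULL)
        return NULL;
    m->hdr = *hdr;
    memcpy(m->data, payload, hdr->length);
    return m;
}

/* Self-check helper over constructed input: returns -1 if the message was
 * rejected, the first payload byte if accepted, or 0 for an empty payload. */
int msg_try(uint32_t declared_len, size_t avail)
{
    uint8_t payload[MAX_PAYLOAD];             /* constructed sample payload */
    memset(payload, 0xAB, sizeof payload);
    msg_header_t hdr = { .type = 1, .reader_id = 0, .length = declared_len };

    msg_t *m = msg_alloc_checked(&hdr, payload, avail);
    if (m == NULL)
        return -1;
    int first = (declared_len > 0) ? m->data[0] : 0;
    free(m);
    return first;
}

int main(void)
{
    printf("declared 16,   16 available: %s\n", msg_try(16, 16) >= 0 ? "accepted" : "rejected");
    printf("declared 8000, 16 available: %s\n", msg_try(8000, 16) >= 0 ? "accepted" : "rejected");
    printf("declared 64,   16 available: %s\n", msg_try(64, 16) >= 0 ? "accepted" : "rejected");
    return 0;
}
```

When reviewing a report of this kind, the check worth making is that the allocation size and the copy size come from the same validated quantity; a fixed-size allocation paired with a remote-controlled copy length, or two different length fields, is the shape that produces a heap overflow.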
bugbot adjusting priority
is public now.
SUSE-SU-2016:1559-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 944787,948976,982385,982386
CVE References: CVE-2015-5260,CVE-2015-5261,CVE-2016-0749,CVE-2016-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): spice-0.12.5-4.1
SUSE Linux Enterprise Server 12-SP1 (src): spice-0.12.5-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src): spice-0.12.5-4.1
SUSE-SU-2016:1561-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): spice-0.12.4-8.9.1
SUSE Linux Enterprise Server 12 (src): spice-0.12.4-8.9.1
SUSE Linux Enterprise Desktop 12 (src): spice-0.12.4-8.9.1
This is an autogenerated message for OBS integration: This bug (982385) was mentioned in https://build.opensuse.org/request/show/401753 42.1 / spice
This is an autogenerated message for OBS integration: This bug (982385) was mentioned in https://build.opensuse.org/request/show/401858 13.2 / spice
openSUSE-SU-2016:1725-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
openSUSE 13.2 (src): spice-0.12.4-4.12.1
openSUSE-SU-2016:1726-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
openSUSE Leap 42.1 (src): spice-0.12.5-8.1
close
This is an autogenerated message for OBS integration: This bug (982385) was mentioned in https://build.opensuse.org/request/show/454133 Factory / spice