spice security update

2017-08-2409:44:09

CentOS Project

lists.centos.org

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.003 Low

EPSS

Percentile

68.9%

JSON

CentOS Errata and Security Advisory CESA-2017:2471

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing ‘desktop’ environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

Security Fix(es):

A vulnerability was discovered in spice server’s protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses, leading to parts of server memory being leaked or a crash. (CVE-2017-7506)

This issue was discovered by Frediano Ziglio (Red Hat).

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030953.html

Affected packages:
spice-server
spice-server-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2471

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64spice-server< 0.12.8-2.el7.1spice-server-0.12.8-2.el7.1.x86_64.rpm
CentOS7x86_64spice-server-devel< 0.12.8-2.el7.1spice-server-devel-0.12.8-2.el7.1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	7	x86_64	spice-server	< 0.12.8-2.el7.1	spice-server-0.12.8-2.el7.1.x86_64.rpm
CentOS	7	x86_64	spice-server-devel	< 0.12.8-2.el7.1	spice-server-devel-0.12.8-2.el7.1.x86_64.rpm