Heap-based buffer overflow in SPICE before 0.12.6 allows guest OS users to read and write to arbitrary memory locations on the host via guest QXL commands related to surface creation.
lists.freedesktop.org/archives/spice-devel/2015-October/022191.html
rhn.redhat.com/errata/RHSA-2015-1889.html
rhn.redhat.com/errata/RHSA-2015-1890.html
www.debian.org/security/2015/dsa-3371
www.openwall.com/lists/oss-security/2015/10/06/4
www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
www.securitytracker.com/id/1033753
www.ubuntu.com/usn/USN-2766-1
bugzilla.redhat.com/show_bug.cgi?id=1261889
security.gentoo.org/glsa/201606-05