RedHatRHSA-2016:1205(RHSA-2016:1205) Important: spice security update
0.037 Low
EPSS
Percentile
91.7%
The Simple Protocol for Independent Computing Environments (SPICE) is a remote display system built for virtual environments which allows the user to view a computing ‘desktop’ environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
Security Fix(es):
-
A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice’s smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host’s QEMU-KVM process. (CVE-2016-0749)
-
A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host. (CVE-2016-2150)
The CVE-2016-0749 issue was discovered by Jing Zhao (Red Hat) and the CVE-2016-2150 issue was discovered by Frediano Ziglio (Red Hat).
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| RedHat | 7 | x86_64 | spice-debuginfo | < 0.12.4-15.el7_2.1 | spice-debuginfo-0.12.4-15.el7_2.1.x86_64.rpm |
| RedHat | 7 | x86_64 | spice-server | < 0.12.4-15.el7_2.1 | spice-server-0.12.4-15.el7_2.1.x86_64.rpm |
| RedHat | 7 | src | spice | < 0.12.4-15.el7_2.1 | spice-0.12.4-15.el7_2.1.src.rpm |
| RedHat | 7 | x86_64 | spice-server-devel | < 0.12.4-15.el7_2.1 | spice-server-devel-0.12.4-15.el7_2.1.x86_64.rpm |
Related
