libspice.so is vulnerable to denial of service. The vulnerability is possible because the function memslot_get_virt lacks proper boundary checking for the slot_id array index in memslot.c, which is calculated using a QXLPHYSICAL address set by the guest QXL driver, thereby allowing an attacker to input malicious values through it to trigger the attack.
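
The class of check described above, as an added example (not code from SPICE or from this advisory): a guest-supplied 64-bit address is split into a slot id and an offset, and both are validated before the slot array is indexed. The bit layout, slot count, struct and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout, not SPICE's own: the top SLOT_BITS of the
 * guest-supplied address select a slot, the remaining bits are an offset. */
#define SLOT_BITS 8
#define NUM_SLOTS 4            /* slots actually allocated (constructed value) */

typedef struct {
    uint8_t *base;             /* host mapping of the slot, NULL if unused */
    uint64_t size;             /* number of bytes mapped */
} mem_slot;

static uint8_t backing[NUM_SLOTS][64];
static mem_slot slots[NUM_SLOTS] = {
    { backing[0], 64 }, { backing[1], 64 }, { NULL, 0 }, { backing[3], 64 },
};

static uint32_t addr_slot_id(uint64_t addr) { return (uint32_t)(addr >> (64 - SLOT_BITS)); }
static uint64_t addr_offset(uint64_t addr) { return addr & ((UINT64_C(1) << (64 - SLOT_BITS)) - 1); }

/* Translate a guest address to a host pointer, or return NULL if invalid. */
void *get_virt_checked(uint64_t addr, uint64_t len)
{
    uint32_t id = addr_slot_id(addr);
    /* The id is guest-controlled and can be any value up to 2^SLOT_BITS - 1.
     * id == NUM_SLOTS is already one element past the array, so use >=. */
    if (id >= NUM_SLOTS)
        return NULL;
    const mem_slot *s = &slots[id];
    if (s->base == NULL)       /* slot exists in the array but was never set up */
        return NULL;
    uint64_t off = addr_offset(addr);
    /* Overflow-safe form of "off + len <= size". */
    if (off > s->size || len > s->size - off)
        return NULL;
    return s->base + off;
}

int main(void)
{
    /* Constructed addresses: slot 1 offset 8 (valid), slot 4 (one past the end). */
    printf("%d %d\n", get_virt_checked((UINT64_C(1) << 56) | 8, 8) != NULL,
           get_virt_checked(UINT64_C(4) << 56, 1) != NULL);
    return 0;
}
```
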
www.securityfocus.com/bid/106801
access.redhat.com/errata/RHSA-2019:0231
access.redhat.com/errata/RHSA-2019:0232
access.redhat.com/errata/RHSA-2019:0457
bugzilla.redhat.com/show_bug.cgi?id=1665371
gitlab.freedesktop.org/spice/spice/commit/a4a16ac42d2f19a17e36556546aa94d5cd83745f
lists.debian.org/debian-lts-announce/2019/01/msg00026.html
security.gentoo.org/glsa/202007-30
usn.ubuntu.com/3870-1/
www.debian.org/security/2019/dsa-4375