SecurityTracker.com
Category:   Application (Generic)  >   Spice
Vendors:   Red Hat
(CentOS Issues Fix) Spice Race Condition and Buffer Overflows Let Local Guest System Users Crash the Host or Execute Arbitrary Code on the Host System
SecurityTracker Alert ID:  1033790
SecurityTracker URL:  http://securitytracker.com/id/1033790
CVE Reference:   CVE-2015-5260, CVE-2015-5261
Date:  Oct 13 2015
Impact:   Denial of service via network, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.12.6
Description:   Three vulnerabilities were reported in Spice. A local user on the guest system can cause denial of service conditions on the host system. A local user on the guest system can gain elevated privileges on the host system.

A local user on the guest system can supply specially crafted QXL command 'surface_id' parameter values to trigger a heap overflow and cause the target QEMU-KVM process on the host system to crash [CVE-2015-5260].

A local user on the guest system can supply specially crafted QXL commands to trigger a heap overflow and read or write arbitrary memory locations on the target host system [CVE-2015-5261]. This can be exploited to gain elevated privileges on the host system.

A local user on the guest system can trigger a race condition in the worker_update_monitors_config() function to cause the target QEMU-KVM process on the host system to crash [CVE-2015-3247].

Frediano Ziglio of Red Hat reported these vulnerabilities.

Impact:   A local user on the guest system can cause denial of service conditions on the host system.

A local user on the guest system can gain elevated privileges on the host system.

Solution:   CentOS has issued a fix for CVE-2015-5260 and CVE-2015-5261.

x86_64:
2438f62fb457d22d95b6ca40e68743fc1765e9e34c1966eb30aa605f34e468a2 spice-server-0.12.4-9.el7_1.3.x86_64.rpm
37030fca2cc111cd73bf4ae8c233d30f75db887e8103eb8b91428b0777c61f50 spice-server-devel-0.12.4-9.el7_1.3.x86_64.rpm

Source:
10eefd09b96d5184be8b9c3addfcabbf37382b9dfc587260c2ebdf09913872ba spice-0.12.4-9.el7_1.3.src.rpm

x86_64:
48643f342673588b60585bde6ee2f6267c7efb4aca58f5d22d8dafcfee2dc77f spice-server-0.12.4-12.el6_7.3.x86_64.rpm
be05fbaa5cab61394106aafe500f342fc0ec2164807c8e46d9f59d31520738a3 spice-server-devel-0.12.4-12.el6_7.3.x86_64.rpm

Source:
085674b2a16790d3debe759958f2a430ff3aaa18b01088c5bc1e7b29b56d9b26 spice-server-0.12.4-12.el6_7.3.src.rpm

Cause:   Access control error, Boundary error, State error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Oct 7 2015 Spice Race Condition and Buffer Overflows Let Local Guest System Users Crash the Host or Execute Arbitrary Code on the Host System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2015:1890 Important CentOS 7 spice Security Update


CentOS Errata and Security Advisory 2015:1890 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2015-1890.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 

x86_64:
2438f62fb457d22d95b6ca40e68743fc1765e9e34c1966eb30aa605f34e468a2  spice-server-0.12.4-9.el7_1.3.x86_64.rpm
37030fca2cc111cd73bf4ae8c233d30f75db887e8103eb8b91428b0777c61f50  spice-server-devel-0.12.4-9.el7_1.3.x86_64.rpm

Source:
10eefd09b96d5184be8b9c3addfcabbf37382b9dfc587260c2ebdf09913872ba  spice-0.12.4-9.el7_1.3.src.rpm



-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net

_______________________________________________
CentOS-announce mailing list
CentOS-announce@centos.org
https://lists.centos.org/mailman/listinfo/centos-announce
 
 

