Bug 16700

Summary: spice new security issue CVE-2015-3247
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, sysadmin-bugs, yann.cantin
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/656656/
Whiteboard: MGA4TOO has_procedure advisory MGA5-64-OK mga4-32-ok
Source RPM: spice-0.12.5-2.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-09-04 16:33:39 CEST
RedHat has issued an advisory on September 3:
https://rhn.redhat.com/errata/RHSA-2015-1714.html

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerability:

A race condition flaw, leading to a heap-based memory corruption, was found
in spice's worker_update_monitors_config() function, which runs under the
QEMU-KVM context on the host. A user in a guest could leverage this flaw to
crash the host QEMU-KVM process or, possibly, execute arbitrary code with
the privileges of the host QEMU-KVM process (CVE-2015-3247).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3247
https://rhn.redhat.com/errata/RHSA-2015-1714.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.4-4.1.mga4
libspice-server1-0.12.4-4.1.mga4
libspice-server-devel-0.12.4-4.1.mga4
spice-client-0.12.5-2.1.mga5
libspice-server1-0.12.5-2.1.mga5
libspice-server-devel-0.12.5-2.1.mga5

from SRPMS:
spice-0.12.4-4.1.mga4.src.rpm
spice-0.12.5-2.1.mga5.src.rpm

Comment 1 David Walser 2015-09-04 16:34:45 CEST
Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=10987

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 Yann Cantin 2015-09-04 18:41:50 CEST
host  : mga5 x86_64
guest : cauldron x86_64 (virt-manager)

Installed packages on host :
 spice-client-0.12.5-2.1.mga5
 lib64spice-server1-0.12.5-2.1.mga5

On the host : spicec -h 127.0.0.1 -p 5900
- guest console display OK
- start prefdm on guest, X display OK

Update OK.

CC: (none) => yann.cantin
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure MGA5-64-OK

Comment 3 Yann Cantin 2015-09-11 22:28:22 CEST
Re-test after qemu update (https://bugs.mageia.org/show_bug.cgi?id=16604) : OK.

Comment 4 Dave Hodgins 2015-09-15 01:10:20 CEST
After installing spice client ...

urpmi virt-manager
The following packages can't be installed because they depend on packages
that are older than the installed ones:
lib64spice-client-glib-gir2.0-0.21-2.mga4
virt-manager-0.10.0-12.git1ffcc0cc.1.mga4

Are there more updates needed?

CC: (none) => davidwhodgins
Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK feedback

Comment 5 David Walser 2015-09-15 02:59:00 CEST
While virt-manager can be used to test this, those two packages you listed aren't involved in this update or affected by it.  You must have something wrong on your system.

Whiteboard: MGA4TOO has_procedure MGA5-64-OK feedback => MGA4TOO has_procedure MGA5-64-OK

Comment 6 claire robinson 2015-09-15 14:23:22 CEST
Testing complete mga4 32

In Vbox, very slow but works.

Tested qemu at the same time, using virt-manager. Set Video to QXL and Display to Spice. Created a new machine with hdd and began installing a boot.iso.

Whiteboard: MGA4TOO has_procedure MGA5-64-OK => MGA4TOO has_procedure MGA5-64-OK mga4-32-ok

Comment 7 claire robinson 2015-09-15 15:03:02 CEST
Validating. Advisory uploaded.

Please push to 4 & 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure MGA5-64-OK mga4-32-ok => MGA4TOO has_procedure advisory MGA5-64-OK mga4-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-09-15 16:56:20 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0373.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED