Bug 16919

Summary: spice new security issues CVE-2015-5260 and CVE-2015-5261
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/659759/
Whiteboard: has_procedure mga5-64-ok advisory
Source RPM: spice-0.12.5-2.1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2015-10-07 18:24:09 CEST
Ubuntu issued an advisory on October 6:
http://www.ubuntu.com/usn/usn-2766-1/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerabilities:

Frediano Ziglio discovered multiple buffer overflows, undefined behavior
signed integer operations, race conditions, memory leaks, and denial
of service issues in Spice. A malicious guest operating system could
potentially exploit these issues to escape virtualization (CVE-2015-5260,
CVE-2015-5261).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5261
http://www.ubuntu.com/usn/usn-2766-1/
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.5-2.2.mga5
libspice-server1-0.12.5-2.2.mga5
libspice-server-devel-0.12.5-2.2.mga5

from spice-0.12.5-2.2.mga5.src.rpm

Comment 1 David Walser 2015-10-07 18:24:25 CEST
Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=10987

Whiteboard: (none) => has_procedure

Dave Hodgins 2015-10-09 00:14:08 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 2 claire robinson 2015-10-09 15:15:50 CEST
Testing complete on mga5 64-bit, connecting to a VM set up to use spice in virt-manager.

HowTo:

To use virt-manager, first install it along with qemu and libvirt-utils, then start the libvirtd service. When you start virt-manager (under System Tools in the menu) it asks for the root password and should show a local qemu to connect to.

Create a new VM; it's mostly like VBox. On the last step tick the box to customise the machine before install.

On the Video Default tab select QXL as the Model and apply it. In the Display Default tab select Spice Server as the Default Server and apply it again. You can then click Begin Installation.

When the machine starts you should be able to close the display and then test spice with:

$ spicec -h 127.0.0.1 -p 5900

It should display the VM.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure mga5-64-ok advisory
CC: (none) => sysadmin-bugs
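The procedure above shows that spice still works after the update; it does not show that the running qemu is actually using the fixed library. An updated libspice-server1 on disk is only picked up by VMs started after the update, and a qemu that was already running keeps the old, vulnerable copy mapped until it is restarted. The script below is an added example and not part of the bug report or of Mageia's QA tooling: it compares an installed EVR against the fixed one from this bug (0.12.5-2.2.mga5) with an rpmvercmp-style segment comparison (epoch and tilde handling omitted), and scans /proc/PID/maps lines for a libspice-server mapping marked "(deleted)", which is what a process still holding the pre-update file looks like. The maps lines in SAMPLE_MAPS and CLEAN_MAPS are constructed for the example; the package name and EVRs are from the bug.

```shell
#!/bin/sh
# Added example: is the spice fix from this bug actually in effect on this host?
# Not part of the bug report or of Mageia's tooling.

FIXED_EVR="0.12.5-2.2.mga5"   # from the bug: libspice-server1-0.12.5-2.2.mga5

# vercmp A B: print 1 if A is newer than B, -1 if older, 0 if equal.
# Splits each EVR into numeric and alphabetic runs like rpmvercmp does;
# numeric beats alphabetic, numeric runs compare as numbers. Epoch and
# the '~' pre-release marker are not handled (this bug needs neither).
vercmp() {
    awk -v A="$1" -v B="$2" '
    function tok(s, arr,   n, i, c, cur, kind, k) {
        n = 0; cur = ""; kind = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c ~ /[0-9]/) k = "n"; else if (c ~ /[A-Za-z]/) k = "a"; else k = ""
            if (k == "" || k != kind) { if (cur != "") arr[++n] = cur; cur = ""; kind = k }
            if (k != "") cur = cur c
        }
        if (cur != "") arr[++n] = cur
        return n
    }
    BEGIN {
        split("", a); split("", b)
        na = tok(A, a); nb = tok(B, b)
        n = (na < nb) ? na : nb
        r = 0
        for (i = 1; i <= n && r == 0; i++) {
            an = (a[i] ~ /^[0-9]+$/); bn = (b[i] ~ /^[0-9]+$/)
            if (an && !bn) r = 1
            else if (!an && bn) r = -1
            else if (an) { x = a[i] + 0; y = b[i] + 0; if (x != y) r = (x > y) ? 1 : -1 }
            else if (a[i] != b[i]) r = (a[i] > b[i]) ? 1 : -1
        }
        if (r == 0 && na != nb) r = (na > nb) ? 1 : -1
        print r
    }'
}

# spice_is_fixed INSTALLED_EVR: succeed when the installed EVR is at least the fixed one.
# Live use: spice_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' libspice-server1)"
spice_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_EVR")" -ge 0 ]
}

# stale_spice_mappings MAPS_TEXT: print each distinct libspice-server path that a
# process maps from a file marked "(deleted)", i.e. a copy replaced on disk by the update.
stale_spice_mappings() {
    printf '%s\n' "$1" | awk '/libspice-server\.so/ && /\(deleted\)$/ { print $6 }' | sort -u
}

# live_stale_check: walk every readable /proc/PID/maps on this host (run as root to
# see qemu processes owned by other users) and report VMs still on the old library.
live_stale_check() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        out=$(stale_spice_mappings "$(cat "$m" 2>/dev/null)")
        [ -n "$out" ] && printf 'pid %s still maps old %s (restart this VM)\n' "$pid" "$out"
    done
    return 0
}

# Constructed sample maps lines (not captured from a real host): a qemu that was
# running across the update, and one started afterwards.
SAMPLE_MAPS='7f3c5e000000-7f3c5e1a0000 r-xp 00000000 08:01 1234567 /usr/lib64/libspice-server.so.1.8.0 (deleted)
7f3c5e1a0000-7f3c5e3a0000 ---p 001a0000 08:01 1234567 /usr/lib64/libspice-server.so.1.8.0 (deleted)
7f3c5f000000-7f3c5f100000 r-xp 00000000 08:01 2222222 /usr/lib64/libc-2.20.so'
CLEAN_MAPS='7f3c5e000000-7f3c5e1a0000 r-xp 00000000 08:01 1234568 /usr/lib64/libspice-server.so.1.8.0
7f3c5f000000-7f3c5f100000 r-xp 00000000 08:01 2222222 /usr/lib64/libc-2.20.so'
```

Run `spice_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' libspice-server1)"` and then `live_stale_check` after `urpmi --auto-update`; a VM reported by the second check still exposes the pre-update code to its guest and must be shut down and started again (a libvirt reboot from inside the guest is not enough, since the qemu process survives it).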

Comment 3 Mageia Robot 2015-10-09 20:49:00 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0394.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED