Bug 18649

Summary: spice new security issues CVE-2016-0749 and CVE-2016-2150
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: jim, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/690141/
Whiteboard: has_procedure advisory MGA5-64-OK
Source RPM: spice-0.12.7-2.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-06-07 18:42:50 CEST 
RedHat has issued an advisory on June 6:
https://rhn.redhat.com/errata/RHSA-2016-1205.html

Mageia 5 is also affected.
David Walser 2016-06-07 18:43:02 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2016-07-06 20:06:46 CEST 
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerabilities:

A memory allocation flaw, leading to a heap-based buffer overflow, was found in
spice's smartcard interaction, which runs under the QEMU-KVM context on the
host. A user connecting to a guest VM using spice could potentially use this
flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges
of the host's QEMU-KVM process (CVE-2016-0749).

A memory access flaw was found in the way spice handled certain guests using
crafted primary surface parameters. A user in a guest could use this flaw to
read from and write to arbitrary memory locations on the host (CVE-2016-2150).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2150
https://rhn.redhat.com/errata/RHSA-2016-1205.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.5-2.3.mga5
libspice-server1-0.12.5-2.3.mga5
libspice-server-devel-0.12.5-2.3.mga5

from spice-0.12.5-2.3.mga5.src.rpm

Version: Cauldron => 5
Assignee: fundawang => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 2 claire robinson 2016-07-08 16:55:14 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=16919#c2

Whiteboard: (none) => has_procedure

Comment 3 James Kerr 2016-07-08 18:45:50 CEST 
Testing on mga5-64:

already installed:
qemu-2.4.1-5.mga5
qemu-img-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5
lib64virt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

installed from testing:
spice-client-0.12.5-2.3.mga5
lib64spice-server1-0.12.5-2.3.mga5

Used virt-manager to create a VM:
Selected Customise machine before install
Set QXL as Video Default model
Set Spice server as default server

Started installation of mga5-32 using boot.iso
While packages were installing closed the display
Executed:
$ spicec -h 127.0.0.1 -p 5900

Spice opened a display showing the packages installing in the VM

OK for mga5-64

CC: (none) => jim
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 4 claire robinson 2016-07-08 21:46:42 CEST 
Thanks Jim. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

claire robinson 2016-07-08 21:49:56 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK

Comment 5 Mageia Robot 2016-07-08 22:41:46 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0250.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED