Bug 10987 - spice new security issue CVE-2013-4130
Summary: spice new security issue CVE-2013-4130
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563138/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Reported: 2013-08-12 20:05 CEST by David Walser
Modified: 2013-08-22 20:10 CEST
6 users

See Also:
Source RPM: spice-0.12.2-5.mga3.src.rpm
Status comment:


Description David Walser 2013-08-12 20:05:23 CEST
Fedora has issued an advisory on August 2:

The RedHat bug contains a link to the upstream fix:

It's not clear which versions are affected, but this package exists in Mageia 2 and Mageia 3 as well.


Steps to Reproduce:
David Walser 2013-08-12 20:05:39 CEST

CC: (none) => cjw, olav
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-08-14 17:21:01 CEST
This was fixed upstream in 0.12.4.

Funda fixed this in Cauldron in spice-0.12.4-1.mga4.

CC: (none) => fundawang
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 David Walser 2013-08-14 17:24:55 CEST
Christiaan, was this OK when Funda removed your patch?

It says that the patch was for more than fixing automake, it also made it use the spice-protocol package instead of a bundled copy...

Comment 3 David Walser 2013-08-14 17:38:30 CEST
It definitely looks like Mageia 2 is also affected.

The first hunk of the patch applies:

Because of code changes, the second doesn't apply, but I imagine that change is supposed to still go somewhere (there are functions using RING_FOREACH), it just isn't immediately clear where.

Comment 4 David Walser 2013-08-14 17:42:15 CEST
Alpine Linux believed they fixed this in spice 0.10.0 by just applying the first hunk:

As found here:

which itself was found here:

Comment 5 David Walser 2013-08-14 17:59:56 CEST
I'm using Alpine's patch for Mageia 2, hopefully that's sufficient.

Patched packages uploaded for Mageia 2 and Mageia 3.


Updated spice packages fix security vulnerability:

A user able to initiate a spice connection to the guest could use a flaw in
server/red_channel.c to crash the guest (CVE-2013-4130).


Updated packages in core/updates_testing:

from SRPMS:

Assignee: bugsquad => qa-bugs

Comment 6 claire robinson 2013-08-15 18:20:43 CEST
Should be able to test this with virt-manager

Comment 7 claire robinson 2013-08-16 15:02:22 CEST
Set up virt-manager as in the link above then once started used..

$ spicec -h -p 5900

to connect to it and display the running machine. It cuts off after a second or two, I think probably due to virt-manager's own internal spice client competing for the connection.

Does virt-manager need to be updated too for this CVE?

Comment 8 claire robinson 2013-08-16 16:28:55 CEST
Oops forgot mga3 64 testing complete

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 9 David Walser 2013-08-16 17:05:32 CEST
Does virt-manager work with the release version and not the update?  I really don't know anything about this stuff.

Comment 10 claire robinson 2013-08-16 17:24:01 CEST
Looks like it uses python-spice-client-gtk so might not be necessary

# urpmq --requires virt-manager

Comment 11 claire robinson 2013-08-17 14:16:14 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 12 claire robinson 2013-08-19 09:10:28 CEST
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok

Comment 13 David GEIGER 2013-08-20 12:11:53 CEST
Testing complete mga2_32, ok for me nothing to report.

CC: (none) => geiger.david68210
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok mga2-32-ok

Comment 14 claire robinson 2013-08-20 12:28:10 CEST
Thanks David. I've been having trouble getting virt-manager to work with spice on mga2 32 in my lxde vbox install.

Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates


Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2013-08-22 20:10:29 CEST
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED
