Bug 10987 - spice new security issue CVE-2013-4130
Summary: spice new security issue CVE-2013-4130
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/563138/
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-08-12 20:05 CEST by David Walser
Modified: 2013-08-22 20:10 CEST

See Also:
Source RPM: spice-0.12.2-5.mga3.src.rpm
CVE:
Status comment:



Description David Walser 2013-08-12 20:05:23 CEST
Fedora has issued an advisory on August 2:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113748.html

The Red Hat bug contains a link to the upstream fix:
https://bugzilla.redhat.com/show_bug.cgi?id=984769

It's not clear which versions are affected, but this package exists in Mageia 2 and Mageia 3 as well.

Reproducible: 

Steps to Reproduce:
David Walser 2013-08-12 20:05:39 CEST

CC: (none) => cjw, olav
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 1 David Walser 2013-08-14 17:21:01 CEST
This was fixed upstream in 0.12.4.

Funda fixed this in Cauldron in spice-0.12.4-1.mga4.

CC: (none) => fundawang
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 2 David Walser 2013-08-14 17:24:55 CEST
Christiaan, was this OK when Funda removed your patch?
http://svnweb.mageia.org/packages/cauldron/spice/current/SPECS/spice.spec?r1=456769&r2=456776

It says that the patch was for more than fixing automake; it also made it use the spice-protocol package instead of a bundled copy...

Comment 3 David Walser 2013-08-14 17:38:30 CEST
It definitely looks like Mageia 2 is also affected.

The first hunk of the patch applies:
http://cgit.freedesktop.org/spice/spice/patch/?id=53488f0275d6c8a121af49f7ac817d09ce68090d

Because of code changes, the second doesn't apply, but I imagine that change is supposed to still go somewhere (there are functions using RING_FOREACH); it just isn't immediately clear where.

Comment 4 David Walser 2013-08-14 17:42:15 CEST
Alpine Linux believed they fixed this in spice 0.10.0 by just applying the first hunk:
http://git.alpinelinux.org/cgit/aports/commit/?id=0840b37ba1b61fc6068907d72ce76359dface9e4

As found here:
http://bugs.alpinelinux.org/issues/2162

which itself was found here:
http://bugs.alpinelinux.org/issues/2159

Comment 5 David Walser 2013-08-14 17:59:56 CEST
I'm using Alpine's patch for Mageia 2, hopefully that's sufficient.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated spice packages fix security vulnerability:

A user able to initiate a spice connection to the guest could use a flaw in
server/red_channel.c to crash the guest (CVE-2013-4130).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4130
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113748.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.10.1-1.1.mga2
libspice-server1-0.10.1-1.1.mga2
libspice-server-devel-0.10.1-1.1.mga2
spice-client-0.12.2-5.1.mga3
libspice-server1-0.12.2-5.1.mga3
libspice-server-devel-0.12.2-5.1.mga3

from SRPMS:
spice-0.10.1-1.1.mga2.src.rpm
spice-0.12.2-5.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 6 claire robinson 2013-08-15 18:20:43 CEST
Should be able to test this with virt-manager

http://www.linux-kvm.org/page/SPICE

Comment 7 claire robinson 2013-08-16 15:02:22 CEST
Set up virt-manager as in the link above, then once started used:

$ spicec -h 127.0.0.1 -p 5900

to connect to it and display the running machine. It cuts off after a second or two, I think probably due to virt-manager's own internal spice client competing for the connection.

Does virt-manager need to be updated too for this CVE?

Comment 8 claire robinson 2013-08-16 16:28:55 CEST
Oops forgot mga3 64 testing complete

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok

Comment 9 David Walser 2013-08-16 17:05:32 CEST
Does virt-manager work with the release version and not the update? I really don't know anything about this stuff.

Comment 10 claire robinson 2013-08-16 17:24:01 CEST
Looks like it uses python-spice-client-gtk so might not be necessary

# urpmq --requires virt-manager

Comment 11 claire robinson 2013-08-17 14:16:14 CEST
Testing complete mga3 32

Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok

Comment 12 claire robinson 2013-08-19 09:10:28 CEST
Testing complete mga2 64

Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok

Comment 13 David GEIGER 2013-08-20 12:11:53 CEST
Testing complete mga2_32, ok for me nothing to report.

CC: (none) => geiger.david68210
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok mga2-32-ok

Comment 14 claire robinson 2013-08-20 12:28:10 CEST
Thanks David. I've been having trouble getting virt-manager to work with spice on mga2 32 in my lxde vbox install.

Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 Thomas Backlund 2013-08-22 20:10:29 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0255.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

