Fedora has issued an advisory on August 2:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113748.html

The RedHat bug contains a link to the upstream fix:
https://bugzilla.redhat.com/show_bug.cgi?id=984769

It's not clear which versions are affected, but this package exists in Mageia 2 and Mageia 3 as well.

CC: (none) => cjw, olav
Whiteboard: (none) => MGA3TOO, MGA2TOO
This was fixed upstream in 0.12.4. Funda fixed this in Cauldron in spice-0.12.4-1.mga4.
CC: (none) => fundawang
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Christiaan, was this OK when Funda removed your patch? http://svnweb.mageia.org/packages/cauldron/spice/current/SPECS/spice.spec?r1=456769&r2=456776 It says that the patch was for more than fixing automake, it also made it use the spice-protocol package instead of a bundled copy...
It definitely looks like Mageia 2 is also affected. The first hunk of the patch applies: http://cgit.freedesktop.org/spice/spice/patch/?id=53488f0275d6c8a121af49f7ac817d09ce68090d Because of code changes, the second doesn't apply, but I imagine that change is supposed to still go somewhere (there are functions using RING_FOREACH), it just isn't immediately clear where.
Alpine Linux believed they fixed this in spice 0.10.0 by just applying the first hunk: http://git.alpinelinux.org/cgit/aports/commit/?id=0840b37ba1b61fc6068907d72ce76359dface9e4 As found here: http://bugs.alpinelinux.org/issues/2162 which itself was found here: http://bugs.alpinelinux.org/issues/2159
I'm using Alpine's patch for Mageia 2, hopefully that's sufficient.

Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated spice packages fix security vulnerability:

A user able to initiate a spice connection to the guest could use a flaw in server/red_channel.c to crash the guest (CVE-2013-4130).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4130
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/113748.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.10.1-1.1.mga2
libspice-server1-0.10.1-1.1.mga2
libspice-server-devel-0.10.1-1.1.mga2
spice-client-0.12.2-5.1.mga3
libspice-server1-0.12.2-5.1.mga3
libspice-server-devel-0.12.2-5.1.mga3

from SRPMS:
spice-0.10.1-1.1.mga2.src.rpm
spice-0.12.2-5.1.mga3.src.rpm
Assignee: bugsquad => qa-bugs
Should be able to test this with virt-manager http://www.linux-kvm.org/page/SPICE
Set up virt-manager as in the link above, then once started used:

$ spicec -h 127.0.0.1 -p 5900

to connect to it and display the running machine. It cuts off after a second or two, I think probably due to virt-manager's own internal spice client competing for the connection.

Does virt-manager need to be updated too for this CVE?
Oops forgot mga3 64 testing complete
Whiteboard: MGA2TOO => MGA2TOO has_procedure mga3-64-ok
Does virt-manager work with the release version and not the update? I really don't know anything about this stuff.
Looks like it uses python-spice-client-gtk so might not be necessary

# urpmq --requires virt-manager
Testing complete mga3 32
Whiteboard: MGA2TOO has_procedure mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok
Testing complete mga2_32, ok for me nothing to report.
CC: (none) => geiger.david68210
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-64-ok mga2-32-ok

Thanks David. I've been having trouble getting virt-manager to work with spice on mga2 32 in my lxde vbox install.

Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates?

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0255.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED