Mageia Bugzilla – Bug 10987
spice new security issue CVE-2013-4130
Last modified: 2013-08-22 20:10:29 CEST
Fedora has issued an advisory on August 2:
The RedHat bug contains a link to the upstream fix:
It's not clear which versions are affected, but this package exists in Mageia 2 and Mageia 3 as well.
Steps to Reproduce:
This was fixed upstream in 0.12.4.
Funda fixed this in Cauldron in spice-0.12.4-1.mga4.
Christiaan, was this OK when Funda removed your patch?
It says that the patch was for more than fixing automake, it also made it use the spice-protocol package instead of a bundled copy...
It definitely looks like Mageia 2 is also affected.
The first hunk of the patch applies:
Because of code changes, the second doesn't apply, but I imagine that change is supposed to still go somewhere (there are functions using RING_FOREACH), it just isn't immediately clear where.
Alpine Linux believed they fixed this in spice 0.10.0 by just applying the first hunk:
As found here:
which itself was found here:
I'm using Alpine's patch for Mageia 2, hopefully that's sufficient.
Patched packages uploaded for Mageia 2 and Mageia 3.
Updated spice packages fix security vulnerability:
An user able to initiate spice connection to the guest could use a flaw in
server/red_channel.c to crash the guest (CVE-2013-4130).
Updated packages in core/updates_testing:
Should be able to test this with virt-manager
set up virt-manager as in the link above then once started used..
$ spicec -h 127.0.0.1 -p 5900
to connect to it and display the running machine. It cuts off after a second or two, i think probably due to virt-manager's own internal spice client competing for the connection.
Does virt-manager need to be updated too for this CVE?
Oops forgot mga3 64 testing complete
Does virt-manager work with the release version and not the update? I really don't know anything about this stuff.
Looks like it uses python-spice-client-gtk so might not be necessary
# urpmq --requires virt-manager
Testing complete mga3 32
Testing complete mga2 64
Testing complete mga2_32, ok for me nothing to report.
Thanks David. I've been having trouble getting virt-manager to work with spice on mga2 32 in my lxde vbox install.
Validating. Advisory uploaded.
Could sysadmin please push from 2 & 3 core/updates_testing to updates