Bug 16919 - spice new security issues CVE-2015-5260 and CVE-2015-5261
Summary: spice new security issues CVE-2015-5260 and CVE-2015-5261
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/659759/
Whiteboard: has_procedure mga5-64-ok advisory
Keywords: validated_update
Reported: 2015-10-07 18:24 CEST by David Walser
Modified: 2015-10-09 20:49 CEST
Source RPM: spice-0.12.5-2.1.mga5.src.rpm

Description David Walser 2015-10-07 18:24:09 CEST
Ubuntu has issued an advisory on October 6:
http://www.ubuntu.com/usn/usn-2766-1/

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerabilities:

Frediano Ziglio discovered multiple buffer overflows, undefined behavior
signed integer operations, race conditions, memory leaks, and denial
of service issues in Spice. A malicious guest operating system could
potentially exploit these issues to escape virtualization (CVE-2015-5260,
CVE-2015-5261).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5260
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5261
http://www.ubuntu.com/usn/usn-2766-1/
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.5-2.2.mga5
libspice-server1-0.12.5-2.2.mga5
libspice-server-devel-0.12.5-2.2.mga5

from spice-0.12.5-2.2.mga5.src.rpm

Comment 1 David Walser 2015-10-07 18:24:25 CEST
Testing procedure in:
https://bugs.mageia.org/show_bug.cgi?id=10987

Whiteboard: (none) => has_procedure

Dave Hodgins 2015-10-09 00:14:08 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory

Comment 2 claire robinson 2015-10-09 15:15:50 CEST
Testing complete mga5 64 connecting to a VM set up to use spice in virt-manager.

HowTo:

To use virt-manager first install it along with qemu and libvirt-utils, then start libvirtd service. When you start virt-manager (in system tools in the menu) it asks for root password and should show local qemu to connect to.

Create a new VM, it's mostly like Vbox. On the last step tick the box to customise the machine before install.

On the Video Default tab select QXL as the Model and apply it. In the Display Default tab select Spice Server as the Default Server and apply it again. You can then click Begin Installation.

When the machine starts you should be able to close the display and then test spice with..

$ spicec -h 127.0.0.1 -p 5900

It should display the VM.

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure mga5-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-10-09 20:49:00 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0394.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
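
Added example (not part of the original bug report or of Mageia's tooling): a small shell check that a host carries the fixed spice builds listed under "Updated packages" above. The function names, the OK/OUTDATED labels and the sample lines are constructed for illustration, and the lib*spice-server* pattern is an assumption meant to also catch 64-bit library package names.

```shell
#!/bin/sh
# Flag spice packages older than the fixed build named in this bug.
# Real use:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_spice

FIXED="0.12.5-2.2.mga5"   # version-release from the "Updated packages" list

# Succeed if version-release $1 is >= $2.
# sort -V only approximates rpm's ordering; it is adequate for the plain
# numeric versions used by these packages.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Read "name version-release" lines on stdin and print one verdict per
# spice package. Returns 0 if every spice package is fixed, 1 otherwise.
check_spice() {
    rc=0
    while read -r name evr; do
        case "$name" in
            spice-client|lib*spice-server*) ;;   # packages from this update
            *) continue ;;                       # ignore everything else
        esac
        if ver_ge "$evr" "$FIXED"; then
            echo "OK       $name $evr"
        else
            echo "OUTDATED $name $evr (need >= $FIXED)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: a half-updated host plus an unrelated package.
sample_input() {
    printf '%s\n' \
        'spice-client 0.12.5-2.1.mga5' \
        'libspice-server1 0.12.5-2.2.mga5' \
        'libspice-server-devel 0.12.5-2.2.mga5' \
        'somepkg 1.0-1.mga5'
}

sample_input | check_spice || echo "at least one spice package still needs the update"
```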

