RedHat has issued an advisory on June 6:
https://rhn.redhat.com/errata/RHSA-2016-1205.html

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated spice packages fix security vulnerabilities:

A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host's QEMU-KVM process (CVE-2016-0749).

A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host (CVE-2016-2150).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2150
https://rhn.redhat.com/errata/RHSA-2016-1205.html
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.5-2.3.mga5
libspice-server1-0.12.5-2.3.mga5
libspice-server-devel-0.12.5-2.3.mga5

from spice-0.12.5-2.3.mga5.src.rpm
Version: Cauldron => 5
Assignee: fundawang => qa-bugs
Whiteboard: MGA5TOO => (none)
Procedure: https://bugs.mageia.org/show_bug.cgi?id=16919#c2
Whiteboard: (none) => has_procedure
Testing on mga5-64:

already installed:
qemu-2.4.1-5.mga5
qemu-img-2.4.1-5.mga5
virt-manager-1.1.0-7.mga5
lib64virt0-1.2.9.3-1.4.mga5
libvirt-utils-1.2.9.3-1.4.mga5

installed from testing:
spice-client-0.12.5-2.3.mga5
lib64spice-server1-0.12.5-2.3.mga5

Used virt-manager to create a VM:
Selected Customise machine before install
Set QXL as Video Default model
Set Spice server as default server
Started installation of mga5-32 using boot.iso
While packages were installing closed the display
Executed:
$ spicec -h 127.0.0.1 -p 5900
Spice opened a display showing the packages installing in the VM

OK for mga5-64
CC: (none) => jim
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Thanks Jim. Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5-64-OK => has_procedure advisory MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0250.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED