Bug 20251 - spice new security issues CVE-2016-9577 and CVE-2016-9578
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/713771/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-07 12:07 CET by David Walser
Modified: 2017-02-23 15:59 CET

See Also:
Source RPM: spice-0.13.3-2.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-02-07 12:07:43 CET
Red Hat has issued an advisory on February 6:
https://rhn.redhat.com/errata/RHSA-2017-0254.html

Mageia 5 is also affected.
David Walser 2017-02-07 12:07:52 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-02-08 09:50:28 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2017-02-16 15:41:30 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An authenticated attacker could send crafted messages to the spice server causing a heap overflow leading to a crash or possible code execution. (CVE-2016-9577)

An attacker able to connect to the spice server could send crafted messages which would cause the process to crash. (CVE-2016-9578)

References:
https://rhn.redhat.com/errata/RHSA-2017-0254.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9578
========================

Updated packages in core/updates_testing:
========================
spice-client-0.12.5-2.4.mga5
lib(64)spice-server1-0.12.5-2.4.mga5
lib(64)spice-server-devel-0.12.5-2.4.mga5

from SRPMS:
spice-0.12.5-2.4.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Dave Hodgins 2017-02-19 21:51:50 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 Dave Hodgins 2017-02-20 05:48:37 CET
Trying to test with qemu ...

qemu-kvm -net user -net nic,model=virtio -cdrom file:/s3/m4/Mageia-6-sta2-LiveDVD-Plasma-x86_64-DVD/Mageia-6-sta2-LiveDVD-Plasma-x86_64-DVD.iso -boot d -m 512 -spice port=7777,password=munged

# netstat -tapn|grep qemu
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      13251/qemu-kvm

shows that qemu is listening.

spicec -h 127.0.0.1 -p 7777 -w munged
successfully connects to the guest although it's very slow.

I'll try testing on an i586 host system later, if no one beats me to it.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 4 Dave Hodgins 2017-02-22 02:38:30 CET
Same testing on an i586 install done.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2017-02-23 15:59:42 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0062.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

