
Bug 477010 (CVE-2013-4130)

Summary: <app-emulation/spice-0.12.3-r1: unsafe clients ring access abort (CVE-2013-4130)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: minor CC: dev-zero, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-07-16 05:10:22 UTC
From ${URL} :

Currently, both red_channel_pipes_add_type() and red_channel_pipes_add_empty_msg() use plain 
RING_FOREACH() which is not safe versus removals from the ring within the loop body. Yet, when 
a (network) error does occur, the current item could be removed from the ring down the road and the 
assertion in RING_FOREACH()'s ring_next() could trip, causing the process containing the spice 
server to abort.

A user able to initiate spice connection to the guest could use this flaw to crash the guest.

Upstream fix:

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
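
The failure mode described above, modelled as an added example (not part of the original report and not SPICE's code): a minimal ring, walked once with a plain foreach and once with a removal-safe one that saves the successor before the loop body runs. All type and function names are hypothetical, and the three-client ring is constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an intrusive ring (circular list with a sentinel head).
 * All names are hypothetical; this is not SPICE's ring.h or red_channel.c. */
typedef struct Item { struct Item *prev, *next; int fails; } Item;

static void ring_init(Item *head) { head->prev = head->next = head; }
static void ring_add(Item *head, Item *it) {
    it->prev = head->prev; it->next = head;
    head->prev->next = it; head->prev = it;
}
/* Removal clears the links, so a stale cursor is detectable afterwards. */
static void ring_remove(Item *it) {
    it->prev->next = it->next; it->next->prev = it->prev;
    it->prev = it->next = NULL;
}
/* Stand-in for sending to one client: a (network) error disconnects it,
 * which unlinks it from the ring while the caller is still iterating. */
static void send_to_client(Item *it) { if (it->fails) ring_remove(it); }

/* Plain foreach: advances from the current item after the body has run.
 * Returns -1 at the point where an assertion on the links would abort. */
int walk_plain(Item *head) {
    int visited = 0;
    for (Item *it = head->next; it != head; it = it->next) {
        send_to_client(it);
        visited++;
        if (it->next == NULL) return -1;  /* current item was unlinked */
    }
    return visited;
}
/* Removal-safe foreach: the successor is saved before the body runs. */
int walk_safe(Item *head) {
    int visited = 0;
    for (Item *it = head->next, *nx; it != head; it = nx) {
        nx = it->next;
        send_to_client(it);
        visited++;
    }
    return visited;
}
/* Constructed ring of three clients; client index `bad` hits an error. */
int demo(int bad, int safe) {
    Item head, c[3];
    ring_init(&head);
    for (int i = 0; i < 3; i++) { c[i].fails = (i == bad); ring_add(&head, &c[i]); }
    return safe ? walk_safe(&head) : walk_plain(&head);
}
int main(void) { printf("plain=%d safe=%d\n", demo(1, 0), demo(1, 1)); return 0; }
```

Saving the successor only protects against removal of the current item; a loop body that can unlink other items from the ring needs a different strategy.
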
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2013-07-24 14:25:47 UTC
Fixed in spice-0.12.3-r1. Please stabilize that version.

Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2013-07-24 14:34:46 UTC
(In reply to Doug Goldstein from comment #1)
> Fixed in spice-0.12.3-r1. Please stabilize that version.
> TARGET KEYWORDS: amd64 x86

Having twins apparently makes you fall asleep at the keyboard while typing so let me fix that. "Please stable that version."
Comment 3 Agostino Sarubbo gentoo-dev 2013-07-24 18:43:32 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-07-27 22:04:37 UTC
x86 stable
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 03:11:20 UTC
GLSA vote: no.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 03:11:28 UTC
CVE-2013-4130 (
  The (1) red_channel_pipes_add_type and (2) red_channel_pipes_add_empty_msg
  functions in server/red_channel.c in SPICE before 0.12.4 do not properly
  perform ring loops, which might allow remote attackers to cause a denial of
  service (reachable assertion and server exit) by triggering a network error.
Comment 7 Sergey Popov gentoo-dev 2013-10-07 09:56:38 UTC
GLSA vote: no

Closing as noglsa