
Bug 560006 (CVE-2015-5260)

Summary: <app-emulation/spice-0.12.6: insufficient validation of surface_id parameter can cause crash
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: dev-zero, virtualization
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 562890    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2015-09-09 06:57:30 UTC
From ${URL} :

surface_id is a field for many QXL commands (commands that a guest can freely craft and send). 
In particular, they are used to create and destroy new surfaces. This field is used as an index for a 
statically allocated array.
In different paths, the value passes without being stopped (in many cases it just gives some 
warnings if enabled) so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific 
data at a specific offset, it is still possible to write some value at some offset (dirtying near 
data). This means that the problem can be used for heap corruption which is usually exploitable.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
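
The class of check the description says was missing, as an added example that is not taken from SPICE or from this bug report: a guest-supplied surface_id is range-checked before it indexes a statically allocated table. `NUM_SURFACES`, `struct surface`, `surface_lookup` and the two handlers are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_SURFACES 1024u          /* assumed table size, not SPICE's value */

struct surface { bool in_use; uint32_t width, height; };

/* Statically allocated table indexed by the guest-supplied surface_id. */
static struct surface surfaces[NUM_SURFACES];

/* Return the slot for surface_id, or NULL if the id is outside the table.
 * The id stays unsigned so a value like 0xFFFFFFFF cannot turn negative
 * and slip past a signed "< NUM_SURFACES" comparison. */
static struct surface *surface_lookup(uint32_t surface_id)
{
    if (surface_id >= NUM_SURFACES)
        return NULL;
    return &surfaces[surface_id];
}

/* Handle a "create surface" command: 0 on success, -1 if rejected. */
int handle_surface_create(uint32_t surface_id, uint32_t w, uint32_t h)
{
    struct surface *s = surface_lookup(surface_id);
    if (s == NULL || s->in_use)     /* out of range, or slot already taken */
        return -1;
    s->in_use = true;
    s->width = w;
    s->height = h;
    return 0;
}

/* Handle a "destroy surface" command: 0 on success, -1 if rejected. */
int handle_surface_destroy(uint32_t surface_id)
{
    struct surface *s = surface_lookup(surface_id);
    if (s == NULL || !s->in_use)    /* out of range, or nothing to destroy */
        return -1;
    *s = (struct surface){0};
    return 0;
}

int main(void)
{
    printf("create id=5: %d\n", handle_surface_create(5, 640, 480));
    printf("create id=%u: %d\n", NUM_SURFACES, handle_surface_create(NUM_SURFACES, 1, 1));
    printf("destroy id=0xFFFFFFFF: %d\n", handle_surface_destroy(0xFFFFFFFFu));
    return 0;
}
```

Every path that consumes the id goes through the one lookup function, so a command is rejected rather than logged with a warning and processed anyway.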
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2015-11-08 09:47:34 UTC
Fixed in 0.12.6, maintainers please bump
Comment 2 Matthias Maier gentoo-dev 2015-11-15 07:49:01 UTC
commit 4b9af846b69fddc4708c2bd0a49d77a49212e6f3
Author: Matthias Maier <>
Date:   Sun Nov 15 01:30:25 2015 -0600

    app-emulation/spice: version bump to 0.12.6 (CVE-2015-5260, CVE-2015-5260)
     - Bump to latest version that fixes to security issues.
     - Introduce libressl support
    Bugs: 545180
    Bugs: 560006
    Bugs: 562890
    Bugs: 565250
    Package-Manager: portage-2.2.23

commit 4afce62fa2103017af0f310d6354e0e3d3fd3c7f
Author: Matthias Maier <>
Date:   Sun Nov 15 01:26:53 2015 -0600

    app-emulation/spice-protocol: version bump to 0.12.10
    Package-Manager: portage-2.2.23

Stabilization on related security bug #562890
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-06-15 10:10:19 UTC
Added to existing GLSA request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-06-16 18:51:20 UTC
This issue was resolved and addressed in
 GLSA 201606-05 at
by GLSA coordinator Kristian Fiskerstrand (K_F).