| Summary: | <app-emulation/spice-0.12.7-r1: multiple vulnerabilities (CVE-2016-{0749,2150}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dev-zero, dlan, vapier, virtualization |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | | | |
Description
Kristian Fiskerstrand (RETIRED)
2016-05-25 21:01:24 UTC
Created attachment 435380 [details, diff]
0068-improve-primary-surface-parameter-checks
Created attachment 435382 [details, diff]
0067-create-a-function-to-validate-surface-parameters
Created attachment 435384 [details, diff]
0066-smartcard-allocate-msg-with-the-expected-size
Created attachment 435386 [details, diff]
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe
CCing maintainers. A reminder that this is a confidential pre-notification, do not share, discuss or apply patches in public repositories until public release.

Looks like it only impacts qemu when built with USE=smartcard, which I think is a somewhat uncommon option.

Btw, those attached patches are needed by app-emulation/spice, can be applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1).

I think this bug should be CCed to app-emulation/spice maintainer?

(In reply to Yixun Lan from comment #7)
> btw, those attached patches are needed by app-emulation/spice, can be
> applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1)
>
> I think this bug should be CCed to app-emulation/spice maintainer?

Thanks, I wasn't aware it was a separate package influenced, added CC.

What a mess:
- Upstream has a version 0.12.7 (minor patches on 0.12.6) on their website for download; no version 0.12.6 is explicitly tagged in git *sigh*
- above patches are not yet fully applied to master; only CVE-2016-2150 is patched on master (not for 0.12.7, or 0.12.6)
- CVE-2016-0749 is not fixed upstream.

I have applied above patches *without* modification to 0.12.7-r1.

I have applied the following patches *with* modification to 0.13.1-r2:

CVE-2016-2150:
Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
Commits 790d8f3e53d324f496fc719498422e433aae8654
*instead of* 0067-create-a-function-to-validate-surface-parameters.patch
*instead of* 0068-improve-primary-surface-parameter-checks.patch

CVE-2016-0749:
Ported the following commits to 0.13.1 (patches did not apply due to refactoring of some internal data structures and renaming).
*modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
*modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch

Vulnerable version left in tree: 0.12.6-r2

commit a24f3f05ce3b27bc73e173c7776808f1426c3e3a
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Jun 14 00:42:09 2016 -0500

    app-emulation/spice: drop vulnerable versions, bug #584126

    Package-Manager: portage-2.2.28

commit 76546db063fa388fbd42de1860e0d79d17948011
Author: Matthias Maier <tamiko@gentoo.org>
Date: Tue Jun 14 00:37:13 2016 -0500

    app-emulation/spice: fix vuln 0.13.1, bug #584126

    Apply the following patches to 0.13.1:

    CVE-2016-2150:
    Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
    Commits 790d8f3e53d324f496fc719498422e433aae8654
    *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
    *instead of* 0068-improve-primary-surface-parameter-checks.patch

    CVE-2016-0749:
    Ported the following commits to 0.13.1 (patches did not apply due to
    refactoring of some internal data structures and renaming).
    *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
    *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch

    Gentoo-Bug: 584126
    Package-Manager: portage-2.2.28

commit e78aee5d6b747e4dd0c6aed30b959107957a7c17
Author: Matthias Maier <tamiko@gentoo.org>
Date: Mon Jun 13 23:39:52 2016 -0500

    app-emulation/spice: fix vuln 0.12.7, bug #584126

    Apply the following patches to 0.12.7:

    CVE-2016-2150:
    0067-create-a-function-to-validate-surface-parameters.patch
    0068-improve-primary-surface-parameter-checks.patch

    CVE-2016-0749:
    0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
    0066-smartcard-allocate-msg-with-the-expected-size.patch

    Gentoo-Bug: 584126
    Package-Manager: portage-2.2.28
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

Arches, please stabilize
=app-emulation/spice-0.12.7-r1
=app-emulation/spice-protocol-0.12.11
=net-misc/spice-gtk-0.31

Target keywords: "amd64 x86"

amd64 stable

x86 stable.

Maintainer(s), please cleanup.

Added to existing GLSA request.

CVE-2016-2150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2150): SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.

CVE-2016-0749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0749): The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow.

Cleaned up.

commit b91694cb994cb01a2e80bf0ebdb619c9ee831491
Author: Matthias Maier <tamiko@gentoo.org>
Date: Wed Jun 15 11:36:29 2016 -0500

    app-emulation/spice-protocol: Drop obsolete, bug #584126

    Package-Manager: portage-2.2.28

commit 85940795ce339c397d6496331e0eada962a082a4
Author: Matthias Maier <tamiko@gentoo.org>
Date: Wed Jun 15 11:35:27 2016 -0500

    app-emulation/spice: drop vulnerable, bug #584126

    Package-Manager: portage-2.2.28

commit 308730cf2bfcd6e117dd6cbeb5c96c7cc7cb4620
Author: Matthias Maier <tamiko@gentoo.org>
Date: Wed Jun 15 11:37:24 2016 -0500

    net-misc/spice-gtk: drop obsolete, bug #584126

    Package-Manager: portage-2.2.28

This issue was resolved and addressed in GLSA 201606-05 at https://security.gentoo.org/glsa/201606-05 by GLSA coordinator Kristian Fiskerstrand (K_F).
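The CVE-2016-2150 fix above ("create a function to validate surface parameters", "improve primary surface parameter checks") is at heart a bounds check on guest-controlled geometry before the host touches memory described by it. The following is an added illustration written for this page, not SPICE's own code: a hypothetical `surface_params_valid()` that rejects a surface whose rows would fall outside a host-side region, with all arithmetic ordered so that nothing can wrap. The struct layout, the 8192 dimension cap and the 16/32 bpp set are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added illustration: a hypothetical check of the kind the "validate surface
 * parameters" patches introduce. Not SPICE's code; struct layout, dimension
 * cap and accepted bpp values are assumptions made for this example. */

#define MAX_SURFACE_DIM 8192u   /* assumed cap on width and height */

typedef struct {
    uint32_t width;    /* pixels per row, guest-controlled */
    uint32_t height;   /* rows, guest-controlled */
    uint32_t stride;   /* bytes between row starts, guest-controlled */
    uint32_t bpp;      /* bits per pixel, guest-controlled */
    uint64_t offset;   /* start of pixel data inside the shared region */
} surface_params_t;

/* Returns true only when every pixel of the surface lies inside a region of
 * region_size bytes. Dimensions are capped before any multiplication and
 * products are taken in uint64_t, so intermediate values cannot wrap. */
bool surface_params_valid(const surface_params_t *p, uint64_t region_size)
{
    /* 1. Reject degenerate and oversized geometry first. */
    if (p->width == 0 || p->height == 0 ||
        p->width > MAX_SURFACE_DIM || p->height > MAX_SURFACE_DIM)
        return false;

    /* 2. Only formats the renderer handles (assumed here: 16 and 32 bpp). */
    if (p->bpp != 16 && p->bpp != 32)
        return false;

    /* 3. A row must fit inside its stride; otherwise the stride-based size
     *    understates how far the last row really reaches. */
    uint64_t row_bytes = (uint64_t)p->width * (p->bpp / 8);
    if (p->stride < row_bytes)
        return false;

    /* 4. Bytes from the first byte of row 0 to the last byte of the last row:
     *    (height - 1) strides plus one full row. */
    uint64_t span = (uint64_t)(p->height - 1) * p->stride + row_bytes;

    /* 5. Compare by subtraction so that offset + span is never computed
     *    and therefore cannot overflow. */
    if (p->offset > region_size || span > region_size - p->offset)
        return false;

    return true;
}
```

The same shape of check applies to any guest- or client-supplied buffer description: cap, whitelist, then range-check with subtraction rather than addition.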