Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562890 (CVE-2015-5261) - <app-emulation/spice-0.12.6: host memory access from guest using crafted images (CVE-2015-{5260,5261})
Summary: <app-emulation/spice-0.12.6: host memory access from guest using crafted imag...
Alias: CVE-2015-5261
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Blocks: CVE-2015-5260
  Show dependency tree
Reported: 2015-10-12 07:54 UTC by Agostino Sarubbo
Modified: 2016-06-16 18:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-12 07:54:52 UTC
From ${URL} :

It is possible for a guest issuing QXL commands to host to allow reading and writing host memory in 
a range of about 16-20gb.
The guest can create a surface very large (say 1000000 x 1000000). If width * height overflow the 
32 bit and became a small number the host will accept the command and will create the surface. Now 
guest can copy areas of surfaces to access any area of memory covered by the image. Considering 
overflows, pixman implementation and image formats (32 bit, top-down or down-top) the range (the 
guest pass an offset into video memory for the start) the range if about +/- 8gb.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2015-11-08 09:45:39 UTC
Major changes in 0.12.6:
* Removed spicec client code, it has been superseded by remote-viewer and other
  spice-gtk based clients
* Unix socket support
* LZ4 support
* Let clients specify their preferred image compression format
* Allow to record and replay a spice-server session
* Fixes for CVE-2015-3247 CVE-2015-5260 and CVE-2015-5261
* spice-protocol submodule has been removed,, spice-protocol must now be
  installed when building spice-server
* Remove write polling in chardevs to reduce wakeups
* Various bugs, crashes fixes, code cleanups, ...

@maintainers: Please bump
Comment 2 Matthias Maier gentoo-dev 2015-11-15 07:48:25 UTC
commit 4b9af846b69fddc4708c2bd0a49d77a49212e6f3
Author: Matthias Maier <>
Date:   Sun Nov 15 01:30:25 2015 -0600

    app-emulation/spice: version bump to 0.12.6 (CVE-2015-5260, CVE-2015-5260)
     - Bump to latest version that fixes to security issues.
     - Introduce libressl support
    Bugs: 545180
    Bugs: 560006
    Bugs: 562890
    Bugs: 565250
    Package-Manager: portage-2.2.23

commit 4afce62fa2103017af0f310d6354e0e3d3fd3c7f
Author: Matthias Maier <>
Date:   Sun Nov 15 01:26:53 2015 -0600

    app-emulation/spice-protocol: version bump to 0.12.10
    Package-Manager: portage-2.2.23
Comment 3 Matthias Maier gentoo-dev 2015-11-15 07:52:13 UTC
Arches, please stabilize


Target keywords: amd64 x86
Comment 4 Agostino Sarubbo gentoo-dev 2015-11-16 16:53:45 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-11-18 08:58:28 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 6 Matthias Maier gentoo-dev 2015-11-18 19:27:07 UTC
commit b74805e260664d8d968d65ca63c00c99c31e762d
Author: Matthias Maier <>
Date:   Wed Nov 18 13:25:53 2015 -0600

    app-emulation/spice: drop vulnerable (bug #562890, CVE-2015-{5260,5261})
    Drop vulnerable version 0.12.5
    Gentoo-Bug: 562890
    Package-Manager: portage-2.2.24
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-11-18 21:15:16 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-06-16 18:51:27 UTC
This issue was resolved and addressed in
 GLSA 201606-05 at
by GLSA coordinator Kristian Fiskerstrand (K_F).