From ${URL} : surface_id is a field for many QXL commands (commands that a guest can freely craft and send). In particular, they are used to create and destroy new surfaces. This field is used as an index into a statically allocated array. In different paths, the value passes through without being stopped (in many cases it just gives some warnings, if enabled), so you can corrupt memory very easily. A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying nearby data). This means that the problem can be used for heap corruption, which is usually exploitable. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
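As an added illustration of the unchecked-index pattern the comment above describes, here is a hypothetical C model (not spice's own code): a guest-supplied surface_id indexes a static surface table, first without validation and then with the bounds check that rejects the command. The table, its size and the handler names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the bug (not spice's code): a guest-controlled
 * surface_id indexes a statically allocated surface table. */
#define NUM_SURFACES 16

typedef struct {
    int in_use;
    int width;
    int height;
} Surface;

static Surface surfaces[NUM_SURFACES];

/* Vulnerable pattern: the guest-controlled index is used as-is.
 * Any surface_id >= NUM_SURFACES reads or writes past the array, which is
 * the memory corruption described above. A warning alone does not stop it. */
Surface *surface_lookup_unchecked(uint32_t surface_id)
{
    return &surfaces[surface_id];   /* no bounds check */
}

/* Hardened pattern: validate the index before it touches the array and
 * make the caller reject the command when validation fails. */
Surface *surface_lookup_checked(uint32_t surface_id)
{
    if (surface_id >= NUM_SURFACES) {
        fprintf(stderr, "rejecting command: surface_id %u out of range\n",
                (unsigned)surface_id);
        return NULL;
    }
    return &surfaces[surface_id];
}

/* Command handlers built on the checked lookup. Return 0 on success,
 * -1 when the command is rejected (bad index or wrong surface state). */
int handle_surface_create(uint32_t surface_id, int width, int height)
{
    Surface *s = surface_lookup_checked(surface_id);
    if (s == NULL || s->in_use)
        return -1;
    s->in_use = 1;
    s->width = width;
    s->height = height;
    return 0;
}

int handle_surface_destroy(uint32_t surface_id)
{
    Surface *s = surface_lookup_checked(surface_id);
    if (s == NULL || !s->in_use)
        return -1;
    s->in_use = 0;
    return 0;
}
```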
Fixed in 0.12.6, maintainers please bump
commit 4b9af846b69fddc4708c2bd0a49d77a49212e6f3
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Nov 15 01:30:25 2015 -0600

    app-emulation/spice: version bump to 0.12.6 (CVE-2015-5260, CVE-2015-5260)

    - Bump to latest version that fixes two security issues.
    - Introduce libressl support

    Bugs: 545180
    Bugs: 560006
    Bugs: 562890
    Bugs: 565250
    Package-Manager: portage-2.2.23

commit 4afce62fa2103017af0f310d6354e0e3d3fd3c7f
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Sun Nov 15 01:26:53 2015 -0600

    app-emulation/spice-protocol: version bump to 0.12.10

    Package-Manager: portage-2.2.23

Stabilization on related security bug #562890
Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201606-05 at https://security.gentoo.org/glsa/201606-05 by GLSA coordinator Kristian Fiskerstrand (K_F).