From ${URL} :

It is possible for a guest issuing QXL commands to the host to allow reading and writing host memory in a range of about 16-20 GB.

The guest can create a very large surface (say 1000000 x 1000000). If width * height overflows 32 bits and becomes a small number, the host will accept the command and will create the surface. Now the guest can copy areas of surfaces to access any area of memory covered by the image. Considering overflows, the pixman implementation and image formats (32 bit, top-down or down-top), the range (the guest passes an offset into video memory for the start) is about +/- 8 GB.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
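The size check described in the report above, as an added example (not code from SPICE or from this bug report): a 32-bit byte count that wraps and passes a bounds check, beside a form that cannot wrap. `VRAM_BYTES`, the function names and the sample dimensions are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit standing in for the size of the guest's video memory. */
#define VRAM_BYTES (64u * 1024u * 1024u)

/* Pattern from the report: the byte count is computed in 32 bits, so the
 * product can wrap to a small value that passes the bounds check. */
static bool surface_fits_wrapping(uint32_t width, uint32_t height,
                                  uint32_t bytes_per_pixel, uint32_t *size)
{
    *size = width * bytes_per_pixel * height;   /* wraps modulo 2^32 */
    return *size <= VRAM_BYTES;
}

/* Hardened form: reject zero dimensions, widen to 64 bits, and compare
 * by division so that no intermediate value can overflow. */
static bool surface_fits_checked(uint32_t width, uint32_t height,
                                 uint32_t bytes_per_pixel, uint64_t *size)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return false;
    uint64_t stride = (uint64_t)width * bytes_per_pixel;
    if (stride > VRAM_BYTES || height > VRAM_BYTES / stride)
        return false;
    *size = stride * height;
    return true;
}

int main(void)
{
    /* Constructed dimensions: true size is 2^34 + 2^18 bytes. */
    uint32_t w = 0x10000u, h = 0x10001u, s32 = 0;
    uint64_t s64 = 0;

    bool ok32 = surface_fits_wrapping(w, h, 4, &s32);
    bool ok64 = surface_fits_checked(w, h, 4, &s64);
    printf("32-bit check:  accepted=%d computed=%u bytes\n", ok32, s32);
    printf("checked form:  accepted=%d\n", ok64);
    return 0;
}
```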
Major changes in 0.12.6:
========================
* Removed spicec client code, it has been superseded by remote-viewer and other spice-gtk based clients
* Unix socket support
* LZ4 support
* Let clients specify their preferred image compression format
* Allow to record and replay a spice-server session
* Fixes for CVE-2015-3247 CVE-2015-5260 and CVE-2015-5261
* spice-protocol submodule has been removed, spice-protocol must now be installed when building spice-server
* Remove write polling in chardevs to reduce wakeups
* Various bugs, crashes fixes, code cleanups, ...

@maintainers: Please bump
commit 4b9af846b69fddc4708c2bd0a49d77a49212e6f3
Author: Matthias Maier <tamiko@gentoo.org>
Date: Sun Nov 15 01:30:25 2015 -0600

app-emulation/spice: version bump to 0.12.6 (CVE-2015-5260, CVE-2015-5260)

- Bump to latest version that fixes to security issues.
- Introduce libressl support

Bugs: 545180
Bugs: 560006
Bugs: 562890
Bugs: 565250
Package-Manager: portage-2.2.23

commit 4afce62fa2103017af0f310d6354e0e3d3fd3c7f
Author: Matthias Maier <tamiko@gentoo.org>
Date: Sun Nov 15 01:26:53 2015 -0600

app-emulation/spice-protocol: version bump to 0.12.10

Package-Manager: portage-2.2.23
Arches, please stabilize

app-emulation/spice-protocol-0.12.10
app-emulation/spice-0.12.6

Target keywords: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
commit b74805e260664d8d968d65ca63c00c99c31e762d
Author: Matthias Maier <tamiko@gentoo.org>
Date: Wed Nov 18 13:25:53 2015 -0600

app-emulation/spice: drop vulnerable (bug #562890, CVE-2015-{5260,5261})

Drop vulnerable version 0.12.5

Gentoo-Bug: 562890
Package-Manager: portage-2.2.24
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201606-05 at https://security.gentoo.org/glsa/201606-05 by GLSA coordinator Kristian Fiskerstrand (K_F).