Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 584126 (CVE-2016-0749, CVE-2016-2150) - <app-emulation/spice-0.12.7-r1: multiple vulnerabilities (CVE-2016-{0749,2150})
Summary: <app-emulation/spice-0.12.7-r1: multiple vulnerabilities (CVE-2016-{0749,2150})
Status: RESOLVED FIXED
Alias: CVE-2016-0749, CVE-2016-2150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-25 21:01 UTC by Kristian Fiskerstrand
Modified: 2016-06-16 21:56 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
0068-improve-primary-surface-parameter-checks (0068-improve-primary-surface-parameter-checks.patch,1.36 KB, patch)
2016-05-25 21:03 UTC, Kristian Fiskerstrand
no flags Details | Diff
0067-create-a-function-to-validate-surface-parameters (0067-create-a-function-to-validate-surface-parameters.patch,4.24 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand
no flags Details | Diff
0066-smartcard-allocate-msg-with-the-expected-size (0066-smartcard-allocate-msg-with-the-expected-size.patch,4.29 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand
no flags Details | Diff
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe (0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch,6.67 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:01:24 UTC
From report:
Hi all,

There are two issues in spice. There's a small description below, I've
attached our patches to this mail (from our RHEL7, not sure how well
they apply to the newest upstream or older versions).

Both of them are still embargoed, there's no coordinated release date
set yet. Will anyone need >2 weeks?

I can share reproducers/instructions upon request. However, I remember
that at least CVE-2016-0749 was rather painful to reproduce and I forgot
the exact steps that I took already, so I probably won't be able to help
you very much there. 


CVE-2016-2150:
==============

It was found that one malicious guest inside a virtual machine can take
control of the corresponding Qemu process in the host using crafted
primary surface parameters.

This issue is similar to CVE-2015-5261, but it's using different path
in the code.

Discovered by: Frediano Ziglio, Red Hat

Patches:
0067-create-a-function-to-validate-surface-parameters.patch
0068-improve-primary-surface-parameter-checks.patch


CVE-2016-0749:
==============

A memory allocation flaw, leading to a heap-based buffer overflow was
found in spice's smartcard interaction, which runs under the QEMU-KVM
context on the host. A user connecting to a guest VM via spice could
possibly exploit this flaw to crash the QEMU-KVM process, or, possibly,
execute arbitrary code with the privileges of the host QEMU-KVM process.

Discovered by: Jing Zhao, Red Hat

Patches:
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
0066-smartcard-allocate-msg-with-the-expected-size.patch

Kind regards,
-- 
Stefan Cornelius / Red Hat Product Security
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:03:44 UTC
Created attachment 435380 [details, diff]
0068-improve-primary-surface-parameter-checks
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:04:01 UTC
Created attachment 435382 [details, diff]
0067-create-a-function-to-validate-surface-parameters
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:04:23 UTC
Created attachment 435384 [details, diff]
0066-smartcard-allocate-msg-with-the-expected-size
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:04:41 UTC
Created attachment 435386 [details, diff]
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe
Comment 5 Kristian Fiskerstrand gentoo-dev Security 2016-05-25 21:08:40 UTC
CCing maintainers. A reminder that this is a confidential pre-notification, do not share, discuss or apply patches in public repositories until public release.
Comment 6 SpanKY gentoo-dev 2016-05-25 21:26:23 UTC
looks like it only impacts qemu when built with USE=smartcard which i think is a somewhat uncommon option
Comment 7 Yixun Lan gentoo-dev 2016-06-02 03:13:58 UTC
btw, those attached patches are needed by app-emulation/spice, can be applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1)

I think this bug should be CCed to app-emulation/spice maintainer?
Comment 8 Kristian Fiskerstrand gentoo-dev Security 2016-06-03 19:53:40 UTC
(In reply to Yixun Lan from comment #7)
> btw, those attached patches are needed by app-emulation/spice, can be
> applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1)
> 
> I think this bug should be CCed to app-emulation/spice maintainer?

thanks, I wasn't aware it was a separate package influenced, added CC
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2016-06-10 22:32:31 UTC
public in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826584
Comment 10 Matthias Maier gentoo-dev 2016-06-14 05:50:07 UTC
What a mess:

 - Upstream has a version 0.12.7 (minor patches on 0.12.6) on their website for 
   download; no version 0.12.6 is explicitly tagged in git *sigh*

 - above patches are not yet fully applied to master; only CVE-2016-2150 is patched 
   on master (not for 0.12.7, or 0.12.6)

 - CVE-2016-0749 is not fixed upstream.

I have applied above patches *without* modification to 0.12.7-r1

I have applied the following patches *with* modification to 0.13.1-r2

    CVE-2016-2150:
    
      Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
      Commits 790d8f3e53d324f496fc719498422e433aae8654
    
      *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
      *instead of* 0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      Ported the following commits to 0.13.1 (patches did not apply due to
      refactoring of some internal data structures and renaming).
    
      *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch



Vulnerable version left in tree: 0.12.6-r2




commit a24f3f05ce3b27bc73e173c7776808f1426c3e3a
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 14 00:42:09 2016 -0500

    app-emulation/spice: drop vulnerable versions, bug #584126
    
    Package-Manager: portage-2.2.28

commit 76546db063fa388fbd42de1860e0d79d17948011
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 14 00:37:13 2016 -0500

    app-emulation/spice: fix vuln 0.13.1, bug #584126
    
    Apply the following patches to 0.13.1:
    
    CVE-2016-2150:
    
      Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
      Commits 790d8f3e53d324f496fc719498422e433aae8654
    
      *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
      *instead of* 0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      Ported the following commits to 0.13.1 (patches did not apply due to
      refactoring of some internal data structures and renaming).
    
      *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch
    
    Gentoo-Bug: 584126
    
    Package-Manager: portage-2.2.28

commit e78aee5d6b747e4dd0c6aed30b959107957a7c17
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Jun 13 23:39:52 2016 -0500

    app-emulation/spice: fix vuln 0.12.7, bug #584126
    
    Apply the following patches to 0.12.7:
    
    CVE-2016-2150:
    
      0067-create-a-function-to-validate-surface-parameters.patch
      0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      0066-smartcard-allocate-msg-with-the-expected-size.patch
    
    Gentoo-Bug: 584126
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Comment 11 Matthias Maier gentoo-dev 2016-06-14 06:00:13 UTC
Arches, please stabilize

  =app-emulation/spice-0.12.7-r1
  =app-emulation/spice-protocol-0.12.11
  =net-misc/spice-gtk-0.31

Target keywords:"amd64 x86"
Comment 12 Agostino Sarubbo gentoo-dev 2016-06-14 10:20:20 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-06-15 07:18:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 14 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-15 10:11:59 UTC
Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-15 10:25:31 UTC
CVE-2016-2150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2150):
  SPICE allows local guest OS users to read from or write to arbitrary host
  memory locations via crafted primary surface parameters, a similar issue to
  CVE-2015-5261.

CVE-2016-0749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0749):
  The smartcard interaction in SPICE allows remote attackers to cause a denial
  of service (QEMU-KVM process crash) or possibly execute arbitrary code via
  vectors related to connecting to a guest VM, which triggers a heap-based
  buffer overflow.
Comment 16 Matthias Maier gentoo-dev 2016-06-15 16:39:34 UTC
Cleaned up.

commit b91694cb994cb01a2e80bf0ebdb619c9ee831491
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:36:29 2016 -0500

    app-emulation/spice-protocol: Drop obsolete, bug #584126
    
    Package-Manager: portage-2.2.28

commit 85940795ce339c397d6496331e0eada962a082a4
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:35:27 2016 -0500

    app-emulation/spice: drop vulnerable, bug #584126
    
    Package-Manager: portage-2.2.28

commit 308730cf2bfcd6e117dd6cbeb5c96c7cc7cb4620
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:37:24 2016 -0500

    net-misc/spice-gtk: drop obsolete, bug #584126
    
    Package-Manager: portage-2.2.28
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-06-16 18:51:37 UTC
This issue was resolved and addressed in
 GLSA 201606-05 at https://security.gentoo.org/glsa/201606-05
by GLSA coordinator Kristian Fiskerstrand (K_F).