Bug 584126 (CVE-2016-0749, CVE-2016-2150) - <app-emulation/spice-0.12.7-r1: multiple vulnerabilities (CVE-2016-{0749,2150})
Summary: <app-emulation/spice-0.12.7-r1: multiple vulnerabilities (CVE-2016-{0749,2150})
Status: RESOLVED FIXED
Alias: CVE-2016-0749, CVE-2016-2150
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-25 21:01 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-06-16 21:56 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
0068-improve-primary-surface-parameter-checks (0068-improve-primary-surface-parameter-checks.patch, 1.36 KB, patch)
2016-05-25 21:03 UTC, Kristian Fiskerstrand (RETIRED)
no flags
0067-create-a-function-to-validate-surface-parameters (0067-create-a-function-to-validate-surface-parameters.patch, 4.24 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand (RETIRED)
no flags
0066-smartcard-allocate-msg-with-the-expected-size (0066-smartcard-allocate-msg-with-the-expected-size.patch, 4.29 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand (RETIRED)
no flags
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe (0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch, 6.67 KB, patch)
2016-05-25 21:04 UTC, Kristian Fiskerstrand (RETIRED)
no flags

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:01:24 UTC
From report:
Hi all,

There are two issues in spice. There's a small description below, I've
attached our patches to this mail (from our RHEL7, not sure how well
they apply to the newest upstream or older versions).

Both of them are still embargoed, there's no coordinated release date
set yet. Will anyone need >2 weeks?

I can share reproducers/instructions upon request. However, I remember
that at least CVE-2016-0749 was rather painful to reproduce and I forgot
the exact steps that I took already, so I probably won't be able to help
you very much there. 


CVE-2016-2150:
==============

It was found that one malicious guest inside a virtual machine can take
control of the corresponding Qemu process in the host using crafted
primary surface parameters.

This issue is similar to CVE-2015-5261, but it's using different path
in the code.

Discovered by: Frediano Ziglio, Red Hat

Patches:
0067-create-a-function-to-validate-surface-parameters.patch
0068-improve-primary-surface-parameter-checks.patch


CVE-2016-0749:
==============

A memory allocation flaw, leading to a heap-based buffer overflow was
found in spice's smartcard interaction, which runs under the QEMU-KVM
context on the host. A user connecting to a guest VM via spice could
possibly exploit this flaw to crash the QEMU-KVM process, or, possibly,
execute arbitrary code with the privileges of the host QEMU-KVM process.

Discovered by: Jing Zhao, Red Hat

Patches:
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
0066-smartcard-allocate-msg-with-the-expected-size.patch

Kind regards,
-- 
Stefan Cornelius / Red Hat Product Security
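The CVE-2016-2150 description above boils down to a guest supplying primary surface parameters (dimensions, stride, memory offset) that the host side did not bound-check before using them to address host memory; the fix named in the attached patches is a dedicated validation function. The following C block is an added illustration of that class of check and is not code from this bug, from the attached patches, or from the SPICE project: the struct, field names, limits (MAX_SURFACE_DIM) and return codes are assumptions chosen for the example. It performs every size product in 64-bit arithmetic so a 32-bit width, height or stride cannot wrap the result, and it rejects offsets that would place the surface past the end of the shared region.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical primary-surface description supplied by a guest.
 * Field names are assumptions for this example, not SPICE's structures. */
typedef struct {
    uint32_t width;    /* pixels per row */
    uint32_t height;   /* rows */
    uint32_t stride;   /* bytes from one row to the next */
    uint32_t bpp;      /* bits per pixel */
    uint64_t mem;      /* byte offset of the pixel data in the shared region */
} SurfaceParams;

enum {
    SURFACE_OK           = 0,
    SURFACE_BAD_DIMS     = -1,
    SURFACE_BAD_FORMAT   = -2,
    SURFACE_BAD_STRIDE   = -3,
    SURFACE_OUT_OF_RANGE = -4,
};

/* Constructed upper bound on width and height for the example. */
#define MAX_SURFACE_DIM 8192u

/* Returns SURFACE_OK when the surface described by p lies entirely inside a
 * region of region_size bytes, or a negative code naming the first check that
 * failed. Every product is evaluated in 64 bits so no 32-bit field can wrap
 * it, and the offset check is written as a subtraction so mem + total cannot
 * overflow either. */
int validate_surface_params(const SurfaceParams *p, uint64_t region_size)
{
    if (p->width == 0 || p->height == 0 ||
        p->width > MAX_SURFACE_DIM || p->height > MAX_SURFACE_DIM)
        return SURFACE_BAD_DIMS;

    /* Only formats the example host understands; bpp drives row size. */
    if (p->bpp != 16 && p->bpp != 32)
        return SURFACE_BAD_FORMAT;

    /* A row must fit within its stride, else reads of one row spill over. */
    uint64_t row_bytes = (uint64_t)p->width * (p->bpp / 8);
    if ((uint64_t)p->stride < row_bytes)
        return SURFACE_BAD_STRIDE;

    /* Total footprint of the surface in bytes (fits in 64 bits: both
     * factors are 32-bit). */
    uint64_t total = (uint64_t)p->stride * p->height;
    if (total > region_size || p->mem > region_size - total)
        return SURFACE_OUT_OF_RANGE;

    return SURFACE_OK;
}

int main(void)
{
    /* Constructed sample parameter sets; 3145728 is 4096 * 768 bytes. */
    const SurfaceParams ok        = { 1024, 768, 4096, 32, 0 };
    const SurfaceParams thin      = { 1024, 768, 2048, 32, 0 };
    const SurfaceParams huge      = { 8192, 8192, 0xFFFFFFFFu, 32, 0 };
    const SurfaceParams far_off   = { 1, 1, 4, 32, UINT64_MAX };

    printf("ok:      %d\n", validate_surface_params(&ok,      3145728));
    printf("thin:    %d\n", validate_surface_params(&thin,    3145728));
    printf("huge:    %d\n", validate_surface_params(&huge,    1u << 30));
    printf("far_off: %d\n", validate_surface_params(&far_off, 4096));
    return 0;
}
```

The order of the checks matters: dimensions and format are validated before any arithmetic depends on them, and the range test compares against `region_size - total` rather than computing `mem + total`, which is the step a naive check would get wrong on a 64-bit offset.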
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:03:44 UTC
Created attachment 435380 [details, diff]
0068-improve-primary-surface-parameter-checks
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:04:01 UTC
Created attachment 435382 [details, diff]
0067-create-a-function-to-validate-surface-parameters
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:04:23 UTC
Created attachment 435384 [details, diff]
0066-smartcard-allocate-msg-with-the-expected-size
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:04:41 UTC
Created attachment 435386 [details, diff]
0065-smartcard-add-a-ref-to-item-before-adding-to-pipe
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-25 21:08:40 UTC
CCing maintainers. A reminder that this is a confidential pre-notification, do not share, discuss or apply patches in public repositories until public release.
Comment 6 SpanKY gentoo-dev 2016-05-25 21:26:23 UTC
looks like it only impacts qemu when built with USE=smartcard which i think is a somewhat uncommon option
Comment 7 Yixun Lan archtester gentoo-dev 2016-06-02 03:13:58 UTC
btw, those attached patches are needed by app-emulation/spice, can be applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1)

I think this bug should be CCed to app-emulation/spice maintainer?
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-03 19:53:40 UTC
(In reply to Yixun Lan from comment #7)
> btw, those attached patches are needed by app-emulation/spice, can be
> applied with version 0.12.6-r2, 0.12.7 (but fail at version 0.13.1)
> 
> I think this bug should be CCed to app-emulation/spice maintainer?

thanks, I wasn't aware a separate package was affected, added CC
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-10 22:32:31 UTC
public in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826584
Comment 10 Matthias Maier gentoo-dev 2016-06-14 05:50:07 UTC
What a mess:

 - Upstream has a version 0.12.7 (minor patches on 0.12.6) on their website for 
   download; no version 0.12.6 is explicitly tagged in git *sigh*

 - above patches are not yet fully applied to master; only CVE-2016-2150 is patched 
   on master (not for 0.12.7, or 0.12.6)

 - CVE-2016-0749 is not fixed upstream.

I have applied above patches *without* modification to 0.12.7-r1

I have applied the following patches *with* modification to 0.13.1-r2

    CVE-2016-2150:
    
      Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
      Commits 790d8f3e53d324f496fc719498422e433aae8654
    
      *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
      *instead of* 0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      Ported the following commits to 0.13.1 (patches did not apply due to
      refactoring of some internal data structures and renaming).
    
      *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch

Vulnerable version left in tree: 0.12.6-r2

commit a24f3f05ce3b27bc73e173c7776808f1426c3e3a
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 14 00:42:09 2016 -0500

    app-emulation/spice: drop vulnerable versions, bug #584126
    
    Package-Manager: portage-2.2.28

commit 76546db063fa388fbd42de1860e0d79d17948011
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Tue Jun 14 00:37:13 2016 -0500

    app-emulation/spice: fix vuln 0.13.1, bug #584126
    
    Apply the following patches to 0.13.1:
    
    CVE-2016-2150:
    
      Commits 69628ea1375282cb7ca5b4dc4410e7aa67e0fc02
      Commits 790d8f3e53d324f496fc719498422e433aae8654
    
      *instead of* 0067-create-a-function-to-validate-surface-parameters.patch
      *instead of* 0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      Ported the following commits to 0.13.1 (patches did not apply due to
      refactoring of some internal data structures and renaming).
    
      *modified* 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      *modified* 0066-smartcard-allocate-msg-with-the-expected-size.patch
    
    Gentoo-Bug: 584126
    
    Package-Manager: portage-2.2.28

commit e78aee5d6b747e4dd0c6aed30b959107957a7c17
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Mon Jun 13 23:39:52 2016 -0500

    app-emulation/spice: fix vuln 0.12.7, bug #584126
    
    Apply the following patches to 0.12.7:
    
    CVE-2016-2150:
    
      0067-create-a-function-to-validate-surface-parameters.patch
      0068-improve-primary-surface-parameter-checks.patch
    
    CVE-2016-0749:
    
      0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch
      0066-smartcard-allocate-msg-with-the-expected-size.patch
    
    Gentoo-Bug: 584126
    
    Package-Manager: portage-2.2.28
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>
Comment 11 Matthias Maier gentoo-dev 2016-06-14 06:00:13 UTC
Arches, please stabilize

  =app-emulation/spice-0.12.7-r1
  =app-emulation/spice-protocol-0.12.11
  =net-misc/spice-gtk-0.31

Target keywords: "amd64 x86"
Comment 12 Agostino Sarubbo gentoo-dev 2016-06-14 10:20:20 UTC
amd64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-06-15 07:18:44 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-06-15 10:11:59 UTC
Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-15 10:25:31 UTC
CVE-2016-2150 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2150):
  SPICE allows local guest OS users to read from or write to arbitrary host
  memory locations via crafted primary surface parameters, a similar issue to
  CVE-2015-5261.

CVE-2016-0749 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0749):
  The smartcard interaction in SPICE allows remote attackers to cause a denial
  of service (QEMU-KVM process crash) or possibly execute arbitrary code via
  vectors related to connecting to a guest VM, which triggers a heap-based
  buffer overflow.
Comment 16 Matthias Maier gentoo-dev 2016-06-15 16:39:34 UTC
Cleaned up.

commit b91694cb994cb01a2e80bf0ebdb619c9ee831491
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:36:29 2016 -0500

    app-emulation/spice-protocol: Drop obsolete, bug #584126
    
    Package-Manager: portage-2.2.28

commit 85940795ce339c397d6496331e0eada962a082a4
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:35:27 2016 -0500

    app-emulation/spice: drop vulnerable, bug #584126
    
    Package-Manager: portage-2.2.28

commit 308730cf2bfcd6e117dd6cbeb5c96c7cc7cb4620
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Wed Jun 15 11:37:24 2016 -0500

    net-misc/spice-gtk: drop obsolete, bug #584126
    
    Package-Manager: portage-2.2.28
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-06-16 18:51:37 UTC
This issue was resolved and addressed in
 GLSA 201606-05 at https://security.gentoo.org/glsa/201606-05
by GLSA coordinator Kristian Fiskerstrand (K_F).