Bug 944460 (CVE-2015-3247)

Summary: VUL-0: CVE-2015-3247 spice: memory corruption in worker_update_monitors_config()
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: astieger, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/156283/
Whiteboard: CVSSv2:NVD:CVE-2015-3247:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2015-3247:7.7:(AV:A/AC:L/Au:S/C:C/I:C/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: CVE-2015-3247.patch

Description Victor Pereira 2015-09-04 08:28:14 UTC
rh#1233238

It was reported that function worker_update_monitors_config in spice-server contains a race condition which can be exploited as a heap corruption from the guest.

Suggested patch: https://bugzilla.redhat.com/attachment.cgi?id=1037193

Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1233238
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3247
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3247.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3247
Comment 1 Swamp Workflow Management 2015-09-04 22:00:39 UTC
bugbot adjusting priority
Comment 2 Cédric Bosdonnat 2015-09-07 13:50:54 UTC
I don't have access to the patch you pointed to. Could you paste it here? Is it embargoed?
Comment 4 Andreas Stieger 2015-09-07 14:29:19 UTC
Created attachment 646440
CVE-2015-3247.patch

This one from https://bugzilla.redhat.com/attachment.cgi?id=1037193
almost identical
Comment 6 Bernhard Wiedemann 2015-09-07 18:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (944460) was mentioned in
https://build.opensuse.org/request/show/329575 13.2 / spice
https://build.opensuse.org/request/show/329576 Leap:42.1 / spice
Comment 7 Cédric Bosdonnat 2015-09-14 12:06:29 UTC
Patches propagating to distros
Comment 8 Swamp Workflow Management 2015-09-17 07:09:48 UTC
openSUSE-SU-2015:1566-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 944460
CVE References: CVE-2015-3247
Sources used:
openSUSE 13.2 (src):    spice-0.12.4-4.3.1
Comment 12 Swamp Workflow Management 2015-10-14 08:09:51 UTC
SUSE-SU-2015:1733-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 944460,948976
CVE References: CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    spice-0.12.4-8.5.1
SUSE Linux Enterprise Server 12 (src):    spice-0.12.4-8.5.1
SUSE Linux Enterprise Desktop 12 (src):    spice-0.12.4-8.5.1
Comment 13 Swamp Workflow Management 2015-10-15 08:10:17 UTC
openSUSE-SU-2015:1750-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 848279,944460,944787,948976
CVE References: CVE-2013-4282,CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
openSUSE 13.2 (src):    spice-0.12.4-4.6.1
openSUSE 13.1 (src):    spice-0.12.4-2.3.1
Comment 15 Marcus Meissner 2016-05-07 08:23:30 UTC
released
Comment 16 Swamp Workflow Management 2016-05-07 11:08:01 UTC
SUSE-SU-2016:1259-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 944460,944787,948976
CVE References: CVE-2015-3247,CVE-2015-5260,CVE-2015-5261
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    spice-0.12.4-5.1
SUSE Linux Enterprise Server 11-SP4 (src):    spice-0.12.4-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    spice-0.12.4-5.1