Bugzilla – Bug 1214684
VUL-0: CVE-2020-23793: spice,spice-gtk: improper input validation in function async_READ_handler
Last modified: 2023-08-30 13:11:01 UTC
CVE-2020-23793: An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Red Hat's VDI product. There is a security vulnerability that can restart a KVM virtual machine without any authorization. It is not yet known if there will be other effects.

References:
https://github.com/zelat/spice-security-issues
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-23793
https://bugzilla.redhat.com/show_bug.cgi?id=2234984
https://www.cve.org/CVERecord?id=CVE-2020-23793
The recommended fix given in the Red Hat bug, https://bugzilla.redhat.com/show_bug.cgi?id=2234984, is already in our older distros and is part of the newer distro tarballs. See bsc#1023079 (CVE-2016-9578) for the patch for the older distros.

Fix is part of the tarball: SLE-15-SP1/SP2/SP3/SP4/SP5
Patch CVE-2016-9578-remote-dos-via-crafted-message.patch already included for: SLE-12-SP1/SP2/SP3/SP4/SP5, SLE11-SP4

I don't think there is anything more to be done.
Closing this since it was already fixed.