Bugzilla – Bug 982386
VUL-0: CVE-2016-2150: spice: guest escape using crafted primary surface parameters
Last modified: 2021-06-08 22:30:46 UTC
CRD: 2016-06-06

Hi all,

There are two issues in spice. There's a small description below, I've attached our patches to this mail (from our RHEL7, not sure how well they apply to the newest upstream or older versions).

Both of them are still embargoed, there's no coordinated release date set yet. Will anyone need >2 weeks?

I can share reproducers/instructions upon request. However, I remember that at least CVE-2016-0749 was rather painful to reproduce and I forgot the exact steps that I took already, so I probably won't be able to help you very much there.

CVE-2016-2150:
==============
It was found that one malicious guest inside a virtual machine can take control of the corresponding Qemu process in the host using crafted primary surface parameters. This issue is similar to CVE-2015-5261, but it's using a different path in the code.

Discovered by: Frediano Ziglio, Red Hat

Patches:
0067-create-a-function-to-validate-surface-parameters.patch
0068-improve-primary-surface-parameter-checks.patch
Created attachment 678945: 0067-create-a-function-to-validate-surface-parameters.patch
Created attachment 678946: 0068-improve-primary-surface-parameter-checks.patch
bugbot adjusting priority
is public now
SUSE-SU-2016:1559-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 944787,948976,982385,982386
CVE References: CVE-2015-5260,CVE-2015-5261,CVE-2016-0749,CVE-2016-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): spice-0.12.5-4.1
SUSE Linux Enterprise Server 12-SP1 (src): spice-0.12.5-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src): spice-0.12.5-4.1

SUSE-SU-2016:1561-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): spice-0.12.4-8.9.1
SUSE Linux Enterprise Server 12 (src): spice-0.12.4-8.9.1
SUSE Linux Enterprise Desktop 12 (src): spice-0.12.4-8.9.1
This is an autogenerated message for OBS integration:
This bug (982386) was mentioned in
https://build.opensuse.org/request/show/401753 42.1 / spice

This is an autogenerated message for OBS integration:
This bug (982386) was mentioned in
https://build.opensuse.org/request/show/401858 13.2 / spice
openSUSE-SU-2016:1725-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
openSUSE 13.2 (src): spice-0.12.4-4.12.1

openSUSE-SU-2016:1726-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 982385,982386
CVE References: CVE-2016-0749,CVE-2016-2150
Sources used:
openSUSE Leap 42.1 (src): spice-0.12.5-8.1
close
This is an autogenerated message for OBS integration:
This bug (982386) was mentioned in
https://build.opensuse.org/request/show/454133 Factory / spice
Submitted for SLE11-SP4.
SUSE-SU-2021:14744-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1177158,1181686,982386
CVE References: CVE-2016-2150,CVE-2020-14355,CVE-2021-20201
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): spice-0.12.4-21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): spice-0.12.4-21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.