reds_handle_ticket uses a fixed-size 'password' buffer of SPICE_MAX_PASSWORD_LENGTH bytes for the decrypted password. However, RSA_private_decrypt, which we call for the decryption, expects the destination buffer to be at least RSA_size(link->tiTicketing.rsa) bytes long.
A remote attacker able to initiate a SPICE connection to the guest could use this flaw to crash the guest.
Acknowledgements:
This issue was discovered by Tomas Jamrisko of Red Hat.
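
The sizing rule described above, as an added example (not SPICE's own code and not the fix that was shipped): decrypt into a scratch buffer sized from the key, then copy into the fixed-size password buffer only after a length check. model_decrypt is a hypothetical stand-in for RSA_private_decrypt so the block runs without OpenSSL, and the values of SPICE_MAX_PASSWORD_LENGTH and KEY_SIZE are assumed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPICE_MAX_PASSWORD_LENGTH 60 /* assumed value for this example */
#define KEY_SIZE 128                 /* constructed: a 1024-bit modulus in bytes */

/* Hypothetical stand-in for RSA_private_decrypt(): like the real call it may
 * write up to key_size bytes to `to`, and returns the plaintext length or -1.
 * Here the "ciphertext" is simply the plaintext, so the block runs offline. */
static int model_decrypt(const unsigned char *in, size_t in_len,
                         unsigned char *to, size_t key_size)
{
    if (in_len > key_size)
        return -1;
    memcpy(to, in, in_len);
    return (int)in_len;
}

/* Decrypt into a scratch buffer sized from the key, then copy into the
 * fixed-size password buffer only if the result fits with its terminator.
 * Returns 0 on success, -1 if the ticket is rejected. */
int handle_ticket(const unsigned char *msg, size_t msg_len, size_t key_size,
                  char password[SPICE_MAX_PASSWORD_LENGTH])
{
    unsigned char *plain = malloc(key_size);
    int n, rc = -1;
    if (plain == NULL)
        return -1;
    n = model_decrypt(msg, msg_len, plain, key_size);
    if (n >= 0 && (size_t)n < SPICE_MAX_PASSWORD_LENGTH) {
        memcpy(password, plain, (size_t)n);
        password[n] = '\0';
        rc = 0;
    }
    memset(plain, 0, key_size); /* best-effort scrub; real code: OPENSSL_cleanse */
    free(plain);
    return rc;
}

int main(void)
{
    char pw[SPICE_MAX_PASSWORD_LENGTH];
    unsigned char oversized[100]; /* constructed: fits the key, not the buffer */
    memset(oversized, 'A', sizeof oversized);
    printf("short ticket:     %d\n", handle_ticket((const unsigned char *)"s3cret-ticket", 13, KEY_SIZE, pw));
    printf("oversized ticket: %d\n", handle_ticket(oversized, sizeof oversized, KEY_SIZE, pw));
    return 0;
}
```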