Bug 1233238 (CVE-2015-3247)

Summary: CVE-2015-3247 spice: memory corruption in worker_update_monitors_config()
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acathrow, alonbl, astepano, bazulay, bmcclain, bsanford, carnil, cfergeau, dblechte, ddu, ecohen, fdeutsch, fidencio, gklein, idith, iheim, jrusnack, lsurette, michal.skrivanek, mkenneth, pstehlik, rbalakri, security-response-team, sherold, uril, ycui, yeylon
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A race condition flaw, leading to a heap-based memory corruption, was found in spice's worker_update_monitors_config() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-30 11:12:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1230118, 1238867, 1239124, 1239125, 1239127, 1239128, 1241180, 1241181, 1260598
Bug Blocks: 1206715, 1233239

Description Vasyl Kaigorodov 2015-06-18 13:58:41 UTC
It was reported that the function worker_update_monitors_config in spice-server contains a race condition which can be exploited as a heap corruption from the guest.

Suggested patch: https://bugzilla.redhat.com/attachment.cgi?id=1037193

Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.

Comment 14 errata-xmlrpc 2015-09-03 16:47:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1715 https://rhn.redhat.com/errata/RHSA-2015-1715.html

Comment 15 errata-xmlrpc 2015-09-03 17:09:33 UTC
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html

Comment 16 errata-xmlrpc 2015-09-03 18:14:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1714 https://rhn.redhat.com/errata/RHSA-2015-1714.html

Comment 17 Huzaifa S. Sidhpurwala 2015-09-07 10:55:15 UTC
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260598]

Comment 18 Stefan Cornelius 2015-09-07 14:23:37 UTC
*** Bug 1230118 has been marked as a duplicate of this bug. ***