Bug 568699 (CVE-2010-0428)

Summary: CVE-2010-0428 libspice: Insufficient guest provided pointers validation
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: alexl, apevec, bsanford, cmeadors, ehabkost, iheim, jrb, kraxel, kreilly, plyons, sct, security-response-team, tburke, uril
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-04 14:08:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 568719, 568720, 568721, 568722, 568811, 833974    
Bug Blocks:    

Description Petr Matousek 2010-02-26 12:09:54 UTC 
Izik Eidus found a bug in QEMU that allows priviledged guest user
to touch arbitrary memory in the hosting QEMU process. The bug is in
QXL/libspice code. Guest and host share region of memory and
use it to communicate with each other. Malicious user can use the
lack of validation of pointers embedded into data structures in
this memory area to touch host's abitrary memory location and/or make
the hosting QEMU process crash by dereferencing invalid pointer.
Comment 7 errata-xmlrpc 2010-08-19 21:26:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0633 https://rhn.redhat.com/errata/RHSA-2010-0633.html
Comment 8 errata-xmlrpc 2010-08-19 21:45:28 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Virtualization for RHEL-5

Via RHSA-2010:0622 https://rhn.redhat.com/errata/RHSA-2010-0622.html