Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1233238 - (CVE-2015-3247) CVE-2015-3247 spice: memory corruption in worker_update_monitors_config()
CVE-2015-3247 spice: memory corruption in worker_update_monitors_config()
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20150903,repo...
: Security
: 1230118 (view as bug list)
Depends On: 1230118 1238867 1239124 1239125 1239127 1239128 1241180 1241181 1260598
Blocks: 1206715 1233239
  Show dependency treegraph
 
Reported: 2015-06-18 09:58 EDT by Vasyl Kaigorodov
Modified: 2015-12-16 21:51 EST (History)
27 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A race condition flaw, leading to a heap-based memory corruption, was found in spice's worker_update_monitors_config() function, which runs under the QEMU-KVM context on the host. A user in a guest could leverage this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-30 07:12:34 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1713 normal SHIPPED_LIVE Important: rhev-hypervisor security, bug fix, and enhancement update 2015-09-03 17:08:30 EDT
Red Hat Product Errata RHSA-2015:1714 normal SHIPPED_LIVE Important: spice security update 2015-09-03 18:14:00 EDT
Red Hat Product Errata RHSA-2015:1715 normal SHIPPED_LIVE Important: spice-server security update 2015-09-03 16:47:06 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-06-18 09:58:41 EDT 
It was reported that function worker_update_monitors_config in spice-server contains a race condition which can be exploited as a heap corruption from the guest.

Suggested patch: https://bugzilla.redhat.com/attachment.cgi?id=1037193

Acknowledgements:

This issue was discovered by Frediano Ziglio of Red Hat.
Comment 14 errata-xmlrpc 2015-09-03 12:47:32 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1715 https://rhn.redhat.com/errata/RHSA-2015-1715.html
Comment 15 errata-xmlrpc 2015-09-03 13:09:33 EDT 
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6
  RHEV-H and Agents for RHEL-7

Via RHSA-2015:1713 https://rhn.redhat.com/errata/RHSA-2015-1713.html
Comment 16 errata-xmlrpc 2015-09-03 14:14:41 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1714 https://rhn.redhat.com/errata/RHSA-2015-1714.html
Comment 17 Huzaifa S. Sidhpurwala 2015-09-07 06:55:15 EDT 
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260598]
Comment 18 Stefan Cornelius 2015-09-07 10:23:37 EDT 
*** Bug 1230118 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.