Bug 1260822 - (CVE-2015-5260) CVE-2015-5260 spice: insufficient validation of surface_id parameter can cause crash
CVE-2015-5260 spice: insufficient validation of surface_id parameter can caus...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1259783 1260908 1260971 1262769 1262770 1262771 1272346
Blocks: 1260823
  Show dependency treegraph
Reported: 2015-09-07 20:52 EDT by Summer Long
Modified: 2015-10-16 03:45 EDT (History)
14 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A heap-based buffer overflow flaw was found in the way spice handled certain QXL commands related to the "surface_id" parameter. A user in a guest could use this flaw to crash the host QEMU-KVM process or, possibly, execute arbitrary code with the privileges of the host QEMU-KVM process.
Story Points: ---
Clone Of:
Last Closed: 2015-10-15 14:40:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1889 normal SHIPPED_LIVE Important: spice-server security update 2015-10-12 19:07:08 EDT
Red Hat Product Errata RHSA-2015:1890 normal SHIPPED_LIVE Important: spice security update 2015-10-12 20:20:55 EDT

  None (edit)
Description Summer Long 2015-09-07 20:52:17 EDT
surface_id is a field for many QXL commands (commands that a guest can freely craft and send). Particularly are used to create and destroy new surfaces. This field is used as an index for a static allocated array.
In different paths, the value passes without being stopped (in many cases it just give some warnings if enabled) so you can corrupt memory very easily.
A client can be modified to produce memory corruption. Although it is not easy to write specific data at a specific offset, it is still possible to write some value at some offset (dirtying near data). This means that the problem can be used for heap corruption which is usually exploitable.
Comment 1 Martin Prpič 2015-09-08 04:00:41 EDT
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1260908]
Comment 10 Martin Prpič 2015-10-06 04:26:55 EDT

This issue was discovered by Frediano Ziglio of Red Hat.
Comment 11 errata-xmlrpc 2015-10-12 15:08:51 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1889 https://rhn.redhat.com/errata/RHSA-2015-1889.html
Comment 12 errata-xmlrpc 2015-10-12 16:21:07 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1890 https://rhn.redhat.com/errata/RHSA-2015-1890.html

Note You need to log in before you can comment on or make changes to this bug.