Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1452606 - (CVE-2017-7506) CVE-2017-7506 spice: Possible buffer overflow via invalid monitor configurations
CVE-2017-7506 spice: Possible buffer overflow via invalid monitor configurations
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1456646 1456647 1467533 1467534 1469376 1469377 1469378 1481885 1481886 1533710
Blocks: 1452607
  Show dependency treegraph
Reported: 2017-05-19 06:30 EDT by Adam Mariš
Modified: 2018-11-15 02:42 EST (History)
30 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in spice server's protocol handling. An authenticated attacker could send specially crafted messages to the spice server, causing out-of-bounds memory accesses, leading to parts of server memory being leaked or a crash.
Story Points: ---
Clone Of:
Last Closed: 2018-11-08 02:17:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2471 normal SHIPPED_LIVE Important: spice security update 2017-08-15 03:49:20 EDT
Red Hat Product Errata RHSA-2018:3522 None None None 2018-11-07 18:01 EST

  None (edit)
Description Adam Mariš 2017-05-19 06:30:32 EDT
For authenticated client it is possible to cause buffer overflow via sending invalid monitor configurations.

Proposed patch:


Product bug:

Comment 1 Adam Mariš 2017-05-19 06:30:46 EDT

Name: Frediano Ziglio (Red Hat)
Comment 3 Frediano Ziglio 2017-05-25 04:02:59 EDT
Yes, there are mainly 2 issues:
1) number of monitors bigger than the number of items. This will lead some copy from host to client (the number is capped to 64 by Qemu). This is similar to heartbleed bug;
2) integer overflow of buffer_size. If you get a negative number this will probably cause realloc to return NULL and the VM will be closed with an abort. Using very large buffer (>2GB, you are copying from guest to host, not impossible) you can cause the integer overflow to leap and the memcpy will do a big copy. You can control the content of this big copy but how you can avoid a crash and use this overflow is behind my knowledge but maybe you can use different leap and knowing the realloc implementation avoid too big overflows.
Comment 17 Doran Moppert 2017-07-11 03:09:22 EDT
Created spice tracking bugs for this issue:

Affects: fedora-all [bug 1469377]
Comment 25 errata-xmlrpc 2017-08-14 23:50:01 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2471 https://access.redhat.com/errata/RHSA-2017:2471
Comment 30 errata-xmlrpc 2018-11-07 18:00:50 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:3522 https://access.redhat.com/errata/RHSA-2018:3522

Note You need to log in before you can comment on or make changes to this bug.