Red Hat Bugzilla – Bug 620355
CVE-2010-2793 spice activex/spicec named pipe races
Last modified: 2015-08-19 04:51:59 EDT
There is a race in spice-activex when a local attacker is able to create a named pipe with the expected name that is used for parameter passing (password, cert file) between spice-activex and spice client.
Also ImpersonateNamedPipeClient() function that allows server to impersonate security context of connected user could be used to gain privileges of the spice user.
This issue has been addressed in following products:
Red Hat Enterprise Virtualization Manager
Via RHSA-2010:0818 https://rhn.redhat.com/errata/RHSA-2010-0818.html