There is a race in spice-xpi when a local attacker is able to create a Unix socket with the expected name that is used for parameter passing (password, cert file) between spice-xpi and the spice client.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2010:0632 https://rhn.redhat.com/errata/RHSA-2010-0632.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, via RHSA-2010:0651 https://rhn.redhat.com/errata/RHSA-2010-0651.html
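As an added illustration of the bug class in the description (not spice-xpi's code and not the fix shipped in the errata), the sketch below shows one general defence against a pre-created socket with an expected name: the listener binds inside a fresh `mkdtemp()` directory, and the sender checks ownership and permissions before it connects and writes any secret. The `/tmp/xpi-demo-` prefix, `ctl.sock` and both function names are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#define SOCK_NAME "ctl.sock"          /* constructed name, not spice-xpi's */

/* Listener side: bind inside a new mode-0700 directory with a random name,
 * so no other local user can create or replace the socket path first.
 * Writes the directory to dir and returns the listening fd, or -1. */
int bind_private(char *dir, size_t len)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int fd;

    snprintf(dir, len, "/tmp/xpi-demo-XXXXXX");
    if (!mkdtemp(dir))                /* fails rather than reuse a name */
        return -1;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/" SOCK_NAME, dir);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Sender side: refuse to connect unless the directory is ours with no
 * group/other access and the entry is a socket we own. With the directory
 * locked down, nobody else can swap the entry between check and connect.
 * Returns a connected fd, or -1 if any check fails. */
int connect_verified(const char *dir)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    struct stat d, s;
    int fd;

    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/" SOCK_NAME, dir);
    if (lstat(dir, &d) < 0 || !S_ISDIR(d.st_mode) ||
        d.st_uid != geteuid() || (d.st_mode & 077))
        return -1;
    if (lstat(sa.sun_path, &s) < 0 || !S_ISSOCK(s.st_mode) ||
        s.st_uid != geteuid())
        return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;                        /* only now is it safe to send secrets */
}
```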