reds_handle_ticket uses a fixed-size 'password' buffer for the decrypted password whose size is SPICE_MAX_PASSWORD_LENGTH. However, RSA_private_decrypt which we call for the decryption expects the destination buffer to be at least RSA_size(link->tiTicketing.rsa) bytes long. A remote attacker able to initiate a spice connection to the guest could use this flaw to crash the guest.

Acknowledgements: This issue was discovered by Tomas Jamrisko of Red Hat.
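The buffer-size mismatch described above and one way to avoid it, as an added example that is not code from spice or from the fix: decrypt into a scratch buffer sized from the key, then bounds-check before copying into the fixed-size password buffer. The names `decrypt_fn`, `fake_decrypt` and `decrypt_ticket`, the value 60 for the password limit and the 128-byte key size are assumptions made for the example; `fake_decrypt` is a constructed stand-in for the RSA call so the block runs without a crypto library.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_PASSWORD_LENGTH 60 /* stands in for SPICE_MAX_PASSWORD_LENGTH; value assumed */

/* Hypothetical stand-in for the RSA decrypt call: it may write up to key_size
 * bytes to `to` and returns the plaintext length, or -1 on error. */
typedef int (*decrypt_fn)(const unsigned char *from, size_t flen,
                          unsigned char *to, size_t key_size);

/* Constructed test double: "decrypts" by copying its input, so the plaintext
 * length is chosen by the sender, up to key_size. */
static int fake_decrypt(const unsigned char *from, size_t flen,
                        unsigned char *to, size_t key_size)
{
    if (flen > key_size) return -1;
    memcpy(to, from, flen);
    return (int)flen;
}

/* Flawed shape from the report: the decrypt call is handed password[] directly,
 * although it may write key_size bytes and key_size > MAX_PASSWORD_LENGTH.
 * Hardened shape: decrypt into scratch sized from the key, bounds-check, copy.
 * Returns 0 on success, -1 on decrypt failure or over-long plaintext. */
int decrypt_ticket(decrypt_fn dec, size_t key_size, const unsigned char *ct,
                   size_t ct_len, char password[MAX_PASSWORD_LENGTH])
{
    int rc = -1;
    unsigned char *scratch = key_size ? calloc(1, key_size) : NULL;
    if (scratch == NULL) return -1;
    int n = dec(ct, ct_len, scratch, key_size);
    if (n >= 0 && (size_t)n < MAX_PASSWORD_LENGTH) { /* leave room for NUL */
        memcpy(password, scratch, (size_t)n);
        password[n] = '\0';
        rc = 0;
    }
    memset(scratch, 0, key_size); /* real code: use a cleanse the compiler cannot elide */
    free(scratch);
    return rc;
}

int main(void)
{
    char password[MAX_PASSWORD_LENGTH];
    unsigned char oversized[100]; /* constructed input: 100-byte "plaintext" */
    memset(oversized, 'A', sizeof oversized);
    int rc = decrypt_ticket(fake_decrypt, 128, oversized, sizeof oversized, password);
    printf("oversized ticket -> %d\n", rc);
    return 0;
}
```

An over-long plaintext is rejected and the caller's password buffer is left untouched; only the key-sized scratch buffer ever receives the raw decrypt output.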
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1474 https://rhn.redhat.com/errata/RHSA-2013-1474.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1473 https://rhn.redhat.com/errata/RHSA-2013-1473.html

This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:1460 https://rhn.redhat.com/errata/RHSA-2013-1460.html