A vulnerability was found in spice-vdagent. On macOS and BSD platforms, the dummy-session-info.c:session_info_create() function unconditionally returns NULL because neither ConsoleKit nor systemd-logind exists. In vdagentd.c:agent_connect(), the entire UID/PID verification block is wrapped inside a conditional check on session_info. When session_info is NULL (always the case on macOS/BSD), zero authentication is performed. Any process that connects to the UDSCS socket is silently accepted as the daemon's trusted agent, allowing an unprivileged local user to become active_session_conn with no credential checks.

This enables receiving all host-to-guest messages (clipboard data, file transfers, monitor config), injecting clipboard data to the SPICE host, intercepting file transfers, and preventing the legitimate agent from becoming active.

Additionally, the check_uid_of_pid() function reads /proc/%u/status, which does not exist on macOS/Darwin. On Linux with systemd-logind, the daemon logs "UID mismatch" but reportedly still processes commands from unauthorized connections. Note: macOS/BSD is not a platform shipped by Red Hat, but the vulnerability exists in the upstream spice-vdagent codebase.
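
The fail-open pattern described above, reduced to a small model beside a fail-closed variant. This is an added example, not spice-vdagent's code: the struct, enum and function names are hypothetical, the sample UIDs and PIDs are constructed, and the log-only mismatch branch models the reported Linux behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model types for illustration; not spice-vdagent's structures. */
struct session_info { uid_t active_uid; };   /* NULL when no session backend exists */
struct peer { pid_t pid; uid_t uid; };       /* socket peer as reported by the kernel */

enum verdict { V_ACCEPT, V_NO_SESSION_INFO, V_UID_MISMATCH };

/* Pattern from the report: verification only runs inside if (si), and a
 * mismatch is logged without ending the connection (modelled here). */
static enum verdict connect_fail_open(const struct session_info *si,
                                      const struct peer *p)
{
    if (si) {
        if (p->uid != si->active_uid)
            fprintf(stderr, "UID mismatch (pid %ld)\n", (long)p->pid);
    }
    return V_ACCEPT;   /* reached on every path, including si == NULL */
}

/* Fail-closed variant: no session info means no way to verify, so reject;
 * a mismatch is a verdict the caller must act on, not just a log line. */
static enum verdict connect_fail_closed(const struct session_info *si,
                                        const struct peer *p)
{
    if (si == NULL)
        return V_NO_SESSION_INFO;
    if (p->uid != si->active_uid)
        return V_UID_MISMATCH;
    return V_ACCEPT;
}

int main(void)
{
    /* Constructed sample values. */
    struct session_info si = { 1000 };
    struct peer owner = { 4242, 1000 }, other = { 4343, 1001 };
    const struct session_info *backends[] = { NULL, &si };
    const struct peer *peers[] = { &owner, &other };

    for (size_t b = 0; b < 2; b++)
        for (size_t i = 0; i < 2; i++)
            printf("session_info=%s peer_uid=%ld open=%d closed=%d\n",
                   backends[b] ? "present" : "NULL", (long)peers[i]->uid,
                   connect_fail_open(backends[b], peers[i]),
                   connect_fail_closed(backends[b], peers[i]));
    return 0;
}
```

Failing closed leaves a platform without a session backend with no accepted agent until the daemon has another source of truth for the expected user; on BSD and macOS the peer UID of a Unix socket is available from getpeereid().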