oss-sec mailing list archives

spice-server: CVE-2016-9577, CVE-2016-9578: remote DoS and buffer overflow from crafted messages


From: Doran Moppert <dmoppert () redhat com>
Date: Thu, 23 Feb 2017 18:26:20 +1030

Two vulnerabilities in the server component of SPICE
<https://spice-space.org/> were recently assigned CVEs by Red Hat -
distros got notified during embargo, but I neglected to follow up here:

 - CVE-2016-9577 spice: Buffer overflow in main_channel_alloc_msg_rcv_buf
   <https://bugzilla.redhat.com/show_bug.cgi?id=1401603>

 - CVE-2016-9578 spice: Remote DoS via crafted message
   <https://bugzilla.redhat.com/show_bug.cgi?id=1399566>

Both of these attacks are accessible to unauthenticated attackers that
can make connections to the SPICE server.  CVE-2016-9577 may lead to
code execution (heap overflow), while the impact of CVE-2016-9578 is
limited to denial of service.

Both issues were reported by Frediano Ziglio, and fixed in the following
upstream commits:

https://cgit.freedesktop.org/spice/spice/commit/?id=ec124b982abcd23364963ffcd4c370b1ec962fc9
https://cgit.freedesktop.org/spice/spice/commit/?id=e16eee1d8be00b186437bf61e4e1871cd8d0211a
https://cgit.freedesktop.org/spice/spice/commit/?id=1d3e26c0ee75712fa4bbbcfa09d8d5866b66c8af


-- 
Doran Moppert
Red Hat Product Security
