oss-sec mailing list archives

CVE-2019-3813: spice: Off-by-one error in array access in spice/server/memslot.c


From: Scott Gayou <sgayou () redhat com>
Date: Mon, 28 Jan 2019 11:53:15 -0700

Hello,

spice versions 0.5.2 through 0.14.1 are vulnerable to an out-of-bounds read
due to an off-by-one error in memslot_get_virt. This may lead to a
denial-of-service, or, in the worst case, code-execution by unauthenticated
attackers.

The attached patch fixes the issue in spice and is planned to be included
in the forthcoming release spice 0.14.2.

This issue was reported by Christophe Fergeau (Red Hat).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1665371

Thank you.

-- 
Scott Gayou / Red Hat Product Security

Attachment: 0001-memslot-Fix-off-by-one-error-in-group-slot-boundary-.patch
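
The bug class named in the advisory and in the patch title (an off-by-one in a group/slot boundary check), as an added illustration that is not code from spice or from the attached patch. The table layout, sizes and all function names are hypothetical; the off-by-one predicate only validates indices and never dereferences them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_GROUPS 2u   /* constructed sizes for this example */
#define NUM_SLOTS  4u

typedef struct { uintptr_t virt_start, virt_end; } slot_t;

typedef struct {
    uint32_t num_groups;
    uint32_t num_slots;
    slot_t   slots[NUM_GROUPS][NUM_SLOTS];
} slot_table_t;

/* Constructed sample table. */
static slot_table_t g_table = { .num_groups = NUM_GROUPS, .num_slots = NUM_SLOTS };

/* Off-by-one form: '>' lets an index equal to the count through. */
static int index_ok_buggy(const slot_table_t *t, uint32_t group, uint32_t slot)
{
    return !(group > t->num_groups || slot > t->num_slots);
}

/* Corrected form: valid indices are 0 .. count-1, so reject with '>='. */
static int index_ok_fixed(const slot_table_t *t, uint32_t group, uint32_t slot)
{
    return !(group >= t->num_groups || slot >= t->num_slots);
}

/* Lookup that only dereferences after the corrected check passes. */
static const slot_t *slot_lookup(const slot_table_t *t, uint32_t group, uint32_t slot)
{
    if (!index_ok_fixed(t, group, slot))
        return NULL;
    return &t->slots[group][slot];
}

int main(void)
{
    /* Boundary probes: last valid index, first invalid index, one past that. */
    uint32_t probes[] = { NUM_GROUPS - 1, NUM_GROUPS, NUM_GROUPS + 1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("group=%u buggy=%d fixed=%d lookup=%s\n", (unsigned)probes[i],
               index_ok_buggy(&g_table, probes[i], 0),
               index_ok_fixed(&g_table, probes[i], 0),
               slot_lookup(&g_table, probes[i], 0) ? "slot" : "NULL");
    return 0;
}
```

Only the index equal to the count separates the two predicates, which is why a regression test for this kind of fix should probe exactly that value for both the group and the slot index.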