CESA-2016:1205 -- centos 7 spice
ID: oval:org.secpod.oval:def:203946 | Date: (C)2016-06-09 (M)2023-02-20 |
Class: PATCH | Family: unix |
The Simple Protocol for Independent Computing Environments (spice) is a remote display system built for virtual environments. It allows the user to view a computing "desktop" environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

Security Fix:

* CVE-2016-0749: A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host's QEMU-KVM process.

* CVE-2016-2150: A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host.

Both flaws are reached from the untrusted side of the virtualization boundary (a remote spice client in the first case, code running inside the guest in the second) and land in the host's QEMU-KVM process, so they are client-to-host and guest-to-host issues, not guest-local ones. Note also that spice-server is a library loaded by qemu-kvm: virtual machines that were already running when the package was updated keep executing the old code until they are restarted.

The CVE-2016-0749 issue was discovered by Jing Zhao and the CVE-2016-2150 issue was discovered by Frediano Ziglio.
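Checking whether a CentOS 7 host actually carries this update is what a PATCH-class OVAL definition like this one does: confirm the package is installed and that its version-release is at or above the fixed build. The script below is an added example, not part of the OVAL definition, of SecPod's tooling or of the spice project. It assumes the package name spice-server, ignores the RPM epoch (spice-server has none), and leaves out rpmvercmp's "~" and "^" rules; the FIXED_VR value is a placeholder assumption, because this page does not state the fixed version-release, and must be taken from the advisory's package list. The sample rpm -q lines used in the comments and usage are constructed.

```shell
#!/bin/sh
# Added example (not from the OVAL definition or the spice project):
# decide whether an installed spice-server build is at or above the
# build that carries the CESA-2016:1205 fixes, the same test a PATCH-class
# OVAL definition performs.
# FIXED_VR is a placeholder assumption: this page does not state the fixed
# version-release, so take the real value from the advisory's package list.
FIXED_VR="${FIXED_VR:-0.12.4-15.el7_2.1}"

out() { printf '%s\n' "$1"; }

# True when $1 consists only of ASCII digits.
is_num() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Split a version or release string into space-separated segments the way
# rpmvercmp() walks it: separators dropped, digit runs and letter runs kept
# apart, e.g. "15.el7_2.1" becomes "15 el 7 2 1".
segments() {
    printf '%s' "$1" | sed -e 's/[^A-Za-z0-9][^A-Za-z0-9]*/ /g' \
                           -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
                           -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
                           -e 's/^ *//'
}

# Print -1, 0 or 1 for $1 <, =, > $2 under simplified rpmvercmp ordering:
# numeric segments compare as integers, alphabetic ones lexically, a numeric
# segment outranks an alphabetic one, and when one side runs out of segments
# the side with segments left is newer. The "~" and "^" rules are omitted.
rpmvercmp() {
    local a b x y
    a=$(segments "$1"); b=$(segments "$2")
    while [ -n "$a" ] && [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
        case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
        if is_num "$x" && is_num "$y"; then
            # strip leading zeros so the shell does not misread 010
            x=$(printf '%s' "$x" | sed 's/^0*//'); x=${x:-0}
            y=$(printf '%s' "$y" | sed 's/^0*//'); y=${y:-0}
            if [ "$x" -lt "$y" ]; then out -1; return 0; fi
            if [ "$x" -gt "$y" ]; then out 1; return 0; fi
        elif is_num "$x"; then out 1; return 0
        elif is_num "$y"; then out -1; return 0
        else
            # the "x" prefix keeps expr from treating operands as numbers
            if expr "x$x" \< "x$y" >/dev/null; then out -1; return 0; fi
            if expr "x$x" \> "x$y" >/dev/null; then out 1; return 0; fi
        fi
    done
    if [ -n "$a" ]; then out 1; elif [ -n "$b" ]; then out -1; else out 0; fi
}

# Compare two "version-release" strings: version decides, release breaks
# ties. Epoch is ignored because spice-server carries none.
vrcmp() {
    local c
    c=$(rpmvercmp "${1%%-*}" "${2%%-*}")
    if [ "$c" -ne 0 ]; then out "$c"; return 0; fi
    rpmvercmp "${1#*-}" "${2#*-}"
}

# Reduce a constructed `rpm -q spice-server` line such as
# spice-server-0.12.4-15.el7_2.1.x86_64 to its version-release part.
vr_of() {
    local s
    s=${1#spice-server-}   # drop the package name
    s=${s%.*}              # drop the architecture suffix
    out "$s"
}

# Exit 0 when the build named in $1 is at or above the fixed build $2.
is_patched() {
    [ "$(vrcmp "$(vr_of "$1")" "$2")" -ge 0 ]
}

# Live check, only where rpm exists; multilib hosts may print two lines,
# in which case each line should be checked separately.
if command -v rpm >/dev/null 2>&1; then
    if nvra=$(rpm -q spice-server 2>/dev/null); then
        if is_patched "$nvra" "$FIXED_VR"; then
            out "$nvra: at or above $FIXED_VR, CESA-2016:1205 applied"
        else
            out "$nvra: below $FIXED_VR, missing fixes for CVE-2016-0749 / CVE-2016-2150"
        fi
    else
        out "spice-server not installed: not affected"
    fi
fi
```

Run it on the host as FIXED_VR=<value from the advisory> sh check-spice.sh; a result of "at or above" only proves the package on disk is fixed, so pair it with a check that no qemu-kvm process older than the update is still running.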