Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian Security Advisory DSA 3596-1 (spice - security update)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
Several vulnerabilities were discovered in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2016-0749 Jing Zhao of Red Hat discovered a memory allocation flaw, leading to a heap-based buffer overflow in spice's smartcard interaction. A user connecting to a guest VM via spice can take advantage of this flaw to cause a denial-of-service (QEMU process crash), or potentially to execute arbitrary code on the host with the privileges of the hosting QEMU process. CVE-2016-2150 Frediano Ziglio of Red Hat discovered that a malicious guest inside a virtual machine can take control of the corresponding QEMU process in the host using crafted primary surface parameters.
Affected Software
Affected Software
spice on Debian Linux
Detection Method
Detection Method
This check tests the installed software version using the apt package manager.
Solution
Solution
For the stable distribution (jessie), these problems have been fixed in version 0.12.5-1+deb8u3. We recommend that you upgrade your spice packages.