MGASA-2016-0250

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2016-0250.html

Import Source

https://advisories.mageia.org/MGASA-2016-0250.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2016-0250

Related

Published

2016-07-08T20:41:17Z

Modified

2016-07-08T20:34:23Z

Summary

Updated spice packages fix security vulnerabilities

Details

Updated spice packages fix security vulnerabilities:

A memory allocation flaw, leading to a heap-based buffer overflow, was found in spice's smartcard interaction, which runs under the QEMU-KVM context on the host. A user connecting to a guest VM using spice could potentially use this flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges of the host's QEMU-KVM process (CVE-2016-0749).

A memory access flaw was found in the way spice handled certain guests using crafted primary surface parameters. A user in a guest could use this flaw to read from and write to arbitrary memory locations on the host (CVE-2016-2150).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / spice

Package

Name: spice
Purl: pkg:rpm/mageia/spice?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.12.5-2.3.mga5

Ecosystem specific

{
    "section": "core"
}