Security Information / 2015 / Security Information -- DSA-3371-1 spice

Debian Security Advisory

DSA-3371-1 spice -- security update

Date Reported:

09 Oct 2015

Affected Packages:

spice

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 801089, Bug 801091.
In Mitre's CVE dictionary: CVE-2015-5260, CVE-2015-5261.

More information:

Frediano Ziglio of Red Hat discovered several vulnerabilities in spice, a SPICE protocol client and server library. A malicious guest can exploit these flaws to cause a denial of service (QEMU process crash), execute arbitrary code on the host with the privileges of the hosting QEMU process or read and write arbitrary memory locations on the host.

For the oldstable distribution (wheezy), these problems have been fixed in version 0.11.0-1+deb7u2.

For the stable distribution (jessie), these problems have been fixed in version 0.12.5-1+deb8u2.

For the unstable distribution (sid), these problems have been fixed in version 0.12.5-1.3.

We recommend that you upgrade your spice packages.