~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2016-06-09
Candidate: CVE-2016-0749
PublicDate: 2016-06-09
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0749
 http://www.ubuntu.com/usn/usn-3014-1
Description:
 The smartcard interaction in SPICE allows remote attackers to cause a
 denial of service (QEMU-KVM process crash) or possibly execute arbitrary
 code via vectors related to connecting to a guest VM, which triggers a
 heap-based buffer overflow.
Ubuntu-Description:
Notes:
 mdeslaur> technically, this doesn't affect trusty since it is compiled
 mdeslaur> with --disable-smartcard.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826585
Priority: medium
Discovered-by: Jing Zhao
Assigned-to: mdeslaur

Patches_spice:
upstream_spice: needs-triage
precise_spice: ignored (reached end-of-life)
precise/esm_spice: DNE (precise was needed)
trusty_spice: released (0.12.4-0nocelt2ubuntu1.3)
vivid/stable-phone-overlay_spice: DNE
vivid/ubuntu-core_spice: DNE
wily_spice: released (0.12.5-1.1ubuntu2.1)
xenial_spice: released (0.12.6-4ubuntu0.1)
yakkety_spice: released (0.12.6-4ubuntu1)
zesty_spice: released (0.12.6-4ubuntu1)
devel_spice: released (0.12.6-4ubuntu1)