Mageia alert MGASA-2016-0250 (spice)

From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2016-0250: Updated spice packages fix security vulnerabilities 
Date:
    	       Fri, 8 Jul 2016 22:41:41 +0200
Message-ID:
    	       <20160708204141.636A59F754@duvel.mageia.org>
MGASA-2016-0250 - Updated spice packages fix security vulnerabilities

Publication date: 08 Jul 2016
URL: http://advisories.mageia.org/MGASA-2016-0250.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-0749,
     CVE-2016-2150

Description:
Updated spice packages fix security vulnerabilities:

A memory allocation flaw, leading to a heap-based buffer overflow, was found in
spice's smartcard interaction, which runs under the QEMU-KVM context on the
host. A user connecting to a guest VM using spice could potentially use this
flaw to crash the QEMU-KVM process or execute arbitrary code with the privileges
of the host's QEMU-KVM process (CVE-2016-0749).

A memory access flaw was found in the way spice handled certain guests using
crafted primary surface parameters. A user in a guest could use this flaw to
read from and write to arbitrary memory locations on the host (CVE-2016-2150).

References:
- https://bugs.mageia.org/show_bug.cgi?id=18649
- https://rhn.redhat.com/errata/RHSA-2016-1205.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0749
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2150

SRPMS:
- 5/core/spice-0.12.5-2.3.mga5

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2016-0250: Updated spice packages fix security vulnerabilities
Date:		Fri, 8 Jul 2016 22:41:41 +0200
Message-ID:		<20160708204141.636A59F754@duvel.mageia.org>