A vulnerability in SPICE VDAgent could allow local attackers to execute arbitrary commands.
Package | app-emulation/spice-vdagent on all architectures |
---|---|
Affected versions | < 0.17.0_p20180319 |
Unaffected versions | >= 0.17.0_p20180319 |
Provides a complete open source solution for remote access to virtual machines in a seamless way so you can play videos, record audio, share USB devices and share folders without complications.
SPICE VDAgent does not properly escape save directory before passing to shell.
A local attacker could execute arbitrary commands.
There is no known workaround at this time.
All SPICE VDAgent users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/spice-vdagent-0.17.0_p20180319"
Release date
April 08, 2018
Latest revision
April 08, 2018: 1
Severity
normal
Exploitable
local
Bugzilla entries