SPICE VDAgent: Arbitrary command injection — GLSA 201804-09

A vulnerability in SPICE VDAgent could allow local attackers to execute arbitrary commands.

Affected packages

app-emulation/spice-vdagent on all architectures
Affected versions < 0.17.0_p20180319
Unaffected versions >= 0.17.0_p20180319

Background

Provides a complete open source solution for remote access to virtual machines in a seamless way so you can play videos, record audio, share USB devices and share folders without complications.

Description

SPICE VDAgent does not properly escape the save directory before passing it to a shell.
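The bug class described above, shown as an added example that is not SPICE VDAgent's code: a directory string pasted into a shell command line, next to the same check done with no shell at all. The function names, the `test -d` command and the sample directory name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a directory name holding a single quote and shell syntax. */
static const char *SAMPLE_DIR = "x'; exit 42; '";

/* Unsafe pattern: the directory is interpolated into a command line that
 * /bin/sh parses, so a quote inside it ends the quoting and the remainder
 * is read as shell syntax. Returns the shell's exit status. */
int check_dir_via_shell(const char *dir)
{
    char cmd[512];
    int status;

    snprintf(cmd, sizeof(cmd), "test -d '%s'", dir);
    status = system(cmd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hardened pattern: no shell is involved; the directory is a single argv
 * element, so its bytes are never parsed as syntax. Returns test's status. */
int check_dir_via_exec(const char *dir)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("test", "test", "-d", dir, (char *)NULL);
        _exit(127); /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("via shell: %d\n", check_dir_via_shell(SAMPLE_DIR));
    printf("via exec:  %d\n", check_dir_via_exec(SAMPLE_DIR));
    return 0;
}
```

An exit status of 42 from the shell variant shows that part of the directory name ran as shell code; the exec variant reports only that no such directory exists.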

Impact

A local attacker could execute arbitrary commands.

Workaround

There is no known workaround at this time.

Resolution

All SPICE VDAgent users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-emulation/spice-vdagent-0.17.0_p20180319"

Release date
April 08, 2018

Latest revision
April 08, 2018: 1

Severity
normal

Exploitable
local

Bugzilla entries