spice: Arbitrary code execution — GLSA 202007-30

A buffer overread has been discovered in spice possibly allowing remote execution of code.

Affected packages

app-emulation/spice on all architectures
Affected versions < 0.14.2
Unaffected versions >= 0.14.2

Background

spice provides a complete open source solution for remote access to virtual machines in a seamless way, so you can play videos, record audio, share USB devices, and share folders without complications.

Description

A flaw in spice’s memory handling code has been discovered, allowing an out-of-bounds read.

Impact

A remote attacker may be able to send malicious packets causing remote code execution.

Workaround

There is no known workaround at this time.

Resolution

All spice users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-emulation/spice-0.14.2"
 
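As an added check, not part of the advisory itself, the following POSIX shell script decides whether a given app-emulation/spice version falls in the affected range (< 0.14.2) and scans the Portage installed-package database for affected installs. It assumes the standard /var/db/pkg/<category>/<package>-<version> layout; on a host without that directory the scan simply reports nothing.

```shell
#!/bin/sh
# Added example for GLSA 202007-30 (not Gentoo's own tooling):
# flag installed app-emulation/spice versions below the fixed release.
FIXED="0.14.2"

# Reduce a Gentoo version (e.g. 0.14.0_rc1-r2) to its dotted numeric part.
numeric_version() {
    v="${1%%-r*}"      # drop Gentoo revision suffix -rN
    v="${v%%_*}"       # drop _alpha/_beta/_pre/_rc suffix
    printf '%s\n' "$v"
}

# version_lt A B: exit 0 when A is numerically lower than B, field by field.
# A trailing dot is appended so cut never echoes a delimiter-less line whole.
version_lt() {
    a="$(numeric_version "$1")"
    b="$(numeric_version "$2")"
    i=1
    while :; do
        x="$(printf '%s.\n' "$a" | cut -d. -f"$i")"
        y="$(printf '%s.\n' "$b" | cut -d. -f"$i")"
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all fields equal: not lower
        x="${x:-0}"; y="${y:-0}"                  # missing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# spice_affected VERSION: exit 0 when VERSION is below 0.14.2.
spice_affected() {
    version_lt "$1" "$FIXED"
}

# Walk the Portage VDB (assumed path) and print one verdict per install.
# Names like spice-protocol-* share the prefix, so only numeric suffixes count.
check_installed_spice() {
    for dir in /var/db/pkg/app-emulation/spice-*; do
        [ -d "$dir" ] || continue
        ver="${dir##*/spice-}"
        case "$ver" in [0-9]*) ;; *) continue ;; esac
        if spice_affected "$ver"; then
            printf 'app-emulation/spice-%s: AFFECTED, upgrade to >=%s\n' "$ver" "$FIXED"
        else
            printf 'app-emulation/spice-%s: not affected\n' "$ver"
        fi
    done
}
```

Run `check_installed_spice` on the host after sourcing the script; the verdict uses numeric comparison, so 0.9.x correctly sorts below 0.14.2 where a plain string compare would not.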

References

Release date
July 27, 2020

Latest revision
July 27, 2020: 1

Severity
normal

Exploitable
remote

Bugzilla entries