Date: Fri, 17 Aug 2018 10:21:42 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling

Frediano Ziglio reported a missing check in the code generated by spice-common/python_modules/demarshal.py, which could be exploited to cause integer overflow leading to a crash and/or heap OOB read/writes.

The generated code is used in both client and server, so both are vulnerable. The most obvious outcome is a crash (since the overflowed integers are very large), but it's possible a crafty attacker could leverage this into worse, even RCE.

Demarshalling code is only used post-authentication, so attacking a server would require valid credentials.

The attached patch fixes both demarshal.py and the generated code. This is planned to be included in forthcoming releases spice 0.14.1 and spice-gtk 0.36.

https://bugzilla.redhat.com/show_bug.cgi?id=1596008

--
Doran Moppert
Red Hat Product Security

View attachment "0001-Fix-flexible-array-buffer-overflow.patch" of type "text/plain" (11744 bytes)
Content of type "application/pgp-signature" skipped
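
The message names the bug class (a missing check before sizing a flexible array during demarshalling) without showing the check. The following is an added example, not code from spice or from the attached patch: it shows the overflow-safe validation a demarshaller needs for that class. The wire format, `ItemList`, `unchecked_wire_size`, `demarshal_item_list` and the sample bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed wire format: u32 count (little-endian), then count items of 8 bytes. */
#define WIRE_ITEM_SIZE 8u
typedef struct { uint32_t id, value; } Item;
typedef struct { uint32_t count; Item items[]; } ItemList; /* flexible array */

/* Constructed samples: one valid item, and a count chosen so count * 8 wraps. */
const uint8_t SAMPLE_OK[12] = {1,0,0,0, 7,0,0,0, 9,0,0,0};
const uint8_t SAMPLE_WRAP[4] = {0x00,0x00,0x00,0x20}; /* count = 0x20000000 */

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The flawed pattern: a 32-bit product wraps, so a later "size <= avail" test passes. */
uint32_t unchecked_wire_size(uint32_t count) { return count * WIRE_ITEM_SIZE; }

/* Hardened demarshaller: returns NULL instead of trusting the declared count. */
ItemList *demarshal_item_list(const uint8_t *msg, size_t len) {
    if (msg == NULL || len < 4) return NULL;
    uint32_t count = rd32(msg);
    /* Compare by division: no multiplication, so nothing can wrap. */
    if (count > (len - 4) / WIRE_ITEM_SIZE) return NULL;
    /* Guard the in-memory size too (it differs from the wire size in general). */
    if (count > (SIZE_MAX - sizeof(ItemList)) / sizeof(Item)) return NULL;
    ItemList *out = malloc(sizeof(ItemList) + (size_t)count * sizeof(Item));
    if (out == NULL) return NULL;
    out->count = count;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *p = msg + 4 + (size_t)i * WIRE_ITEM_SIZE;
        out->items[i].id = rd32(p);
        out->items[i].value = rd32(p + 4);
    }
    return out;
}

int main(void) {
    ItemList *ok = demarshal_item_list(SAMPLE_OK, sizeof SAMPLE_OK);
    int pass = ok && ok->count == 1 && unchecked_wire_size(rd32(SAMPLE_WRAP)) == 0
               && demarshal_item_list(SAMPLE_WRAP, sizeof SAMPLE_WRAP) == NULL;
    free(ok);
    return pass ? 0 : 1;
}
```

In this constructed format the wrapped product for `SAMPLE_WRAP` is 0, which is why a size comparison made after the multiplication cannot catch it, while the division-based comparison rejects the message.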