Message-ID: <20180817005105.GB3712@sin.redhat.com>
Date: Fri, 17 Aug 2018 10:21:42 +0930
From: Doran Moppert <dmoppert@...hat.com>
To: oss-security@...ts.openwall.com
Subject: spice CVE-2018-10873: post-auth crash or potential heap corruption
 when demarshalling

Frediano Ziglio reported a missing check in the code generated by
spice-common/python_modules/demarshal.py, which could be exploited to
cause integer overflow leading to a crash and/or heap OOB read/writes.

The generated code is used in both client and server, so both are
vulnerable.  The most obvious outcome is a crash (since the overflowed
integers are very large), but it's possible a crafty attacker could
leverage this into worse, even RCE.  Demarshalling code is only used
post-authentication, so attacking a server would require valid
credentials.

The attached patch fixes both demarshal.py and the generated code.  This
is planned to be included in forthcoming releases spice 0.14.1 and
spice-gtk 0.36.

https://bugzilla.redhat.com/show_bug.cgi?id=1596008

-- 
Doran Moppert
Red Hat Product Security

View attachment "0001-Fix-flexible-array-buffer-overflow.patch" of type "text/plain" (11744 bytes)
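
An added example, not part of the original post and not the attached patch or spice-common's generated code: the general shape of the missing check the advisory describes, where a wire-supplied element count is multiplied into a byte size without being validated against the bytes left in the message. All function names, the 32-bit arithmetic, and the message layout (4-byte little-endian count, 16-byte elements) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical names throughout; this is not spice-common's generated code. */

/* Unchecked pattern: byte size of a wire-declared array computed in 32 bits.
 * A large count wraps, so the result can look small enough to pass a
 * later bounds check against the message. */
static uint32_t array_bytes_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked pattern: reject any count whose array cannot fit in the bytes
 * still unread in the message. Dividing instead of multiplying means the
 * comparison itself cannot wrap. */
static bool array_bytes_checked(uint32_t count, uint32_t elem_size,
                                size_t remaining, size_t *out_bytes)
{
    if (elem_size == 0 || count > remaining / elem_size)
        return false;
    *out_bytes = (size_t)count * elem_size;
    return true;
}

/* Parse a constructed layout: 4-byte little-endian count followed by
 * count elements of 16 bytes each. Returns the count, or -1 on rejection. */
static long parse_array_header(const uint8_t *msg, size_t msg_len)
{
    size_t bytes;
    uint32_t count;

    if (msg_len < 4)
        return -1;
    count = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
            (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    if (!array_bytes_checked(count, 16, msg_len - 4, &bytes))
        return -1;
    return (long)count;
}
```
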
