oss-sec mailing list archives
spice CVE-2018-10873: post-auth crash or potential heap corruption when demarshalling
From: Doran Moppert <dmoppert () redhat com>
Date: Fri, 17 Aug 2018 10:21:42 +0930
Frediano Ziglio reported a missing check in the code generated by spice-common/python_modules/demarshal.py, which could be exploited to cause integer overflow leading to a crash and/or heap OOB read/writes. The generated code is used in both client and server, so both are vulnerable.

The most obvious outcome is a crash (since the overflowed integers are very large), but it's possible a crafty attacker could leverage this into worse, even RCE. Demarshalling code is only used post-authentication, so attacking a server would require valid credentials.

The attached patch fixes both demarshal.py and the generated code. This is planned to be included in forthcoming releases spice 0.14.1 and spice-gtk 0.36.

https://bugzilla.redhat.com/show_bug.cgi?id=1596008

--
Doran Moppert
Red Hat Product Security
Attachment: 0001-Fix-flexible-array-buffer-overflow.patch
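The advisory does not reproduce the generated demarshaller, so the following is an added illustration of the class of check it describes, not code from SPICE or from the attached patch. It assumes a constructed wire format (a 32-bit element count followed by 8-byte elements); `Msg`, `demarshal_msg` and `unchecked_payload_size` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed wire format (not SPICE's): u32 LE count, then count 8-byte LE items. */
#define WIRE_ELEM_SIZE 8u

typedef struct {
    uint32_t count;
    uint64_t items[];            /* flexible array member */
} Msg;

static uint64_t rd_le(const uint8_t *p, unsigned nbytes) {
    uint64_t v = 0;
    for (unsigned i = 0; i < nbytes; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* The fragile form: a 32-bit multiply that silently wraps for large counts. */
uint32_t unchecked_payload_size(uint32_t count) {
    return count * WIRE_ELEM_SIZE;
}

/* Returns a heap-allocated Msg, or NULL when the input cannot back the count. */
Msg *demarshal_msg(const uint8_t *buf, size_t len) {
    if (len < 4)
        return NULL;
    uint32_t count = (uint32_t)rd_le(buf, 4);
    size_t remaining = len - 4;
    /* Division cannot overflow, unlike count * WIRE_ELEM_SIZE. */
    if (count > remaining / WIRE_ELEM_SIZE)
        return NULL;
    /* Guard the allocation size as well (matters where size_t is 32-bit). */
    if (count > (SIZE_MAX - sizeof(Msg)) / sizeof(uint64_t))
        return NULL;
    Msg *m = malloc(sizeof(Msg) + (size_t)count * sizeof(uint64_t));
    if (m == NULL)
        return NULL;
    m->count = count;
    for (uint32_t i = 0; i < count; i++)
        m->items[i] = rd_le(buf + 4 + (size_t)i * WIRE_ELEM_SIZE, 8);
    return m;
}

int main(void) {
    /* Constructed input: count = 0x20000001 with only 8 payload bytes. */
    const uint8_t bad[12] = {0x01, 0x00, 0x00, 0x20};
    printf("wrapped size: %u, parsed: %s\n", (unsigned)unchecked_payload_size(0x20000001u),
           demarshal_msg(bad, sizeof bad) ? "yes" : "rejected");
    return 0;
}
```

A size comparison built on the wrapped product would accept the constructed message, because the product wraps to 8 and 8 payload bytes are present; comparing the count against `remaining / WIRE_ELEM_SIZE` rejects it.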