See https://access.redhat.com/security/cve/CVE-2015-5260, https://access.redhat.com/security/cve/CVE-2015-5261 and http://openwall.com/lists/oss-security/2015/10/06/4 for some details on the security problems discovered.

These patches were already sent to different distributions and updates are available for Red Hat products (and perhaps others).

The first two patches contain additional checks for accessing the surfaces array in the RedWorker structure (see server/red_worker.c). The other patches group up similar issues related to races between host and guest and some structure checking. Some of these missing checks quite easily allow reading/writing large arbitrary memory ranges in the host.

Frediano Ziglio (19):
  worker: validate correctly surfaces
  worker: avoid double free or double create of surfaces
  Define a constant to limit data from guest.
  Fix some integer overflow causing large memory allocations
  Check properly surface to be created
  Fix buffer reading overflow
  Prevent 32 bit integer overflow in bitmap_consistent
  Fix race condition on red_get_clip_rects
  Fix race in red_get_image
  Fix race condition in red_get_string
  Fix integer overflow computing glyph_size in red_get_string
  Fix race condition in red_get_data_chunks_ptr
  Prevent memory leak if red_get_data_chunks_ptr fails
  Prevent DoS from guest trying to allocate too much data on host for chunks
  Fix some possible overflows in red_get_string for 32 bit
  Make sure we can read QXLPathSeg structures
  Avoid race condition copying segments in red_get_path
  Prevent data_size to be set independently from data
  Prevent leak if size from red_get_data_chunks don't match in red_get_image

 server/red_parse_qxl.c | 218 ++++++++++++++++++++++++++++++++++++++-----------
 server/red_worker.c    |  42 ++++++----
 2 files changed, 196 insertions(+), 64 deletions(-)

-- 
2.4.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
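The three classes of fix the cover letter names (bounds checks on a guest-chosen surface index, double create/free of a surface, integer overflow in a size computation, and a host/guest race on shared structures) are illustrated below in an added example that is not part of this patch series or of spice's own code; GuestBitmap, Surface, NUM_SURFACES and MAX_DATA_SIZE are invented stand-ins for the real QXL structures and limits.

```c
#include <stdint.h>
#include <stdlib.h>
/* Illustrative model only (not spice's own structures): a bitmap descriptor
 * the guest shares with the host, and the host-side surfaces array it indexes. */
#define NUM_SURFACES  16
#define MAX_DATA_SIZE (64u * 1024u * 1024u)   /* hypothetical cap on guest data */

typedef struct { uint32_t surface_id, width, height, bpp; } GuestBitmap;
typedef struct { int in_use; void *data; } Surface;
static Surface surfaces[NUM_SURFACES];

/* Snapshot the guest-visible struct once, validate the copy and return the
 * byte size to allocate (0 = reject). Using only the copy closes the
 * check-then-use window a guest would otherwise get by rewriting shared memory. */
size_t validate_bitmap(const volatile GuestBitmap *shared, GuestBitmap *out)
{
    GuestBitmap g = { shared->surface_id, shared->width, shared->height, shared->bpp };
    if (g.surface_id >= NUM_SURFACES)            /* out-of-bounds index into surfaces[] */
        return 0;
    if (g.bpp == 0 || g.bpp > 32 || g.bpp % 8 || g.width == 0 || g.height == 0)
        return 0;
    uint32_t bytes_pp = g.bpp / 8;
    /* Division form cannot overflow: true iff width*height*bytes_pp > MAX_DATA_SIZE. */
    if (g.width > MAX_DATA_SIZE / bytes_pp / g.height)
        return 0;
    *out = g;
    return (size_t)g.width * g.height * bytes_pp;
}

/* Reject an out-of-range id and a second create of an id already in use. */
int create_surface(uint32_t id, size_t size)
{
    if (id >= NUM_SURFACES || surfaces[id].in_use || size == 0)
        return -1;
    if (!(surfaces[id].data = calloc(1, size)))
        return -1;
    surfaces[id].in_use = 1;
    return 0;
}

/* Reject an out-of-range id and a double destroy of the same surface. */
int destroy_surface(uint32_t id)
{
    if (id >= NUM_SURFACES || !surfaces[id].in_use)
        return -1;
    free(surfaces[id].data); surfaces[id].data = NULL;
    surfaces[id].in_use = 0;
    return 0;
}
```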