CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
89.1%
CentOS Errata and Security Advisory CESA-2013:1192
The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine
(KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.
A flaw was found in the way concurrent access to the clients ring buffer
was performed in the spice-server library. A remote user able to initiate a
SPICE connection to an application acting as a SPICE server could use this
flaw to crash the application. (CVE-2013-4130)
This issue was discovered by David Gibson of Red Hat.
Users of spice-server are advised to upgrade to this updated package, which
contains a backported patch to correct this issue. Applications acting as a
SPICE server must be restarted for this update to take effect. Note that
QEMU-KVM guests providing SPICE console access must be restarted for this
update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-September/082085.html
Affected packages:
spice-server
spice-server-devel
Upstream details at:
https://access.redhat.com/errata/RHSA-2013:1192
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | x86_64 | spice-server | < 0.12.0-12.el6_4.3 | spice-server-0.12.0-12.el6_4.3.x86_64.rpm |
CentOS | 6 | x86_64 | spice-server-devel | < 0.12.0-12.el6_4.3 | spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm |