Frediano Ziglio

**Nome do Software Vulnerável e Versões Afetadas** Linux kernel (versões afetadas não especificadas) **Descrição** Um estouro de buffer ocorre no arquivo `drivers/xen/sys-hypervisor.c`. O ID de compilação retornado pela função `HYPERVISOR xen version(XENVER build id)` não é uma string e não possui terminação NUL. Consequentemente, a função `sprintf()` em `buildid show()` continua lendo e copiando dados até encontrar um caractere NUL, resultando em um estouro de buffer. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha a correção para esta vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Versões do SPICE anteriores à 0.14.2-1 Versões do spice-gtk anteriores à 0.14.2-1 **Descrição** O problema está relacionado a vulnerabilidades de estouro de buffer no processo de decodificação de imagens QUIC do sistema de exibição remota SPICE. Essas vulnerabilidades podem ser exploradas por um cliente ou servidor mal-intencionado que envie mensagens especialmente criadas, o que pode resultar em uma falha do processo ou na potencial execução de código ao ser processado pelo algoritmo de compressão de imagens QUIC. Isso poderia permitir que um invasor acessasse dados confidenciais, comprometesse sua integridade e causasse uma negação de serviço. **Recomendações** Para versões do SPICE anteriores à 0.14.2-1, atualize para a versão 0.14.2-1 ou posterior para resolver o problema. Para versões do spice-gtk anteriores à 0.14.2-1, atualize para a versão 0.14.2-1 ou posterior para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao processo de decodificação de imagens QUIC até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** SPICE versions prior to 0.14.1 **Description** A vulnerability was discovered in the demarshalling of messages, where the generated code lacked sufficient bounds checks. This could allow a malicious client or server, after authentication, to send specially crafted messages to its peer, resulting in a crash or potentially other impacts. The issue is related to errors in message processing, leading to buffer overflow. Exploitation of the vulnerability could allow a remote attacker to access confidential information or cause a denial of service. **Recommendations** For versions prior to 0.14.1, update to version 0.14.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `demarshal.py` function or the `write validate array item()` function until a patch is available. Avoid using the vulnerable demarshalling code in the SPICE protocol until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** spice-client (affected versions not specified) **Description** The issue is related to integer overflow in the spice-client software for remote access. It may allow a remote attacker to gain access to confidential information or cause a denial of service. Additionally, multiple integer overflow and buffer overflow issues were found in the handling of LZ compressed frames, which could cause the client to crash or potentially execute arbitrary code if a malicious server is involved. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spice-gtk versions through 0.34 **Description** A flaw in the spice-client's message processing from the server allows an attacker with control of a malicious spice-server to potentially crash the client or execute arbitrary code with the permissions of the user running the client. The issue is related to insufficient input validation, which can be exploited by a remote attacker using specially crafted server messages. **Recommendations** For spice-gtk versions through 0.34, consider disabling the spice-client until a patch is available to prevent potential exploitation. Restrict access to the spice-server to minimize the risk of remote attackers sending malicious messages. Avoid using the spice-client with untrusted spice-servers until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SPICE versions prior to 0.13.90 **Description** A vulnerability was discovered in the server's protocol handling, allowing an attacker who can connect to the SPICE server to send crafted messages, causing the process to crash. **Recommendations** For versions prior to 0.13.90, update to version 0.13.90 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SPICE versions prior to 0.13.90 **Description** A vulnerability was discovered in the server's protocol handling, allowing an authenticated attacker to send crafted messages to the SPICE server. This could cause a heap overflow, leading to a crash or possible code execution. **Recommendations** For versions prior to 0.13.90, update to version 0.13.90 or later to resolve the issue. As a temporary workaround, consider restricting access to the SPICE server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SPICE versions prior to 0.12.6 **Description** The issue allows guest OS users to read and write to arbitrary memory locations on the host via guest QXL commands related to surface creation. **Recommendations** For versions prior to 0.12.6, update to version 0.12.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SPICE versions prior to 0.12.6 **Description** The issue allows guest OS users to cause a denial of service, resulting in heap-based memory corruption and QEMU-KVM crash, or possibly execute arbitrary code on the host. This is achieved via QXL commands related to the `surface id` parameter. **Recommendations** For versions prior to 0.12.6, update to version 0.12.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of QXL commands related to the `surface id` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SPICE version 0.12.4 **Description** A race condition in the `worker update monitors config` function allows a remote authenticated guest user to cause a denial of service, resulting in heap-based memory corruption and QEMU-KVM crash, or possibly execute arbitrary code on the host. **Recommendations** For SPICE version 0.12.4, consider disabling the `worker update monitors config` function as a temporary workaround until a patch is available. Restrict access to the QEMU-KVM process to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.