Security update for spice SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0167-1 Final 1 1 2019-03-23T10:57:40Z current 2019-03-23T10:57:40Z 2019-03-23T10:57:40Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for spice This update for spice fixes the following issues: Security issue fixed: - CVE-2019-3813: Fixed a out-of-bounds read in the memslot_get_virt function that could lead to denial-of-service or code-execution (bsc#1122706). Non-security issue fixed: - Include spice-server tweak to compensate for performance issues with Windows guests (bsc#1109044). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-167 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KOYZQCCPVZTLRGKL5HJUTHZCJ6BLDEZI/#KOYZQCCPVZTLRGKL5HJUTHZCJ6BLDEZI E-Mail link for openSUSE-SU-2019:0167-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1109044 SUSE Bug 1109044 https://bugzilla.suse.com/1122706 SUSE Bug 1122706 https://www.suse.com/security/cve/CVE-2019-3813/ SUSE CVE CVE-2019-3813 page openSUSE Leap 15.0 libspice-server-devel-0.14.0-lp150.3.6.1 libspice-server1-0.14.0-lp150.3.6.1 libspice-server-devel-0.14.0-lp150.3.6.1 as a component of openSUSE Leap 15.0 libspice-server1-0.14.0-lp150.3.6.1 as a component of openSUSE Leap 15.0 Spice, versions 0.5.2 through 0.14.1, are vulnerable to an out-of-bounds read due to an off-by-one error in memslot_get_virt. This may lead to a denial of service, or, in the worst case, code-execution by unauthenticated attackers. CVE-2019-3813 openSUSE Leap 15.0:libspice-server-devel-0.14.0-lp150.3.6.1 openSUSE Leap 15.0:libspice-server1-0.14.0-lp150.3.6.1 important 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KOYZQCCPVZTLRGKL5HJUTHZCJ6BLDEZI/#KOYZQCCPVZTLRGKL5HJUTHZCJ6BLDEZI https://www.suse.com/security/cve/CVE-2019-3813.html CVE-2019-3813 https://bugzilla.suse.com/1122706 SUSE Bug 1122706