Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2016-0749

Published: 9 June 2016

The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow.

Notes

Author	Note
mdeslaur	technically, this doesn't affect trusty since it is compiled with --disable-smartcard.

Priority

CVSS 3 base score: 9.8

Status

Package	Release	Status
spice Launchpad, Ubuntu, Debian	precise	Does not exist (precise was needed)
	trusty	Released (0.12.4-0nocelt2ubuntu1.3)
	upstream	Needs triage
	wily	Released (0.12.5-1.1ubuntu2.1)
	xenial	Released (0.12.6-4ubuntu0.1)
	yakkety	Released (0.12.6-4ubuntu1)
	zesty	Released (0.12.6-4ubuntu1)

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826585

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading