CVE-2016-9578
Published: 6 February 2017
A vulnerability was discovered in SPICE before 0.13.90 in the server's protocol handling. An attacker able to connect to the SPICE server could send crafted messages which would cause the process to crash.
Priority
Status
Package | Release | Status |
---|---|---|
spice Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
trusty |
Released
(0.12.4-0nocelt2ubuntu1.4)
|
|
upstream |
Needs triage
|
|
xenial |
Released
(0.12.6-4ubuntu0.2)
|
|
yakkety |
Released
(0.12.8-1ubuntu0.1)
|
|
zesty |
Released
(0.12.8-2ubuntu1)
|
|
Patches: upstream: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=1c6517973095a67c8cb57f3550fc1298404ab556 upstream: https://cgit.freedesktop.org/spice/spice/commit/?h=0.12&id=f66dc643635518e53dfbe5262f814a64eec54e4a |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |