CVE-2013-4130
First published: Mon Jul 15 2013(Updated: )
Currently, both red_channel_pipes_add_type() and red_channel_pipes_add_empty_msg() use plaing RING_FOREACH() which is not safe versus removals from the ring within the loop body. Yet, when (network) error does occur, the current item could be removed from the ring down the road and the assertion in RING_FOREACH()'s ring_next() could trip, causing the process containing the spice server to abort. An user able to initiate spice connection to the guest could use this flaw to crash the guest. Upstream fix: <a href="http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d">http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d</a> Acknowledgements: This issue was discovered by David Gibson of Red Hat.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SPICE | <=0.12.3 | |
| SPICE | =0.5.2 | |
| SPICE | =0.5.3 | |
| SPICE | =0.6.0 | |
| SPICE | =0.6.1 | |
| SPICE | =0.6.2 | |
| SPICE | =0.6.3 | |
| SPICE | =0.6.4 | |
| SPICE | =0.7.0 | |
| SPICE | =0.7.1 | |
| SPICE | =0.7.2 | |
| SPICE | =0.7.3 | |
| SPICE | =0.8.0 | |
| SPICE | =0.8.1 | |
| SPICE | =0.8.2 | |
| SPICE | =0.8.3 | |
| SPICE | =0.9.0 | |
| SPICE | =0.9.1 | |
| SPICE | =0.10.0 | |
| SPICE | =0.10.1 | |
| SPICE | =0.11.0 | |
| SPICE | =0.11.3 | |
| SPICE | =0.12.0 | |
| SPICE | =0.12.2 | |
| Ubuntu | =13.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cgit.freedesktop.org/spice/spice/commit/?id=53488f0275d6c8a121af49f7ac817d09ce68090d
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=984802
- https://rhn.redhat.com/errata/RHSA-2013-1192.html
- https://rhn.redhat.com/errata/RHSA-2013-1260.html
- https://bugzilla.redhat.com/show_bug.cgi?id=984769
- http://rhn.redhat.com/errata/RHSA-2013-1260.html
- http://seclists.org/oss-sec/2013/q3/115
- http://www.debian.org/security/2014/dsa-2839
- http://www.ubuntu.com/usn/USN-1926-1
Frequently Asked Questions
What is the severity of CVE-2013-4130?
CVE-2013-4130 is considered a moderate severity vulnerability due to potential exploitation in the red channel pipe handling.
How do I fix CVE-2013-4130?
To fix CVE-2013-4130, upgrade to the latest version of SPICE that is not affected, which is above 0.12.3.
Which versions of SPICE are affected by CVE-2013-4130?
CVE-2013-4130 affects SPICE versions from 0.5.2 up to and including 0.12.3.
What is the impact of CVE-2013-4130?
The impact of CVE-2013-4130 includes possible network errors that could lead to an unsafe removal of items from the processing ring.
Is there a workaround for CVE-2013-4130?
There are limited workarounds for CVE-2013-4130; the recommended approach is to apply the available security updates.
- collector/redhat-bugzilla
- alias/CVE-2013-4130
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/references
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/spice project
- canonical/spice
- version/spice/0.12.3
- version/spice/0.5.2
- version/spice/0.5.3
- version/spice/0.6.0
- version/spice/0.6.1
- version/spice/0.6.2
- version/spice/0.6.3
- version/spice/0.6.4
- version/spice/0.7.0
- version/spice/0.7.1
- version/spice/0.7.2
- version/spice/0.7.3
- version/spice/0.8.0
- version/spice/0.8.1
- version/spice/0.8.2
- version/spice/0.8.3
- version/spice/0.9.0
- version/spice/0.9.1
- version/spice/0.10.0
- version/spice/0.10.1
- version/spice/0.11.0
- version/spice/0.11.3
- version/spice/0.12.0
- version/spice/0.12.2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/13.04