A buffer overread has been discovered in spice, possibly allowing remote execution of code.
| Package | app-emulation/spice on all architectures |
| Affected versions | < 0.14.2 |
| Unaffected versions | >= 0.14.2 |
Spice provides a complete open source solution for remote access to virtual machines in a seamless way so you can play videos, record audio, share USB devices, and share folders without complications.
A flaw in spice’s memory handling code has been discovered, allowing an out-of-bounds read.
A remote attacker may be able to send malicious packets causing remote code execution.
There is no known workaround at this time.
All spice users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-emulation/spice-0.14.2"
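To confirm which hosts still fall in the affected range once the upgrade has been rolled out, the added example below (not part of the advisory or of the spice project) classifies app-emulation/spice versions against 0.14.2. The function names, hostnames and inventory are constructed for illustration, and version strings are assumed to be dotted numbers with an optional -rN revision; anything else is reported as unknown for manual review.

```sh
#!/bin/sh
FIXED="0.14.2"   # first unaffected version, taken from the advisory

# ver_lt A B: succeed if dotted numeric version A is strictly lower than B.
# Components are compared as integers, so 0.9.1 sorts below 0.14.2.
ver_lt() {
    a=${1%%-r[0-9]*}; b=${2%%-r[0-9]*}   # a -rN revision never lowers a version
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}             # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                             # equal versions are not "lower"
}

# spice_status VERSION: print "affected", "unaffected" or "unknown".
# Accepts "0.14.0-r2" or the full "app-emulation/spice-0.14.0-r2" form.
spice_status() {
    v=${1#app-emulation/spice-}
    case ${v%%-r[0-9]*} in
        ''|.*|*.|*..*|*[!0-9.]*) echo unknown; return ;;   # e.g. 0.14.2_rc1
    esac
    if ver_lt "$v" "$FIXED"; then echo affected; else echo unaffected; fi
}

# triage: read "host version" lines on stdin and list every host that is
# not known to be on an unaffected version.
triage() {
    while read -r host ver; do
        s=$(spice_status "$ver")
        [ "$s" = unaffected ] || echo "$host $ver $s"
    done
}

# Constructed inventory: hostnames and versions are made up for the example.
triage <<'EOF'
kvm01 app-emulation/spice-0.14.0-r2
kvm02 app-emulation/spice-0.14.2
kvm03 app-emulation/spice-0.14.3
kvm04 app-emulation/spice-0.9.1
kvm05 app-emulation/spice-0.14.2_rc1
EOF
```

On a Gentoo host, the installed version in this form can be listed with `qlist -Iv app-emulation/spice` from portage-utils.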
July 27, 2020
July 27, 2020: 1