Alpine: multiple spice packages: security update to 0.12.7-r1 (deprecated)

critical Tenable Self-Hosted Container Security Plugin ID 400958

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via unspecified vectors. (CVE-2015-3247)

- The smartcard interaction in SPICE allows remote attackers to cause a denial of service (QEMU-KVM process crash) or possibly execute arbitrary code via vectors related to connecting to a guest VM, which triggers a heap-based buffer overflow. (CVE-2016-0749)

- SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261. (CVE-2016-2150)

See Also

https://git.alpinelinux.org/aports/commit/?id=5bb854b78247cfca2f9c179b2cce5f9d8a8f57eb

https://git.alpinelinux.org/aports/commit/?id=a56e4e3c1e2f4297d2771d28dac70e5afc81839e

Plugin Details

Severity: Critical

ID: 400958

Version: Revision 1.27

Type: Local

Published: 8/16/2023

Updated: 6/24/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-0749

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/26/2016

Vulnerability Publication Date: 9/3/2015

Reference Information

CVE: CVE-2015-3247, CVE-2016-0749, CVE-2016-2150

BID: 76676