7.232. spice-gtk

Updated spice-gtk packages that fix several bugs and add various enhancements are now available for Red Hat Enterprise Linux 6.
The spice-gtk packages provide a GTK2 widget for SPICE clients. Both the virt-manager and virt-viewer utilities can make use of this widget to access virtual machines using the SPICE protocol.


The spice-gtk packages have been upgraded to upstream version 0.14, which provides a number of bug fixes and enhancements over the previous version. The following list includes notable enhancements:
  • Windows USB redirection support
  • Seamless migration
  • Better multi-monitor or resolution setting support
  • Improved handling of key-press and key-release events in high latency situations

Bug Fixes

When part of a key combination matched the grab sequence, the last key of the combination was sometimes not sent to the guest. As a consequence, the Left Ctrl+Alt+Del key combination was not passed to guests. This update ensures that all the keys are sent to the SPICE server even if they are part of a combination. Now, when a key combination matches the grab sequence, the procedure works as expected.
Previously, when a Uniform Resource Identifier (URI) contained an IPv6 address, errors occurred when parsing URIs in remote-viewer. As a consequence, remote-viewer could not be started from the command line with an IPv6 URI. Parsing of URIs containing IPv6 addresses is now fixed and it is possible to connect to an IPv6 address when starting remote-viewer from the command line.
High network jitter caused some keystrokes to enter multiple characters instead of one. Improvements to the SPICE protocol have been made to avoid unwanted character repetition.
When the QEMU application was started with the --spice-disable-effects option and an invalid value, spice-gtk did not print any error message, which could confuse users. This bug is now fixed and QEMU exits when an invalid value is encountered.
Previously, an attempt to close the connection to a display failed until one of the remaining windows was resized. Consequently, a previously closed window could be opened again without the user intending it. Reopening of the closed display is now fixed and closing the remote-viewer windows works as expected.
Previously, SPICE motion messages were not properly synchronized between client and server after migration. As a consequence, mouse cursor state could get out of sync after migration. This update ensures SPICE motion messages are synchronized between client and server and mouse cursor state no longer gets out of sync.
Previously, the following error code was returned in various scenarios:
main-1:0: SSL_connect: error:00000001:lib(0):func(0):reason(1)
This code made debugging of connection failures cumbersome. With this update, the corresponding error message is printed for each of the different scenarios.
When using the --spice-color-value option with an invalid value, an error message is displayed. However, previously, the message was not clear enough. After the update, when using the --spice-color-value option with an invalid value, SPICE returns an error message including a suggestion of the value.
After connecting to an agent-less guest with 16-bit color depth, the initial screen was black and got drawn on change only. This bug is now fixed and the guest screen is rendered fully upon connection to an agent-less guest with 16-bit color depth.
Disabling client-side mouse acceleration temporarily when the pointer was in server mode and grabbed caused the mouse pointer to "jump" over the guest desktop at any faster movement. This bug is now fixed and the mouse pointer moves in a guest as it would on a physical client.
Previously, the Ctrl+Shift composite key did not work, resulting in the same actions being triggered by different composite keys. This bug is now fixed and Ctrl+Shift works as expected.
Previously, when no host subject was specified, the remote-viewer tool failed to connect with the following error message:
Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed
With this update, when no host subject is specified, remote-viewer treats it like an empty host subject and verifies the common name (CN=) from the certificate subject field against the hostname.
Under certain circumstances, an unclear warning message was returned, incorrectly suggesting that a needless network connection was attempted. The error message has been improved to correctly reflect the state.
Previously, for security reasons, users were prompted to enter the root password when trying to redirect a USB device from a Red Hat Enterprise Linux 6.4 client to a SPICE guest. However, regular users do not have the root password. As this behavior is controlled by PolicyKit, changes in the /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy file have been made to allow access to the raw USB device without prompting for a password. A warning about the security implications of this change has been included in the documentation.
Previously, implementation of the CONTROLLER_SEND_CAD event was missing in the spice-gtk controller. As a consequence, checking the "Pass Ctrl+Alt+Del to virtual machine" box in the user interface did not produce any result. Implementation for CONTROLLER_SEND_CAD has been added to the underlying source code and users can now tick the checkbox for Ctrl+Alt+Del to be intercepted on the virtual guest.
After a non-seamless migration of virtual machines with redirected USB devices, SPICE did not evaluate the USB state correctly. With this update, the related functions called from the channel_reset() function can rely on the state accurately, reflecting the USB state.
When there was no device to redirect, the redirection dialogue window did not provide clear enough information. With this update, a help message indicating that there is no device to redirect is included in the dialogue window as well as additional related guidance.
In some situations, SPICE attempted to send the 00 scan codes to virtual machines, which resulted in the unknown key pressed error messages being printed by the client. After this update, SPICE no longer sends the 00 scan codes to the spice-server.
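An added example, not part of the original release notes or the spice-gtk sources: a defender-side check that lists which polkit actions in a .policy file are granted without a password prompt, the kind of setting the USB redirection change above introduces. The embedded policy is a constructed sample; the first action id is assumed from the policy file name, and the second action is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a polkit .policy file. The action ids and
# values are assumptions for illustration, not the shipped RHEL file.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.spice-space.lowlevelusbaccess">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.constructed.admin-only">
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

SESSION_KINDS = ("allow_any", "allow_inactive", "allow_active")


def implicit_authorizations(policy_xml):
    """Return {action_id: {session_kind: value}} for every action.

    An omitted element is reported as "no" (assumed polkit default).
    """
    result = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        result[action.get("id")] = {
            kind: "no" if defaults is None
            else defaults.findtext(kind, "no").strip()
            for kind in SESSION_KINDS
        }
    return result


def passwordless_grants(policy_xml):
    """List (action_id, session_kind) pairs granted with no authentication."""
    return sorted(
        (action_id, kind)
        for action_id, kinds in implicit_authorizations(policy_xml).items()
        for kind, value in kinds.items()
        if value == "yes"
    )


if __name__ == "__main__":
    for action_id, kind in passwordless_grants(SAMPLE_POLICY):
        print(f"{action_id}: {kind}=yes (no password prompt)")
```

To audit a real client, pass the contents of the policy file named above to `passwordless_grants` and review each pair it returns against who is expected to have raw USB access.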


The previous SPICE migration pathway was almost equivalent to automatically connecting the client to the migration target and starting the session from scratch. This pathway resulted in unrecoverable data loss, mainly USB, smartcard or copy-paste data that was on its way from the client to the guest and vice versa, when the non-live phase of the migration started. This update prevents data loss and the migration process completes successfully in this scenario.
RandR multi-monitor support for Linux guests and arbitrary resolution support for Linux and Windows guests have been added to the spice-gtk package. It is now possible to dynamically add new screens while using a virtual machine. Also, after resizing the window of the SPICE client, the resolution of the guest is automatically adjusted to match the size of the window.
Auto-discovery of already plugged-in USB devices on Red Hat Enterprise Linux clients by the USB Redirector has been added to the spice-gtk package.
This update adds more informative error messages to the spice-gtk package; the messages deal with host subject mismatch when invalid SSL certificates or SSL options are passed to QEMU.
Users of spice-gtk are advised to upgrade to these updated packages, which fix these bugs and add these enhancements.
Updated spice-gtk packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for SPICE (Simple Protocol for Independent Computing Environments) clients. Both Virtual Machine Manager and Virtual Machine Viewer can make use of this widget to access virtual machines using the SPICE protocol.

Security Fix

spice-gtk communicated with PolicyKit for authorization via an API that is vulnerable to a race condition. This could lead to intended PolicyKit authorizations being bypassed. This update modifies spice-gtk to communicate with PolicyKit via a different API that is not vulnerable to the race condition.
All users of spice-gtk are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.