RHBA-2010:0559 - Bug Fix Advisory

Topic

An updated qffmpeg package that fixes an SELinux incompatibility is
now available.

Description

qffmpeg provides video codecs for the Spice remote desktop protocol.

This update addresses the following issue:

• shared libraries at /usr/lib/libqavcodec.so.51 required a text

relocation (a reference to an object with a variable address at
runtime using an absolute addressing mode). This is a potential
security problem and, consequently, when a Spice session attempted to
load these libraries an SELinux exception triggered and Spice failed
to launch with the following error:

spicec: error while loading shared libraries:
/usr/lib/libqavcodec.so.51:

cannot restore segment prot after reloc: Permission denied

This update corrects the affected qffmpeg assembly: text relocation is
no longer required and the exception is no longer triggered.
(BZ#576564)

Note: a workaround existed. The file context and default file context
of "/usr/lib/libqavcodec.so.51.71.0" could be changed as follows to
allow the library to load:

chcon -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'

semanage fcontext -a -t textrel_shlib_t
'/usr/lib/libqavcodec.so.51.71.0'

This workaround is no longer necessary. If the workaround was used
prior to this update's release, undoing these changes is recommended.

All Spice users should install this updated package which fixes this
bug.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Workstation 5 x86_64

Fixes

• BZ - 576564 - SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.

CVEs

(none)

References

(none)