| Summary: | spice-gtk new security issue CVE-2012-4425 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | major | ||
| Priority: | Normal | CC: | cjw, fundawang, jani.valimaa, mageia, mageiasv, olav, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/516706/ | ||
| Whiteboard: | has_procedure mga2-64-OK mga2-32-OK | ||
| Source RPM: | spice-gtk-0.9-1.mga2.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2012-09-20 19:50:14 CEST
David Walser
2012-09-20 19:57:32 CEST
Whiteboard: (none) => MGA2TOO

glib2.0 is OK in Cauldron, as it's fixed in 2.33.14.

Fedora's advisories for these issues have now been released.
dbus: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088256.html
glib2.0: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088257.html
spice-gtk: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088245.html
The glib2.0 advisory is using the same CVE as dbus, CVE-2012-3524.

I've submitted an updated spice-gtk that should fix this spice-gtk exploit vector:
spice-gtk-0.9-1.1.mga2.src.rpm

What's the status of this one in Cauldron?

I've split the glib2.0 update off yet again into Bug 7595. For spice-gtk, pushing this to QA.

Advisory:
========================

Updated spice-gtk packages fix security vulnerability:

It was discovered that the spice-gtk setuid helper application, spice-client-glib-usb-acl-helper, did not clear the environment variables read by the libraries it uses. A local attacker could possibly use this flaw to escalate their privileges by setting specific environment variables before running the helper application (CVE-2012-4425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4425
https://rhn.redhat.com/errata/RHSA-2012-1284.html
========================

Updated packages in core/updates_testing:
========================
spice-gtk-0.9-1.1.mga2
libspice-client-glib2.0_1-0.9-1.1.mga2
libspice-client-glib-gir2.0-0.9-1.1.mga2
libspice-client-gtk3.0_1-0.9-1.1.mga2
libspice-client-gtk-gir3.0-0.9-1.1.mga2
libspice-controller0-0.9-1.1.mga2
libspice-gtk-devel-0.9-1.1.mga2

from spice-gtk-0.9-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

(In reply to comment #4)
> What's the status of this one in Cauldron?

I've just applied the fix in Cauldron too (internet died last night for me so couldn't do it then) but as we have newer glib, we can't exploit this vector anyway.

PoC: http://www.exploit-db.com/exploits/21323/

Procedure is in bug 7474 comment 15

Hardware: i586 => All

Note that either the spice OR the glib updates should prevent exploit. Any one by itself should fix it so when testing you should really test the four permutations to be absolutely sure.

It doesn't look like glib is ready yet Colin so I think we can treat them separately but will need to reinstall spice-gtk from release to test glib with in bug 7595 when it is ready for us.

Testing complete mga2 64

Used the PoC before update and got a root shell. After update, deleted a.out and rebuilt it with gcc. It now fails and has to be stopped with ctrl-c so the CVE appears closed.

Also basic regression tests. Checked spicy (gtk app) can be started and spicy-stats displays some stats and snappy --version gives a sensible response.

Spicy-stats does show a warning but it is not a regression and there is no spice server to connect to to produce any stats.

(spicy-stats:8418): GSpice-WARNING **: main channel event: 20

Whiteboard: has_procedure => has_procedure mga2-64-OK

(In reply to comment #9)
> It doesn't look like glib is ready yet Colin

I'm trying to poke Olav to see what he thinks about pushing it earlier than the other updates, but I think overall we'll be happy to push out the newer version.

After some discussions on IRC I think we'll probably push it out, but not 100% confirmed yet.

I don't think Mårten intends to complete testing i586 so it still needs doing.

Testing complete mga2 32

Validating

SRPM and advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0278

Status: NEW => RESOLVED
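
The advisory in this report describes a setuid helper that did not clear the environment variables read by the libraries it uses. As an added illustration (not the spice-gtk patch and not code from this report), the sketch below shows a helper replacing its inherited environment with a fixed one before doing anything else; the function name `scrub_environment`, the fixed `PATH` value and the variable name used in testing are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Fixed environment for the helper. The PATH value is an assumption for this
 * example; a real helper would list only what it actually needs. */
static char *clean_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    NULL
};

/*
 * Drop every inherited variable and install clean_env instead.
 * Returns the number of inherited variables that were discarded.
 * Replacing the whole array (glibc's clearenv(3) has a similar effect)
 * avoids the denylist trap: the helper cannot know every variable that
 * the libraries it links against will read.
 */
int scrub_environment(void)
{
    int dropped = 0;

    if (environ != NULL)
        for (char **e = environ; *e != NULL; e++)
            dropped++;
    environ = clean_env;
    return dropped;
}

int main(void)
{
    /* First statement of main(): no library call made after this point can
     * see caller-controlled variables. */
    int dropped = scrub_environment();

    printf("discarded %d inherited variables\n", dropped);
    printf("PATH=%s\n", getenv("PATH"));
    return 0;
}
```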