Bug 7536 - spice-gtk new security issue CVE-2012-4425
Summary: spice-gtk new security issue CVE-2012-4425
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/516706/
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-09-20 19:50 CEST by David Walser
Modified: 2012-09-30 22:52 CEST (History)
8 users

See Also:
Source RPM: spice-gtk-0.9-1.mga2.src.rpm
CVE:
Status comment:


Description David Walser 2012-09-20 19:50:14 CEST
RedHat has issued an advisory on September 17:
https://rhn.redhat.com/errata/RHSA-2012-1284.html

Mageia 2 is also affected.

This vulnerability is related to CVE-2012-3524 (Bug 7474).

This particular CVE is an issue that really is a combination issue including spice-gtk and glib2.0.  The RedHat advisory above just patched spice-gtk, but Fedora at least is also preparing a glib2.0 update for this, and there is a suggested patch for that here:
https://bugzilla.redhat.com/show_bug.cgi?id=847402

Tracker for Fedora's glib2.0 update:
https://bugzilla.redhat.com/show_bug.cgi?id=857227

Colin Guthrie has applied the glib2.0 patch to our package in updates_testing, but the version there is newer than what we shipped in Mageia 2, because Olav Vitters is still preparing an update to the glib/gtk/gnome stack in Mageia 2.

Either the Mageia 2 SVN branch needs to be reverted to the branched version and the patch applied there, or we need to decide it's OK to update glib now, or something else.  In the meantime, here's the version currently built in updates_testing.

glib2.0 (Mageia 2):
glib2.0-common-2.32.4-1.1.mga2
libglib2.0_0-2.32.4-1.1.mga2
libgio2.0_0-2.32.4-1.1.mga2
libglib2.0-devel-2.32.4-1.1.mga2
libglib2.0-static-devel-2.32.4-1.1.mga2
glib-gettextize-2.32.4-1.1.mga2

from glib2.0-2.32.4-1.1.mga2.src.rpm
David Walser 2012-09-20 19:50:23 CEST

CC: (none) => mageia

David Walser 2012-09-20 19:50:32 CEST

CC: (none) => tmb

David Walser 2012-09-20 19:50:41 CEST

CC: (none) => olav

David Walser 2012-09-20 19:50:53 CEST

CC: (none) => jani.valimaa

David Walser 2012-09-20 19:51:00 CEST

CC: (none) => fundawang

David Walser 2012-09-20 19:51:08 CEST

CC: (none) => cjw

David Walser 2012-09-20 19:57:32 CEST

Whiteboard: (none) => MGA2TOO
Severity: normal => major

Comment 1 David Walser 2012-09-22 16:14:13 CEST
glib2.0 is OK in Cauldron, as it's fixed in 2.33.14.
Comment 2 David Walser 2012-09-26 20:11:37 CEST
Fedora's advisories for these issues have now been released.

dbus:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088256.html

glib2.0:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088257.html

spice-gtk:
http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088245.html

The glib2.0 advisory is using the same CVE as dbus, CVE-2012-3524.
Comment 3 Colin Guthrie 2012-09-27 01:57:22 CEST
I've submitted an updated spice-gtk that should fix this spice-gtk exploit vector: spice-gtk-0.9-1.1.mga2.src.rpm
Comment 4 David Walser 2012-09-27 02:07:19 CEST
What's the status of this one in Cauldron?
Comment 5 David Walser 2012-09-27 02:20:17 CEST
I've split the glib2.0 update off yet again into Bug 7595.

For spice-gtk, pushing this to QA.

Advisory:
========================

Updated spice-gtk packages fix security vulnerability:

It was discovered that the spice-gtk setuid helper application,
spice-client-glib-usb-acl-helper, did not clear the environment variables
read by the libraries it uses. A local attacker could possibly use this
flaw to escalate their privileges by setting specific environment variables
before running the helper application (CVE-2012-4425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4425
https://rhn.redhat.com/errata/RHSA-2012-1284.html
========================

Updated packages in core/updates_testing:
========================
spice-gtk-0.9-1.1.mga2
libspice-client-glib2.0_1-0.9-1.1.mga2
libspice-client-glib-gir2.0-0.9-1.1.mga2
libspice-client-gtk3.0_1-0.9-1.1.mga2
libspice-client-gtk-gir3.0-0.9-1.1.mga2
libspice-controller0-0.9-1.1.mga2
libspice-gtk-devel-0.9-1.1.mga2

from spice-gtk-0.9-1.1.mga2.src.rpm

Assignee: bugsquad => qa-bugs
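
The advisory above describes a setuid helper that left its inherited environment intact for the libraries it loads. The block below is an added illustration, not spice-gtk's own code, of the defensive pattern a setuid helper should apply before any library initialisation: discard the whole inherited environment and re-install only fixed values from an allowlist (the kept keys and their values here are constructed assumptions).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Constructed allowlist (assumption): the only variables the helper keeps,
 * each re-set to a fixed value rather than inherited from the caller. */
static const char *const kept_keys[] = { "PATH", "IFS" };
static const char *const kept_vals[] = { "/usr/sbin:/usr/bin:/sbin:/bin", " \t\n" };
static const size_t kept_n = sizeof kept_keys / sizeof kept_keys[0];

static int env_count(void)
{
    int n = 0;
    for (char **e = environ; e && *e; e++)
        n++;
    return n;
}

/* Drop every inherited variable, then install fixed, trusted values.
 * Call this first thing in a setuid helper, before any library can read
 * the environment. Returns the number of variables discarded, or -1. */
int sanitize_environment(void)
{
    int before = env_count();
    if (clearenv() != 0)
        return -1;
    for (size_t i = 0; i < kept_n; i++)
        if (setenv(kept_keys[i], kept_vals[i], 1) != 0)
            return -1;
    return before;
}

/* Self-check: 1 if only allowlisted keys remain in the environment, else 0. */
int environment_is_clean(void)
{
    for (char **e = environ; e && *e; e++) {
        const char *eq = strchr(*e, '=');
        size_t klen = eq ? (size_t)(eq - *e) : strlen(*e);
        int ok = 0;
        for (size_t i = 0; i < kept_n && !ok; i++)
            ok = strlen(kept_keys[i]) == klen && strncmp(*e, kept_keys[i], klen) == 0;
        if (!ok)
            return 0;
    }
    return 1;
}
```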

Comment 6 Colin Guthrie 2012-09-27 09:25:11 CEST
(In reply to comment #4)
> What's the status of this one in Cauldron?

I've just applied the fix in Cauldron too (internet died last night for me so couldn't do it then) but as we have newer glib, we can't exploit this vector anyway.
Comment 7 claire robinson 2012-09-27 09:52:32 CEST
PoC: http://www.exploit-db.com/exploits/21323/

Procedure is in bug 7474 comment 15

Hardware: i586 => All
Version: Cauldron => 2
Whiteboard: MGA2TOO => has_procedure

Comment 8 Colin Guthrie 2012-09-27 10:29:37 CEST
Note that either the spice OR the glib updates should prevent exploit. Any one by itself should fix it so when testing you should really test the four permutations to be absolutely sure.
Comment 9 claire robinson 2012-09-27 11:23:21 CEST
It doesn't look like glib is ready yet Colin so I think we can treat them separately but will need to reinstall spice-gtk from release to test glib with in bug 7595 when it is ready for us.

Testing complete mga2 64

Used the PoC before update and got a root shell.

After update, deleted a.out and rebuilt it with gcc.
It now fails and has to be stopped with ctrl-c so the CVE appears closed.


Also basic regression tests:

Checked spicy (gtk app) can be started and spicy-stats displays some stats and snappy --version gives a sensible response.

Spicy-stats does show a warning but it is not a regression and there is no spice server to connect to to produce any stats.

(spicy-stats:8418): GSpice-WARNING **: main channel event: 20

Whiteboard: has_procedure => has_procedure mga2-64-OK

Comment 10 Mårten Ström 2012-09-27 12:06:19 CEST
Testing i586, MGA2.

CC: (none) => marten

Comment 11 Colin Guthrie 2012-09-27 12:07:34 CEST
(In reply to comment #9)
> It doesn't look like glib is ready yet Colin

I'm trying to poke Olav to see what he thinks about pushing it earlier than the other updates, but I think overall we'll be happy to push out the newer version. After some discussions on IRC I think we'll probably push it out, but not 100% confirmed yet.
Comment 12 claire robinson 2012-09-27 13:53:38 CEST
I don't think Mårten intends to complete testing i586 so it still needs doing.
Comment 13 claire robinson 2012-09-27 18:17:37 CEST
Testing complete mga2 32

Validating

SRPM and advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK

Comment 14 Thomas Backlund 2012-09-30 22:52:22 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0278

Status: NEW => RESOLVED
Resolution: (none) => FIXED
