RedHat has issued an advisory on September 17: https://rhn.redhat.com/errata/RHSA-2012-1284.html

Mageia 2 is also affected.

This vulnerability is related to CVE-2012-3524 (Bug 7474). This particular CVE is an issue that really is a combination issue including spice-gtk and glib2.0. The RedHat advisory above just patched spice-gtk, but Fedora at least is also preparing a glib2.0 update for this, and there is a suggested patch for that here: https://bugzilla.redhat.com/show_bug.cgi?id=847402

Tracker for Fedora's glib2.0 update: https://bugzilla.redhat.com/show_bug.cgi?id=857227

Colin Guthrie has applied the glib2.0 patch to our package in updates_testing, but the version there is newer than what we shipped in Mageia 2, because Olav Vitters is still preparing an update to the glib/gtk/gnome stack in Mageia 2. Either the Mageia 2 SVN branch needs to be reverted to the branched version and the patch applied there, or we need to decide it's OK to update glib now, or something else.

In the meantime, here's the version currently built in updates_testing.

glib2.0 (Mageia 2):
glib2.0-common-2.32.4-1.1.mga2
libglib2.0_0-2.32.4-1.1.mga2
libgio2.0_0-2.32.4-1.1.mga2
libglib2.0-devel-2.32.4-1.1.mga2
libglib2.0-static-devel-2.32.4-1.1.mga2
glib-gettextize-2.32.4-1.1.mga2

from glib2.0-2.32.4-1.1.mga2.src.rpm
CC: (none) => mageia
CC: (none) => tmb
CC: (none) => olav
CC: (none) => jani.valimaa
CC: (none) => fundawang
CC: (none) => cjw
Whiteboard: (none) => MGA2TOO
Severity: normal => major
glib2.0 is OK in Cauldron, as it's fixed in 2.33.14.
Fedora's advisories for these issues have now been released.

dbus: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088256.html
glib2.0: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088257.html
spice-gtk: http://lists.fedoraproject.org/pipermail/package-announce/2012-September/088245.html

The glib2.0 advisory is using the same CVE as dbus, CVE-2012-3524.
I've submitted an updated spice-gtk that should fix this spice-gtk exploit vector: spice-gtk-0.9-1.1.mga2.src.rpm
What's the status of this one in Cauldron?
I've split the glib2.0 update off yet again into Bug 7595.

For spice-gtk, pushing this to QA.

Advisory:
========================

Updated spice-gtk packages fix security vulnerability:

It was discovered that the spice-gtk setuid helper application, spice-client-glib-usb-acl-helper, did not clear the environment variables read by the libraries it uses. A local attacker could possibly use this flaw to escalate their privileges by setting specific environment variables before running the helper application (CVE-2012-4425).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4425
https://rhn.redhat.com/errata/RHSA-2012-1284.html
========================

Updated packages in core/updates_testing:
========================
spice-gtk-0.9-1.1.mga2
libspice-client-glib2.0_1-0.9-1.1.mga2
libspice-client-glib-gir2.0-0.9-1.1.mga2
libspice-client-gtk3.0_1-0.9-1.1.mga2
libspice-client-gtk-gir3.0-0.9-1.1.mga2
libspice-controller0-0.9-1.1.mga2
libspice-gtk-devel-0.9-1.1.mga2

from spice-gtk-0.9-1.1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
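The advisory above describes the defect as a setuid helper that let the libraries it loads read environment variables chosen by the caller. The mitigation can be enforced from both sides: the library refuses to honour its environment tunables when it detects a privileged context, and the helper itself rebuilds its environment from an allowlist before any library initialises. The C example below is added here for illustration and is neither spice-gtk nor glib code; it assumes Linux with glibc (getauxval and AT_SECURE), and the names running_secure, secure_getenv_compat and sanitize_environment are hypothetical. The library-side check is the same idea glibc later shipped as secure_getenv().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#endif

extern char **environ;

/* Returns non-zero when the process must not trust its environment: the
 * kernel set AT_SECURE because the binary is setuid/setgid (or gained
 * capabilities), or real and effective ids differ. */
int running_secure(void)
{
#if defined(__linux__) && defined(AT_SECURE)
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* Library-side guard: a getenv() that ignores the environment in a secure
 * context, so tunables cannot be injected into a setuid helper. */
const char *secure_getenv_compat(const char *name)
{
    if (running_secure())
        return NULL;
    return getenv(name);
}

/* Helper-side guard: rebuild environ keeping only the names in `allow`
 * (NULL-terminated). Returns the number of variables dropped, or -1 on
 * allocation failure. Must run before any library reads the environment. */
int sanitize_environment(const char *const allow[])
{
    size_t nkept = 0;
    int dropped = 0;
    char **kept = calloc(1, sizeof *kept);      /* starts as an empty list */
    if (kept == NULL)
        return -1;

    for (char **e = environ; e != NULL && *e != NULL; e++) {
        const char *eq = strchr(*e, '=');
        size_t namelen = eq ? (size_t)(eq - *e) : strlen(*e);
        int keep = 0;

        for (const char *const *a = allow; *a != NULL; a++) {
            if (strlen(*a) == namelen && strncmp(*a, *e, namelen) == 0) {
                keep = 1;
                break;
            }
        }
        if (!keep) {
            dropped++;
            continue;
        }
        char **grown = realloc(kept, (nkept + 2) * sizeof *kept);
        if (grown == NULL) {
            free(kept);
            return -1;
        }
        kept = grown;
        kept[nkept++] = *e;   /* the "NAME=value" string itself is reused */
        kept[nkept] = NULL;
    }
    environ = kept;           /* the old array is left in place, never freed */
    return dropped;
}

int main(void)
{
    /* Constructed environment for the demo: one legitimate variable and
     * two glib tunables that a setuid helper must never honour. */
    setenv("PATH", "/usr/bin:/bin", 1);
    setenv("G_SLICE", "always-malloc", 1);
    setenv("G_DEBUG", "gc-friendly", 1);

    static const char *const allow[] = { "PATH", "LANG", NULL };
    int dropped = sanitize_environment(allow);
    printf("secure context: %d, dropped %d variable(s)\n",
           running_secure(), dropped);
    printf("G_SLICE after sanitizing: %s\n",
           getenv("G_SLICE") ? getenv("G_SLICE") : "(unset)");
    return dropped < 0;
}
```

The allowlist approach is the stronger of the two because it does not depend on every library the helper links against having its own AT_SECURE check; the library-side guard is what protects helpers that were never audited.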
(In reply to comment #4)
> What's the status of this one in Cauldron?

I've just applied the fix in Cauldron too (internet died last night for me so couldn't do it then) but as we have newer glib, we can't exploit this vector anyway.
PoC: http://www.exploit-db.com/exploits/21323/

Procedure is in bug 7474 comment 15
Hardware: i586 => All
Version: Cauldron => 2
Whiteboard: MGA2TOO => has_procedure
Note that either the spice OR the glib updates should prevent exploit. Any one by itself should fix it so when testing you should really test the four permutations to be absolutely sure.
It doesn't look like glib is ready yet Colin so I think we can treat them separately but will need to reinstall spice-gtk from release to test glib with in bug 7595 when it is ready for us.

Testing complete mga2 64

Used the PoC before update and got a root shell. After update, deleted a.out and rebuilt it with gcc. It now fails and has to be stopped with ctrl-c so the CVE appears closed.

Also basic regression tests.. Checked spicy (gtk app) can be started and spicy-stats displays some stats and snappy --version gives a sensible response. Spicy-stats does show a warning but it is not a regression and there is no spice server to connect to to produce any stats.

(spicy-stats:8418): GSpice-WARNING **: main channel event: 20
Whiteboard: has_procedure => has_procedure mga2-64-OK
Testing i586, MGA2.
CC: (none) => marten
(In reply to comment #9)
> It doesn't look like glib is ready yet Colin

I'm trying to poke Olav to see what he thinks about pushing it earlier than the other updates, but I think overall we'll be happy to push out the newer version. After some discussions on IRC I think we'll probably push it out, but not 100% confirmed yet.
I don't think Mårten intends to complete testing i586 so it still needs doing.
Testing complete mga2 32

Validating SRPM and advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0278
Status: NEW => RESOLVED
Resolution: (none) => FIXED