Mageia Bugzilla – Bug 7536
spice-gtk new security issue CVE-2012-4425
Last modified: 2012-09-30 22:52:22 CEST
RedHat has issued an advisory on September 17:
Mageia 2 is also affected.
This vulnerability is related to CVE-2012-3524 (Bug 7474).
This particular CVE is an issue that really is a combination issue including spice-gtk and glib2.0. The RedHat advisory above just patched spice-gtk, but Fedora at least is also preparing a glib2.0 update for this, and there is a suggested patch for that here:
Tracker for Fedora's glib2.0 update:
Colin Guthrie has applied the glib2.0 patch to our package in updates_testing, but the version there is newer than what we shipped in Mageia 2, because Olav Vitters is still preparing an update to the glib/gtk/gnome stack in Mageia 2.
Either the Mageia 2 SVN branch needs to be reverted to the branched version and the patch applied there, or we need to decide it's OK to update glib now, or something else. In the meantime, here's the version currently built in updates_testing.
glib2.0 (Mageia 2):
glib2.0 is OK in Cauldron, as it's fixed in 2.33.14.
Fedora's advisories for these issues have now been released.
The glib2.0 advisory is using the same CVE as dbus, CVE-2012-3524.
I've submitted an updated spice-gtk that should fix this spice-gtk exploit vector: spice-gtk-0.9-1.1.mga2.src.rpm
What's the status of this one in Cauldron?
I've split the glib2.0 update off yet again into Bug 7595.
For spice-gtk, pushing this to QA.
Updated spice-gtk packages fix security vulnerability:
It was discovered that the spice-gtk setuid helper application,
spice-client-glib-usb-acl-helper, did not clear the environment variables
read by the libraries it uses. A local attacker could possibly use this
flaw to escalate their privileges by setting specific environment variables
before running the helper application (CVE-2012-4425).
Updated packages in core/updates_testing:
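The advisory above describes the bug class, a setuid helper that lets the caller's environment reach the libraries it links, rather than the fix itself. The block below is an added example, not spice-gtk's own code or its patch: it shows the two pieces a hardened helper needs, a privilege check in the spirit of glibc's secure_getenv() and an allowlist scrub of the environment. The allowlist (TERM, LANG), the fixed PATH, and the function names are assumptions made for illustration. Compile on Linux with gcc (clearenv() is a glibc/musl extension).

```c
/* Added example: environment hygiene for a setuid helper.
 * Not spice-gtk code; names and the allowlist are illustrative. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

extern char **environ;
int clearenv(void);               /* glibc/musl extension; prototype for safety */

/* Variables the helper legitimately needs (assumed for the example).
 * Anything not listed here is dropped before libraries can read it. */
static const char *const keep[] = { "TERM", "LANG", NULL };

/* True when the process runs with privileges its invoker does not have
 * (setuid/setgid). This is the condition under which environment input
 * must be treated as attacker-controlled. */
int running_with_elevated_privileges(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Mirrors glibc secure_getenv(): refuse environment lookups entirely
 * when running elevated, so a library using this wrapper cannot be
 * steered by the caller. Returns NULL in that case. */
const char *safe_getenv(const char *name)
{
    if (running_with_elevated_privileges())
        return NULL;
    return getenv(name);
}

/* Replace the inherited environment with an allowlisted subset plus a
 * fixed PATH. Returns the number of variables removed, or -1 on error.
 * Call this as the first thing in main(), before any library init. */
int scrub_environment(void)
{
    size_t nkeep = sizeof(keep) / sizeof(keep[0]);
    char *saved[sizeof(keep) / sizeof(keep[0])];
    size_t total = 0, kept = 0;
    char **e;

    for (e = environ; e && *e; e++)
        total++;

    /* Copy kept values first: clearenv() invalidates the old strings. */
    for (size_t i = 0; i < nkeep && keep[i]; i++) {
        const char *v = getenv(keep[i]);
        saved[i] = v ? strdup(v) : NULL;
        if (v)
            kept++;
    }

    if (clearenv() != 0)
        return -1;

    for (size_t i = 0; i < nkeep && keep[i]; i++) {
        if (saved[i]) {
            setenv(keep[i], saved[i], 1);
            free(saved[i]);
        }
    }
    /* Trusted PATH regardless of what the invoker supplied. */
    setenv("PATH", "/usr/bin:/bin", 1);

    return (int)(total - kept);
}

int main(void)
{
    int removed = scrub_environment();
    if (removed < 0) {
        perror("scrub_environment");
        return 1;
    }
    printf("elevated=%d removed=%d PATH=%s\n",
           running_with_elevated_privileges(), removed, getenv("PATH"));
    return 0;
}
```

One caveat worth keeping in mind when reviewing a fix of this kind: libraries that consult the environment in constructors (code that runs before main()) have already read it by the time scrub_environment() executes, so for those the robust pattern is to re-exec the helper with a clean environment rather than scrub in place. The four-permutation test suggested later in this bug (each of spice-gtk and glib2.0 patched or unpatched) is the right way to confirm that both sides close the vector independently.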
(In reply to comment #4)
> What's the status of this one in Cauldron?
I've just applied the fix in Cauldron too (internet died last night for me so couldn't do it then) but as we have newer glib, we can't exploit this vector anyway.
Procedure is in bug 7474 comment 15
Note that either the spice OR the glib updates should prevent exploit. Any one by itself should fix it so when testing you should really test the four permutations to be absolutely sure.
It doesn't look like glib is ready yet Colin so I think we can treat them separately but will need to reinstall spice-gtk from release to test glib with in bug 7595 when it is ready for us.
Testing complete mga2 64
Used the PoC before update and got a root shell.
After update, deleted a.out and rebuilt it with gcc.
It now fails and has to be stopped with ctrl-c so the CVE appears closed.
Also basic regression tests:
Checked spicy (gtk app) can be started and spicy-stats displays some stats and snappy --version gives a sensible response.
spicy-stats does show a warning, but it is not a regression and there is no spice server to connect to, so no stats can be produced.
(spicy-stats:8418): GSpice-WARNING **: main channel event: 20
Testing i586, MGA2.
(In reply to comment #9)
> It doesn't look like glib is ready yet Colin
I'm trying to poke Olav to see what he thinks about pushing it earlier than the other updates, but I think overall we'll be happy to push out the newer version. After some discussions on IRC I think we'll probably push it out, but not 100% confirmed yet.
I don't think Mårten intends to complete testing i586 so it still needs doing.
Testing complete mga2 32
SRPM and advisory in comment 5
Could sysadmin please push from core/updates_testing to core/updates