Bug 7536 - spice-gtk new security issue CVE-2012-4425

Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/516706/
Whiteboard: has_procedure mga2-64-OK mga2-32-OK
Keywords: validated_update
Reported: 2012-09-20 19:50 CEST by David Walser
Modified: 2012-09-30 22:52 CEST
Source RPM: spice-gtk-0.9-1.mga2.src.rpm

Description David Walser 2012-09-20 19:50:14 CEST
RedHat has issued an advisory on September 17:

Mageia 2 is also affected.

This vulnerability is related to CVE-2012-3524 (Bug 7474).

This particular CVE is an issue that really is a combination issue including spice-gtk and glib2.0.  The RedHat advisory above just patched spice-gtk, but Fedora at least is also preparing a glib2.0 update for this, and there is a suggested patch for that here:

Tracker for Fedora's glib2.0 update:

Colin Guthrie has applied the glib2.0 patch to our package in updates_testing, but the version there is newer than what we shipped in Mageia 2, because Olav Vitters is still preparing an update to the glib/gtk/gnome stack in Mageia 2.

Either the Mageia 2 SVN branch needs to be reverted to the branched version and the patch applied there, or we need to decide it's OK to update glib now, or something else.  In the meantime, here's the version currently built in updates_testing.

glib2.0 (Mageia 2):

from glib2.0-2.32.4-1.1.mga2.src.rpm
Comment 1 David Walser 2012-09-22 16:14:13 CEST
glib2.0 is OK in Cauldron, as it's fixed in 2.33.14.
Comment 2 David Walser 2012-09-26 20:11:37 CEST
Fedora's advisories for these issues have now been released.
The glib2.0 advisory is using the same CVE as dbus, CVE-2012-3524.
Comment 3 Colin Guthrie 2012-09-27 01:57:22 CEST
I've submitted an updated spice-gtk that should fix this spice-gtk exploit vector: spice-gtk-0.9-1.1.mga2.src.rpm
Comment 4 David Walser 2012-09-27 02:07:19 CEST
What's the status of this one in Cauldron?
Comment 5 David Walser 2012-09-27 02:20:17 CEST
I've split the glib2.0 update off yet again into Bug 7595.

For spice-gtk, pushing this to QA.
Updated spice-gtk packages fix security vulnerability:

It was discovered that the spice-gtk setuid helper application,
spice-client-glib-usb-acl-helper, did not clear the environment variables
read by the libraries it uses. A local attacker could possibly use this
flaw to escalate their privileges by setting specific environment variables
before running the helper application (CVE-2012-4425).
Updated packages in core/updates_testing:

from spice-gtk-0.9-1.1.mga2.src.rpm
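The flaw described in the advisory above (a setuid helper leaving environment variables in place for the libraries it loads to read) is the kind a privileged helper closes by rebuilding its environment from an allowlist before any library code runs. The C program below is an added example written for this page; it is not spice-gtk's, glib's or Mageia's code. The allowlist (LANG and PATH), the pinned PATH value and the sample entries in main are assumptions made for illustration.

```c
/* Added example, not spice-gtk's code: allowlist-based environment scrubbing
 * for a setuid helper. Everything not on the allowlist is dropped and PATH is
 * pinned, so libraries initialised later see only values the helper chose. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Hypothetical allowlist: the only variables this helper is assumed to need. */
static const char *const ALLOWED[] = { "LANG", "PATH" };
/* PATH is always replaced by this fixed value, whatever the caller supplied. */
#define SAFE_PATH "/usr/bin:/bin"
static char safe_path_entry[] = "PATH=" SAFE_PATH;

/* True when the NAME part of "NAME=value" is on the allowlist (exact match). */
static int name_allowed(const char *entry, size_t name_len)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strlen(ALLOWED[i]) == name_len && strncmp(entry, ALLOWED[i], name_len) == 0)
            return 1;
    return 0;
}

/* Build a clean environment array from 'in': allowlisted entries are kept in
 * their original order (pointers reused, not copied), the pinned PATH entry is
 * appended last, and entries without '=' are dropped as malformed.
 * Returns the number of dropped entries, or -1 on allocation failure. */
int build_clean_environment(char **in, char ***out)
{
    size_t n = 0, kept = 0;
    int dropped = 0;
    while (in && in[n]) n++;
    char **clean = calloc(n + 2, sizeof *clean);   /* +1 for PATH, +1 for NULL */
    if (!clean) return -1;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(in[i], '=');
        if (!eq) { dropped++; continue; }
        size_t name_len = (size_t)(eq - in[i]);
        if (!name_allowed(in[i], name_len)) { dropped++; continue; }
        if (name_len == 4 && strncmp(in[i], "PATH", 4) == 0) continue; /* pinned below */
        clean[kept++] = in[i];
    }
    clean[kept++] = safe_path_entry;
    clean[kept] = NULL;
    *out = clean;
    return dropped;
}

/* Replace the process environment; call this before any library code runs. */
int sanitize_environment(void)
{
    char **clean = NULL;
    int dropped = build_clean_environment(environ, &clean);
    if (dropped < 0) return -1;
    environ = clean;   /* the old array is abandoned, not freed: its strings may still be referenced */
    return dropped;
}

/* A setuid helper should scrub unconditionally; this only reports whether the
 * real and effective ids actually differ, for logging or a sanity check. */
int helper_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    int dropped = sanitize_environment();
    if (dropped < 0) { perror("sanitize_environment"); return 1; }
    fprintf(stderr, "privileged=%d dropped=%d\n", helper_is_privileged(), dropped);
    for (char **e = environ; *e; e++) puts(*e);   /* what libraries will now see */
    return 0;
}
```

An allowlist is used rather than a denylist of library-honoured variable names: a denylist has to be revised every time a dependency grows a new tunable, which is exactly how a helper that looked clean when written ends up in the situation the advisory describes.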
Comment 6 Colin Guthrie 2012-09-27 09:25:11 CEST
(In reply to comment #4)
> What's the status of this one in Cauldron?

I've just applied the fix in Cauldron too (internet died last night for me so couldn't do it then) but as we have newer glib, we can't exploit this vector anyway.
Comment 7 claire robinson 2012-09-27 09:52:32 CEST
PoC: http://www.exploit-db.com/exploits/21323/

Procedure is in bug 7474 comment 15
Comment 8 Colin Guthrie 2012-09-27 10:29:37 CEST
Note that either the spice OR the glib updates should prevent exploit. Any one by itself should fix it so when testing you should really test the four permutations to be absolutely sure.
Comment 9 claire robinson 2012-09-27 11:23:21 CEST
It doesn't look like glib is ready yet Colin so I think we can treat them separately but will need to reinstall spice-gtk from release to test glib with in bug 7595 when it is ready for us.

Testing complete mga2 64

Used the PoC before update and got a root shell.

After update, deleted a.out and rebuilt it with gcc.
It now fails and has to be stopped with ctrl-c so the CVE appears closed.

Also basic regression tests:

Checked spicy (gtk app) can be started and spicy-stats displays some stats and snappy --version gives a sensible response.

Spicy-stats does show a warning but it is not a regression and there is no spice server to connect to to produce any stats.

(spicy-stats:8418): GSpice-WARNING **: main channel event: 20
Comment 10 Mårten Ström 2012-09-27 12:06:19 CEST
Testing i586, MGA2.
Comment 11 Colin Guthrie 2012-09-27 12:07:34 CEST
(In reply to comment #9)
> It doesn't look like glib is ready yet Colin

I'm trying to poke Olav to see what he thinks about pushing it earlier than the other updates, but I think overall we'll be happy to push out the newer version. After some discussions on IRC I think we'll probably push it out, but not 100% confirmed yet.
Comment 12 claire robinson 2012-09-27 13:53:38 CEST
I don't think Mårten intends to complete testing i586 so it still needs doing.
Comment 13 claire robinson 2012-09-27 18:17:37 CEST
Testing complete mga2 32
SRPM and advisory in comment 5

Could sysadmin please push from core/updates_testing to core/updates
Comment 14 Thomas Backlund 2012-09-30 22:52:22 CEST
Update pushed: