CVE-2013-4324
Published: 3 October 2013
spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
Priority
Status
Package | Release | Status |
---|---|---|
spice-gtk Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Ignored
(end of life)
|
|
quantal |
Ignored
(end of life)
|
|
raring |
Ignored
(end of life)
|
|
saucy |
Ignored
(end of life)
|
|
trusty |
Does not exist
(trusty was not-affected [0.22-0nocent2])
|
|
upstream |
Needs triage
|
|
utopic |
Not vulnerable
(0.22-0nocent2)
|
|
vivid |
Not vulnerable
(0.22-0nocent2)
|
|
wily |
Not vulnerable
(0.22-0nocent2)
|
|
xenial |
Not vulnerable
(0.22-0nocent2)
|
|
yakkety |
Not vulnerable
(0.22-0nocent2)
|
|
zesty |
Not vulnerable
(0.22-0nocent2)
|