PublicDateAtUSN: 2011-11-25
Candidate: CVE-2011-4349
PublicDate: 2011-12-10 17:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4349
 http://www.openwall.com/lists/oss-security/2011/11/25/1
 https://ubuntu.com/security/notices/USN-1289-1
Description:
 Multiple SQL injection vulnerabilities in (1) cd-mapping-db.c and (2)
 cd-device-db.c in colord before 0.1.15 allow local users to execute
 arbitrary SQL commands via vectors related to color devices and (a) device
 id, (b) property, or (c) profile id.
Ubuntu-Description:
Notes:
 tyhicks> colord runs as colord but unpriv'ed users can create devices
Bugs:
 https://bugs.freedesktop.org/show_bug.cgi?id=42904
 https://bugzilla.novell.com/show_bug.cgi?id=698250
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650021
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_colord:
 upstream: http://gitorious.org/colord/master/commit/1fadd90afcb4bbc47513466ee9bb1e4a8632ac3b
 upstream: http://gitorious.org/colord/master/commit/36549e0ed255e7dfa7852d08a75dd5f00cbd270e
upstream_colord: released (0.1.15)
hardy_colord: DNE
lucid_colord: DNE
maverick_colord: DNE
natty_colord: DNE
oneiric_colord: released (0.1.12-1ubuntu2.1)
devel_colord: released (0.1.12-1ubuntu3)