CVE-2012-4425

Priority
Description
libgio, when used in setuid or other privileged programs in spice-gtk and
possibly other products, allows local users to gain privileges and execute
arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE:
it could be argued that this is a vulnerability in the applications that do
not cleanse environment variables, not in libgio itself.
Notes
 mdeslaur> Red Hat has fixed this in spice-gtk itself.
 mdeslaur> Setting as low, since spice-gtk is probably one of the only
 mdeslaur> apps to do this.
Package
Upstream: released (2.33.14)
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (2.34.1-1)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.34.1-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.34.1-1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (2.34.1-1)
Ubuntu 19.04 (Disco Dingo): not-affected (2.34.1-1)
Patches:
Upstream: http://git.gnome.org/browse/glib/commit/?id=d6cbb29f598d677d5fc1c974cba6d9f646cff491
Package
Priority: Medium
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected [code not compiled])
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (0.14-1)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (0.14-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (0.14-1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (0.14-1)
Ubuntu 19.04 (Disco Dingo): not-affected (0.14-1)
Patches:
Vendor: https://rhn.redhat.com/errata/RHSA-2012-1284.html
Updated: 2019-01-14 21:14:39 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)