CVE-2012-4425

Priority
Description
libgio, when used in setuid or other privileged programs in spice-gtk and
possibly other products, allows local users to gain privileges and execute
arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE:
it could be argued that this is a vulnerability in the applications that do
not cleanse environment variables, not in libgio itself.
Notes
 mdeslaur> Red Hat has fixed this in spice-gtk itself.
 mdeslaur> Setting as low, since spice-gtk is probably one of the only
 mdeslaur> apps to do this.
Package
Upstream: released (2.33.14)
Ubuntu 12.04 ESM (Precise Pangolin): needed
Trusty/esm: not-affected (2.34.1-1)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (2.34.1-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (2.34.1-1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (2.34.1-1)
Ubuntu 19.04 (Disco Dingo): not-affected (2.34.1-1)
Ubuntu 19.10 (Eoan): not-affected (2.34.1-1)
Patches:
Upstream: http://git.gnome.org/browse/glib/commit/?id=d6cbb29f598d677d5fc1c974cba6d9f646cff491
Package
Priority: Medium
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was not-affected [code not compiled])
Trusty/esm: DNE (trusty was not-affected [0.14-1])
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (0.14-1)
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (0.14-1)
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (0.14-1)
Ubuntu 19.04 (Disco Dingo): not-affected (0.14-1)
Ubuntu 19.10 (Eoan): not-affected (0.14-1)
Patches:
Vendor: https://rhn.redhat.com/errata/RHSA-2012-1284.html

Updated: 2019-04-26 14:14:37 UTC (commit 30899e40836d26e1bb5f0b072d31fd87b6cf3bd4)