Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.9
CVE Id CVE-2012-4425
Last Modified 31 Oct 2012 12:04:04
Published 18 Sep 2012 01:55:08
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector LOCAL
Access Complexity MEDIUM
Authentication NONE

CVE-2012-4425

Summary

libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.

Vulnerable Systems

Application

  • Freedesktop Spice-gtk -

  • Gtk Libgio -


References

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=857283

MLIST - [spice-devel] 20120914 [spice-gtk] usb-acl-helper: Clear environment

BID - 55555

MLIST - [oss-security] 20120917 Re: libdbus CVE-2012-3524 fix

MLIST - [oss-security] 20120914 Re: libdbus CVE-2012-3524 fix

MLIST - [oss-security] 20120912 libdbus CVE-2012-3524 fix

EXPLOIT-DB - 21323

MLIST - [scm-commits] 20120914 [spice-gtk/f18] Add patch fixing CVE 2012-4425

REDHAT - RHSA-2012:1284


Last Updated: 27 May 2016 11:00:44