Your message dated Mon, 01 Oct 2012 15:17:40 +0000
with message-id <e1tihka-0006e0...@franck.debian.org>
and subject line Bug#689155: fixed in spice-gtk 0.12-5
has caused the Debian Bug report #689155,
regarding spice-client-glib-usb-acl-helper: CVE-2012-4425: privilege escalation via crafted environment variables
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
689155: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689155
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libspice-client-glib-2.0-1
Version: 0.12-4
Severity: critical
File: /usr/lib/x86_64-linux-gnu/spice-gtk/spice-client-glib-usb-acl-helper
Tags: security upstream patch
Justification: local root security hole

spice-client-glib-usb-acl-helper is setuid root, and does not properly
sanitize the environment variables supplied by its caller. In particular,
it can be induced to execute arbitrary code with effective uid 0
by setting environment variables that will be used by GDBus, the
GLib D-Bus client implementation.

Newer GLib packages might mitigate this, but Debian's current GLib does
not appear to do so. Here is a relatively benign exploit:

This upstream commit fixes the vulnerability (patch attached):
http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9

It might need some adjustment to apply to Debian's older spice-gtk, but
probably not much - here is the Fedora 17 patch, also for 0.12:
http://permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853050

There is a workaround for the vulnerability, although it will break some of
spice-gtk's functionality:

    chmod 0750 /usr/lib/*/spice-gtk/spice-client-glib-usb-acl-helper

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libspice-client-glib-2.0-1:amd64 depends on:
ii  libacl1                  2.2.51-8
ii  libc6                    2.13-35
ii  libglib2.0-0             2.33.12+really2.32.4-1
ii  libgudev-1.0-0           175-7
ii  libjpeg8                 8d-1
ii  libpixman-1-0            0.26.0-3
ii  libpolkit-gobject-1-0    0.105-1
ii  libpulse-mainloop-glib0  2.1-3+collabora1
ii  libpulse0                2.1-3+collabora1
ii  libsasl2-2               2.1.25.dfsg1-5
ii  libssl1.0.0              1.0.1c-4
ii  libusb-1.0-0             2:1.0.12-2
ii  libusbredirhost1         0.4.3-2
ii  libusbredirparser0       0.4.3-2
ii  multiarch-support        2.13-35
ii  zlib1g                   1:1.2.7.dfsg-13

libspice-client-glib-2.0-1:amd64 recommends no packages.

libspice-client-glib-2.0-1:amd64 suggests no packages.

-- no debconf information
From efbf867bb88845d5edf839550b54494b1bb752b9 Mon Sep 17 00:00:00 2001
From: Colin Walters <walt...@verbum.org>
Date: Fri, 14 Sep 2012 09:21:28 +0000
Subject: usb-acl-helper: Clear environment

Otherwise we can be subject to attack via environment variables such
as DBUS_SYSTEM_BUS_ADDRESS.
This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470
---
diff --git a/configure.ac b/configure.ac
index 4a220d1..c7367cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -244,6 +244,8 @@ else
         EXTERNAL_PNP_IDS="$with_pnp_ids_path"
 fi
 
+AC_CHECK_FUNCS(clearenv)
+
 PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
 AC_SUBST(GLIB2_CFLAGS)
 AC_SUBST(GLIB2_LIBS)
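Review bot: AC_CHECK_FUNCS(clearenv) only defines HAVE_CLEARENV in the generated config header, so the `#ifndef HAVE_CLEARENV` test in gtk/spice-client-glib-usb-acl-helper.c is correct only if that file includes the config header before the test; no such include is visible in this patch, so confirm it is there. Without it the fallback would be compiled even where libc provides clearenv(), and the static definition can then clash with the libc declaration.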
diff --git a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c
index 724d62a..93b9b3a 100644
--- a/gtk/spice-client-glib-usb-acl-helper.c
+++ b/gtk/spice-client-glib-usb-acl-helper.c
@@ -158,7 +158,8 @@ static void cleanup(void)
     if (state == STATE_WAITING_FOR_STDIN_EOF)
         set_facl(path, getuid(), 0);
 
-    g_main_loop_quit(loop);
+    if (loop)
+        g_main_loop_quit(loop);
 }
 
 /* Not available in polkit < 0.101 */
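Review bot: the new `if (loop)` guard in cleanup() is not explained, either in the commit message or in the code. It appears to be needed because main() can now fail in clearenv() before `loop = g_main_loop_new(NULL, FALSE)` has run; a one-line comment saying that cleanup() may be reached with loop still NULL would keep the check from being dropped later as redundant.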
@@ -311,11 +312,32 @@ polkit_authority_get_sync (GCancellable *cancellable, GError **error)
 }
 #endif
 
+#ifndef HAVE_CLEARENV
+extern char **environ;
+
+static int
+clearenv (void)
+{
+        if (environ != NULL)
+                environ[0] = NULL;
+        return 0;
+}
+#endif
+
 int main(void)
 {
     pid_t parent_pid;
     GInputStream *stdin_unix_stream;
 
+  /* Nuke the environment to get a well-known and sanitized
+   * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
+   * environment variable and similar.
+   */
+    if (clearenv () != 0) {
+        FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
+        return 1;
+    }
+
     g_type_init();
 
     loop = g_main_loop_new(NULL, FALSE);
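Review bot: in the new error branch in main(), `g_strerror (errno)` may print an unrelated message, because clearenv() is documented only as returning nonzero on failure, not as setting errno; report the failure without errno, or set errno to 0 before the call. Two smaller points: the fallback clearenv() writes `environ[0] = NULL`, which empties the list but keeps using the array supplied by the caller, and deserves a comment saying so; and the added comment block in main() is indented two spaces while the surrounding code uses four.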
--
cgit v0.9.0.2-2-gbebe

--- End Message ---
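
A fuller form of the idea behind the patch, written as an added example (not spice-gtk code and not part of the report): instead of only emptying the environment, a privileged helper can swap in a fixed environment of its own before any library initialisation reads it. The names `safe_env`, `caller_env`, `harden_environment`, `env_count` and `startup_is_clean`, and all variable values, are assumptions made for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Fixed environment owned by the helper; values are assumptions for this sketch. */
static char *safe_env[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "LANG=C",
    NULL
};

/* Replace the caller-supplied environment wholesale. This must run before
 * any library initialisation that reads the environment (GLib, GDBus, ...). */
static void harden_environment(void)
{
    environ = safe_env;
}

/* Return the number of variables currently visible through environ. */
static int env_count(void)
{
    int n = 0;
    if (environ != NULL)
        while (environ[n] != NULL)
            n++;
    return n;
}

/* Constructed sample of what an untrusted caller might pass in. */
static char *caller_env[] = {
    "DBUS_SYSTEM_BUS_ADDRESS=constructed-value",
    "PATH=/constructed/untrusted/dir",
    "G_MESSAGES_DEBUG=all",
    NULL
};

/* Simulate start-up under caller_env; return 1 if none of it survives. */
static int startup_is_clean(void)
{
    environ = caller_env;
    harden_environment();
    return getenv("DBUS_SYSTEM_BUS_ADDRESS") == NULL
        && getenv("G_MESSAGES_DEBUG") == NULL
        && strcmp(getenv("PATH"), "/usr/sbin:/usr/bin:/sbin:/bin") == 0
        && env_count() == 2;
}

int main(void)
{
    printf("clean after hardening: %s\n", startup_is_clean() ? "yes" : "no");
    return 0;
}
```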
--- Begin Message ---
Source: spice-gtk
Source-Version: 0.12-5

We believe that the bug you reported is fixed in the latest version of
spice-gtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Liang Guo <guoli...@debian.org> (supplier of updated spice-gtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Mon, 01 Oct 2012 21:30:21 +0800
Source: spice-gtk
Binary: spice-client-gtk libspice-client-glib-2.0-1 gir1.2-spice-client-glib-2.0 libspice-client-glib-2.0-dev libspice-client-gtk-2.0-1 gir1.2-spice-client-gtk-2.0 libspice-client-gtk-2.0-dev libspice-client-gtk-3.0-1 gir1.2-spice-client-gtk-3.0 libspice-client-gtk-3.0-dev python-spice-client-gtk
Architecture: source amd64
Version: 0.12-5
Distribution: unstable
Urgency: high
Maintainer: Liang Guo <guoli...@debian.org>
Changed-By: Liang Guo <guoli...@debian.org>
Description: 
 gir1.2-spice-client-glib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
 gir1.2-spice-client-gtk-2.0 - GTK2 widget for SPICE clients (GObject-Introspection)
 gir1.2-spice-client-gtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
 libspice-client-glib-2.0-1 - GObject for communicating with Spice servers (runtime library)
 libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
 libspice-client-gtk-2.0-1 - GTK2 widget for SPICE clients (runtime library)
 libspice-client-gtk-2.0-dev - GTK2 widget for SPICE clients (development files)
 libspice-client-gtk-3.0-1 - GTK3 widget for SPICE clients (runtime library)
 libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
 python-spice-client-gtk - GTK2 widget for SPICE clients (Python binding)
 spice-client-gtk - Simple clients for interacting with SPICE servers
Closes: 689155
Changes: 
 spice-gtk (0.12-5) unstable; urgency=high
 .
   * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155)

--- End Message ---
