spice-client-glib-usb-acl-helper: CVE-2012-4425: privilege escalation via crafted environment variables

Debian Bug report logs - #689155
spice-client-glib-usb-acl-helper: CVE-2012-4425: privilege escalation via crafted environment variables

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: spice-client-glib-usb-acl-helper: CVE-2012-4425: privilege escalation via crafted environment variables

Date: Sat, 29 Sep 2012 16:22:09 +0100

[Message part 1 (text/plain, inline)]

Package: libspice-client-glib-2.0-1
Version: 0.12-4
Severity: critical
File: /usr/lib/x86_64-linux-gnu/spice-gtk/spice-client-glib-usb-acl-helper
Tags: security upstream patch
Justification: local root security hole

spice-client-glib-usb-acl-helper is setuid root, and does not properly
sanitize the environment variables supplied by its caller. In particular,
it can be induced to execute arbitrary code with effective uid 0
by setting environment variables that will be used by GDBus, the
GLib D-Bus client implementation.

Newer GLib packages might mitigate this, but Debian's current GLib does
not appear to do so. Here is a relatively benign exploit:

This upstream commit fixes the vulnerability (patch attached):
http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9

It might need some adjustment to apply to Debian's older spice-gtk, but
probably not much - here is the Fedora 17 patch, also for 0.12:
http://permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853050

There is a workaround for the vulnerability, although it will break some of
spice-gtk's functionality:

    chmod 0750 /usr/lib/*/spice-gtk/spice-client-glib-usb-acl-helper

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libspice-client-glib-2.0-1:amd64 depends on:
ii  libacl1                  2.2.51-8
ii  libc6                    2.13-35
ii  libglib2.0-0             2.33.12+really2.32.4-1
ii  libgudev-1.0-0           175-7
ii  libjpeg8                 8d-1
ii  libpixman-1-0            0.26.0-3
ii  libpolkit-gobject-1-0    0.105-1
ii  libpulse-mainloop-glib0  2.1-3+collabora1
ii  libpulse0                2.1-3+collabora1
ii  libsasl2-2               2.1.25.dfsg1-5
ii  libssl1.0.0              1.0.1c-4
ii  libusb-1.0-0             2:1.0.12-2
ii  libusbredirhost1         0.4.3-2
ii  libusbredirparser0       0.4.3-2
ii  multiarch-support        2.13-35
ii  zlib1g                   1:1.2.7.dfsg-13

libspice-client-glib-2.0-1:amd64 recommends no packages.

libspice-client-glib-2.0-1:amd64 suggests no packages.

-- no debconf information

[spice-gtk.patch (text/x-diff, attachment)]

Message #10 received at 689155-close@bugs.debian.org (full text, mbox, reply):

From: Liang Guo <guoliang@debian.org>

To: 689155-close@bugs.debian.org

Subject: Bug#689155: fixed in spice-gtk 0.12-5

Date: Mon, 01 Oct 2012 15:17:40 +0000

Source: spice-gtk
Source-Version: 0.12-5

We believe that the bug you reported is fixed in the latest version of
spice-gtk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 689155@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Liang Guo <guoliang@debian.org> (supplier of updated spice-gtk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 01 Oct 2012 21:30:21 +0800
Source: spice-gtk
Binary: spice-client-gtk libspice-client-glib-2.0-1 gir1.2-spice-client-glib-2.0 libspice-client-glib-2.0-dev libspice-client-gtk-2.0-1 gir1.2-spice-client-gtk-2.0 libspice-client-gtk-2.0-dev libspice-client-gtk-3.0-1 gir1.2-spice-client-gtk-3.0 libspice-client-gtk-3.0-dev python-spice-client-gtk
Architecture: source amd64
Version: 0.12-5
Distribution: unstable
Urgency: high
Maintainer: Liang Guo <guoliang@debian.org>
Changed-By: Liang Guo <guoliang@debian.org>
Description: 
 gir1.2-spice-client-glib-2.0 - GObject for communicating with Spice servers (GObject-Introspecti
 gir1.2-spice-client-gtk-2.0 - GTK2 widget for SPICE clients (GObject-Introspection)
 gir1.2-spice-client-gtk-3.0 - GTK3 widget for SPICE clients (GObject-Introspection)
 libspice-client-glib-2.0-1 - GObject for communicating with Spice servers (runtime library)
 libspice-client-glib-2.0-dev - GObject for communicating with Spice servers (development files)
 libspice-client-gtk-2.0-1 - GTK2 widget for SPICE clients (runtime library)
 libspice-client-gtk-2.0-dev - GTK2 widget for SPICE clients (development files)
 libspice-client-gtk-3.0-1 - GTK3 widget for SPICE clients (runtime library)
 libspice-client-gtk-3.0-dev - GTK3 widget for SPICE clients (development files)
 python-spice-client-gtk - GTK2 widget for SPICE clients (Python binding)
 spice-client-gtk - Simple clients for interacting with SPICE servers
Closes: 689155
Changes: 
 spice-gtk (0.12-5) unstable; urgency=high
 .
   * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155)
Checksums-Sha1: 
 50db6661665a155de5cad9028dce2c66ca380c4d 3174 spice-gtk_0.12-5.dsc
 52625b6be554be3bbe4a2d12f3c1b7e4a5027adc 15268 spice-gtk_0.12-5.debian.tar.gz
 9f318507e970b4baf3ef9f3eae0285c90a215295 118558 spice-client-gtk_0.12-5_amd64.deb
 eca68098bf28211e8ae15b80e24ca3a841aea258 408130 libspice-client-glib-2.0-1_0.12-5_amd64.deb
 2f809f22cf84c5516aaf52af663807d320cbe6b3 65656 gir1.2-spice-client-glib-2.0_0.12-5_amd64.deb
 dfd78ba3a89d4992496f28b56c84d3f8114ab7d9 86258 libspice-client-glib-2.0-dev_0.12-5_amd64.deb
 d7a630f5cbed66a3c23d536a4a1c5e50f2e17868 92644 libspice-client-gtk-2.0-1_0.12-5_amd64.deb
 55cc502bfa8a2349ef0e0a322c98a15c2211e379 60634 gir1.2-spice-client-gtk-2.0_0.12-5_amd64.deb
 62bd3958bb17e563a87cee21b11c0361f20e5e2d 133990 libspice-client-gtk-2.0-dev_0.12-5_amd64.deb
 2bc1e95ce0997413629922bc4cd9831e254d315d 92558 libspice-client-gtk-3.0-1_0.12-5_amd64.deb
 b9eb66afd828bb84a3264f64fd3043049bf96232 60648 gir1.2-spice-client-gtk-3.0_0.12-5_amd64.deb
 2f89529e187a54c43f68f6e7f42787396527fd35 66044 libspice-client-gtk-3.0-dev_0.12-5_amd64.deb
 120238a74b6ddb6e55438752576c01e86c5f33f8 72164 python-spice-client-gtk_0.12-5_amd64.deb
Checksums-Sha256: 
 b2e387f4fdfafe66562db8737af827e61ba1569f3b69d5937cc4ed63aaa02f3d 3174 spice-gtk_0.12-5.dsc
 de7b86115cab75ab40e15f7fa66758f1ba454d1d71597bb8f4b493b5ee82c31d 15268 spice-gtk_0.12-5.debian.tar.gz
 cec9e0761fd4638e34648684ef60bf30c439f1c33d2d5cba68502137fecc3e24 118558 spice-client-gtk_0.12-5_amd64.deb
 854b4fe08b3135389a5a60b5fb5a38c07bb9aa5ed2bdca6d39c9f51247f493fa 408130 libspice-client-glib-2.0-1_0.12-5_amd64.deb
 1fbd4b1ac697afbb6a579c227fffaceab68efc9e6677c5afb37ae0c120d9b52e 65656 gir1.2-spice-client-glib-2.0_0.12-5_amd64.deb
 0520b37b7b6385bd943ab53b4639d0632213db4510fde75f6bfcde5f04b16ebd 86258 libspice-client-glib-2.0-dev_0.12-5_amd64.deb
 a24073b39d9ae86213d9872cfc89a464121dec3fc8d0e1aba2afaf4e0d9716b8 92644 libspice-client-gtk-2.0-1_0.12-5_amd64.deb
 f61b66b6b262479124276445aaf26eda6710995314fa5bf43866b712cfdba401 60634 gir1.2-spice-client-gtk-2.0_0.12-5_amd64.deb
 91b9d3e56ecd188b7e81a42c45747e4fe46e152f8f74229a57194acd1ed90f5f 133990 libspice-client-gtk-2.0-dev_0.12-5_amd64.deb
 9f7eb15181bd0572eb51fffde4e5cfdc815fca91411960465f6ef384a136f3e1 92558 libspice-client-gtk-3.0-1_0.12-5_amd64.deb
 920936dd8e8b35e45bada0e89192bd5d36f599276770fca5aea1e22149aec3af 60648 gir1.2-spice-client-gtk-3.0_0.12-5_amd64.deb
 c585d88335350a0b70813b688f7b44cc72f0706975a33ebaf4559c2161777d46 66044 libspice-client-gtk-3.0-dev_0.12-5_amd64.deb
 31c3e737d5f83fc5316393bb7064b404b287b1f8e95e9fd8c53308de8beaca2f 72164 python-spice-client-gtk_0.12-5_amd64.deb
Files: 
 e9bf8f6e2d900f1265c55425a0831c0a 3174 misc optional spice-gtk_0.12-5.dsc
 c9a49a966f652b6ea6c63cfeac012138 15268 misc optional spice-gtk_0.12-5.debian.tar.gz
 e6e7de9da37201b7e283dc52a65c9af4 118558 misc optional spice-client-gtk_0.12-5_amd64.deb
 d6f80e4d101cbefd79da41cedc8c22a5 408130 libs optional libspice-client-glib-2.0-1_0.12-5_amd64.deb
 c4ceafcac40089c86cb3981f93453148 65656 introspection optional gir1.2-spice-client-glib-2.0_0.12-5_amd64.deb
 4eba689680024ab4feb4ff21d56d7e8f 86258 libdevel optional libspice-client-glib-2.0-dev_0.12-5_amd64.deb
 63ce08e0bbf44789c9e87bd9884c74c6 92644 libs optional libspice-client-gtk-2.0-1_0.12-5_amd64.deb
 51a65aac0a58cb78a2efb170d226eb3f 60634 introspection optional gir1.2-spice-client-gtk-2.0_0.12-5_amd64.deb
 73f958c65e40999daa738384ac7e4553 133990 libdevel optional libspice-client-gtk-2.0-dev_0.12-5_amd64.deb
 455a460ba38d25ca1b8bec303b036fdf 92558 libs optional libspice-client-gtk-3.0-1_0.12-5_amd64.deb
 43a99f8f929636660c6a460537ee7f61 60648 introspection optional gir1.2-spice-client-gtk-3.0_0.12-5_amd64.deb
 9d98d65b29c3c44ae8ee366ed5a613b3 66044 libdevel optional libspice-client-gtk-3.0-dev_0.12-5_amd64.deb
 01b5bf7986120631d19b48c73c2d5a26 72164 python optional python-spice-client-gtk_0.12-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJQaa8SAAoJEIK1tAhowJe8sxwQAJNdWy9k929VqylrirZazbcj
lZI5qQCwu5ZrD4e9e6VliFG4R0hKmPAzGEadr5apDhsE5T5Bgr5L5yQISarffysx
9KYMNIy0RqIfn/0VdFJMwfDiJ66e2L6hvWeT8T9k3Y2mdKA+NcNJ5dQo3ijEzTL5
VALYykZDWRuB/rwTln1WjPNl16DYMHFnlrltMJBjZJhsBdb8xDW4AmsUnaaLOq6y
oNIj/GbPT34fYkKAOK61wW808bQJz1QuS1ep7HR7okerkG3XuUWRat9NxKzbhiRY
2yMhT2VbeJp7KPvlLYdIbCDM+Y6oRpbjiA55eQOiC1j7CkZdb/l5LWM2HPiDhmPh
b1kuWnP9VU/bywXOqGIelCdN/2aq6AdMKyN7BeTa97Dx2va8RgC4WDwkoHdE5QFi
7aGpSJ5m41HpUaIUdnxybERMn8xqGhCNAiEqgYawQr/cWyfF2f9CKKmCtIr3t2lH
XnEdKKg2QzLH3x96c74AcR5YIIHFwFEPbxG+CeVfIPLvZEXVP2ZqOBs+wcznxrcW
ljlrhgt/FPmKGkmtWurgCkXZVZ8ciSzadlIWjjoqFwI0eCBjQy0L9y4WtdEOu6MW
BJlyBAtykh/YG4U774tn6ZQGPNR9z8uSLSeBT0Y/SQJPZ1zBtE9NDaZlYMNLoan6
3Zdbuytkl0SlE5M7Qt01
=z93B
-----END PGP SIGNATURE-----

Message #15 received at 689155@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>

To: 689155@bugs.debian.org

Subject: Re: Bug#689155 closed by Liang Guo <guoliang@debian.org> (Bug#689155: fixed in spice-gtk 0.12-5)

Date: Tue, 02 Oct 2012 10:06:25 +0100

On 01/10/12 16:21, Debian Bug Tracking System wrote:
> It has been closed by Liang Guo <guoliang@debian.org>.

Thanks for your quick upload! I've confirmed that it prevents the
attacks I was aware of, and requested an unblock (#689390).

    S

Message #20 received at 689155@bugs.debian.org (full text, mbox, reply):

From: Liang Guo <bluestonechina@gmail.com>

To: Simon McVittie <smcv@debian.org>, 689155@bugs.debian.org

Subject: Re: Bug#689155: closed by Liang Guo <guoliang@debian.org> (Bug#689155: fixed in spice-gtk 0.12-5)

Date: Tue, 2 Oct 2012 21:24:21 +0800

On Tue, Oct 2, 2012 at 5:06 PM, Simon McVittie <smcv@debian.org> wrote:
> On 01/10/12 16:21, Debian Bug Tracking System wrote:
>> It has been closed by Liang Guo <guoliang@debian.org>.
>
> Thanks for your quick upload! I've confirmed that it prevents the
> attacks I was aware of, and requested an unblock (#689390).
>
>     S
Thank you to submit the unblock bug. I'm on my vocation, so I cannot spend
more time on Debian.


-- 
Liang Guo
http://bluestone.cublog.cn

Send a report that this bug log contains spam.