Package: libspice-client-glib-2.0-1
Version: 0.12-4
Severity: critical
File: /usr/lib/x86_64-linux-gnu/spice-gtk/spice-client-glib-usb-acl-helper
Tags: security upstream patch
Justification: local root security hole

spice-client-glib-usb-acl-helper is setuid root, and does not properly sanitize the environment variables supplied by its caller. In particular, it can be induced to execute arbitrary code with effective uid 0 by setting environment variables that will be used by GDBus, the GLib D-Bus client implementation. Newer GLib packages might mitigate this, but Debian's current GLib does not appear to do so.

Here is a relatively benign exploit:

This upstream commit fixes the vulnerability (patch attached):
http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9

It might need some adjustment to apply to Debian's older spice-gtk, but probably not much - here is the Fedora 17 patch, also for 0.12:
http://permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853050

There is a workaround for the vulnerability, although it will break some of spice-gtk's functionality:

chmod 0750 /usr/lib/*/spice-gtk/spice-client-glib-usb-acl-helper

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libspice-client-glib-2.0-1:amd64 depends on:
ii  libacl1                  2.2.51-8
ii  libc6                    2.13-35
ii  libglib2.0-0             2.33.12+really2.32.4-1
ii  libgudev-1.0-0           175-7
ii  libjpeg8                 8d-1
ii  libpixman-1-0            0.26.0-3
ii  libpolkit-gobject-1-0    0.105-1
ii  libpulse-mainloop-glib0  2.1-3+collabora1
ii  libpulse0                2.1-3+collabora1
ii  libsasl2-2               2.1.25.dfsg1-5
ii  libssl1.0.0              1.0.1c-4
ii  libusb-1.0-0             2:1.0.12-2
ii  libusbredirhost1         0.4.3-2
ii  libusbredirparser0       0.4.3-2
ii  multiarch-support        2.13-35
ii  zlib1g                   1:1.2.7.dfsg-13

libspice-client-glib-2.0-1:amd64 recommends no packages.

libspice-client-glib-2.0-1:amd64 suggests no packages.

-- no debconf information
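The mitigation the report asks for, shown as an added example rather than spice-gtk's own code: a setuid helper drops the inherited environment before any library (GDBus, polkit) can read it, installs a small fixed allow-list, and checks the post-condition. SAFE_PATH, the function names and the list of watched variables are assumptions for this example.

```c
/* Added example, not the spice-gtk helper: environment sanitisation for a
 * setuid program.  The caller controls every inherited variable, and linked
 * libraries (GDBus reads DBUS_SYSTEM_BUS_ADDRESS) honour them with euid 0,
 * so the only safe inherited environment is an empty one. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Fixed PATH installed after clearing (assumed value for this example). */
#define SAFE_PATH "/usr/bin:/bin"

/* Variables a D-Bus-using helper must never inherit (assumed list). */
const char *const gdbus_env_vars[] = {
    "DBUS_SYSTEM_BUS_ADDRESS",
    "DBUS_SESSION_BUS_ADDRESS",
    NULL
};

/* Portable clear: glibc provides clearenv(); elsewhere empty the environ
 * array the C runtime handed us, which is what the attached patch's
 * fallback does too. */
static int clear_environment(void)
{
#ifdef __GLIBC__
    return clearenv();
#else
    if (environ != NULL)
        environ[0] = NULL;
    return 0;
#endif
}

/* Drop the inherited environment, then rebuild only what the helper needs.
 * Returns 0 on success, -1 otherwise. */
int sanitize_env_for_setuid(void)
{
    if (clear_environment() != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;
    return 0;
}

/* Post-condition a helper can assert before touching D-Bus or polkit:
 * 1 if none of the named variables is present, 0 if any survived. */
int env_is_clean(const char *const *names)
{
    for (; *names != NULL; names++)
        if (getenv(*names) != NULL)
            return 0;
    return 1;
}
```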
>From efbf867bb88845d5edf839550b54494b1bb752b9 Mon Sep 17 00:00:00 2001 From: Colin Walters <[email protected]> Date: Fri, 14 Sep 2012 09:21:28 +0000 Subject: usb-acl-helper: Clear environment Otherwise we can be subject to attack via environment variables such as DBUS_SYSTEM_BUS_ADDRESS. This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470 --- diff --git a/configure.ac b/configure.ac index 4a220d1..c7367cc 100644 --- a/configure.ac +++ b/configure.ac @@ -244,6 +244,8 @@ else EXTERNAL_PNP_IDS="$with_pnp_ids_path" fi +AC_CHECK_FUNCS(clearenv) + PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22) AC_SUBST(GLIB2_CFLAGS) AC_SUBST(GLIB2_LIBS) diff --git a/gtk/spice-client-glib-usb-acl-helper.c b/gtk/spice-client-glib-usb-acl-helper.c index 724d62a..93b9b3a 100644 --- a/gtk/spice-client-glib-usb-acl-helper.c +++ b/gtk/spice-client-glib-usb-acl-helper.c @@ -158,7 +158,8 @@ static void cleanup(void) if (state == STATE_WAITING_FOR_STDIN_EOF) set_facl(path, getuid(), 0); - g_main_loop_quit(loop); + if (loop) + g_main_loop_quit(loop); } /* Not available in polkit < 0.101 */ @@ -311,11 +312,32 @@ polkit_authority_get_sync (GCancellable *cancellable, GError **error) } #endif +#ifndef HAVE_CLEARENV +extern char **environ; + +static int +clearenv (void) +{ + if (environ != NULL) + environ[0] = NULL; + return 0; +} +#endif + int main(void) { pid_t parent_pid; GInputStream *stdin_unix_stream; + /* Nuke the environment to get a well-known and sanitized + * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS + * environment variable and similar. + */ + if (clearenv () != 0) { + FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno)); + return 1; + } + g_type_init(); loop = g_main_loop_new(NULL, FALSE); -- cgit v0.9.0.2-2-gbebe
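Review bot: AC_CHECK_FUNCS(clearenv) in the configure.ac hunk only defines HAVE_CLEARENV in config.h, and the helper hunk adds no `#include <config.h>` to gtk/spice-client-glib-usb-acl-helper.c; if that file does not already include it, the `#ifndef HAVE_CLEARENV` block will always compile the static clearenv(), which on glibc collides with the non-static declaration in <stdlib.h>. Confirm the include is present or add it with this change.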
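Review bot: the `if (loop)` guard in the cleanup() hunk deserves a comment saying why it exists: main() can now fail and return before `loop = g_main_loop_new(NULL, FALSE)` runs, so a cleanup() call on that path would otherwise pass NULL to g_main_loop_quit(). Without the comment the guard looks gratuitous and is likely to be "simplified" away later.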
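Review bot: in the main() hunk, `FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno))` can print a stale errno: the fallback clearenv() returns 0 unconditionally and never sets errno, and glibc's clearenv() is not documented to set it either. Either drop the g_strerror() or set errno = 0 before the call. Also note that clearing the environment removes PATH and HOME along with DBUS_SYSTEM_BUS_ADDRESS; if anything later in the helper depends on them, set a fixed safe value right after clearenv() rather than relying on the inherited one.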

