Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package spice-gtk. It fixes a root security hole via GDBus (#689155), by correctly sanitizing the environment in a setuid helper before doing anything non-trivial. This is basically the same flaw as the one mitigated by #689070 in dbus, but with GDBus instead of libdbus, and fixing it in the setuid program rather than second-guessing it in the library.

unblock spice-gtk/0.12-5

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diffstat for spice-gtk-0.12 spice-gtk-0.12 changelog | 6 ++ patches/clearenv-in-usb-acl-helper.patch | 64 +++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 71 insertions(+) diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog --- spice-gtk-0.12/debian/changelog 2012-07-08 18:20:26.000000000 +0100 +++ spice-gtk-0.12/debian/changelog 2012-10-01 14:31:41.000000000 +0100 @@ -1,3 +1,9 @@ +spice-gtk (0.12-5) unstable; urgency=high + + * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155) + + -- Liang Guo <[email protected]> Mon, 01 Oct 2012 21:30:21 +0800 + spice-gtk (0.12-4) unstable; urgency=low * Correct version problem in *.pc (Closes: #680290) diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch --- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 1970-01-01 01:00:00.000000000 +0100 +++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 2012-10-01 14:29:38.000000000 +0100 
@@ -0,0 +1,64 @@ +Author: Colin Walters <[email protected]> +Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9 +Date: Fri, 14 Sep 2012 09:21:28 +0000 +Subject: usb-acl-helper: Clear environment + +Otherwise we can be subject to attack via environment variables such +as DBUS_SYSTEM_BUS_ADDRESS. +This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470 +--- a/configure.ac ++++ b/configure.ac +@@ -256,6 +256,8 @@ + EXTERNAL_PNP_IDS="$with_pnp_ids_path" + fi + ++AC_CHECK_FUNCS(clearenv) ++ + PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22) + AC_SUBST(GLIB2_CFLAGS) + AC_SUBST(GLIB2_LIBS) +--- a/gtk/spice-client-glib-usb-acl-helper.c ++++ b/gtk/spice-client-glib-usb-acl-helper.c +@@ -158,7 +158,8 @@ + if (state == STATE_WAITING_FOR_STDIN_EOF) + set_facl(path, getuid(), 0); + +- g_main_loop_quit(loop); ++ if (loop) ++ g_main_loop_quit(loop); + } + + /* Not available in polkit < 0.101 */ +@@ -311,11 +312,32 @@ + } + #endif + ++#ifndef HAVE_CLEARENV ++extern char **environ; ++ ++static int ++clearenv (void) ++{ ++ if (environ != NULL) ++ environ[0] = NULL; ++ return 0; ++} ++#endif ++ + int main(void) + { + pid_t parent_pid; + GInputStream *stdin_unix_stream; + ++ /* Nuke the environment to get a well-known and sanitized ++ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS ++ * environment variable and similar. ++ */ ++ if (clearenv () != 0) { ++ FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno)); ++ return 1; ++ } ++ + g_type_init(); + + loop = g_main_loop_new(NULL, FALSE); diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series --- spice-gtk-0.12/debian/patches/series 2012-06-28 18:15:40.000000000 +0100 +++ spice-gtk-0.12/debian/patches/series 2012-10-01 14:19:27.000000000 +0100 @@ -2,3 +2,4 @@ fix-parsing-uri-query.patch fix-spice-audio-binding.patch make-celt-to-be-optional.patch +clearenv-in-usb-acl-helper.patch
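Review bot: In the debian/changelog hunk, the 0.12-5 entry names only the patch file and the bug number, while the patch header states that the change addresses CVE-2012-4425. The changelog line should carry that identifier and say what the patch does, for example "Add patch clearenv-in-usb-acl-helper.patch: clear the environment in the usb-acl-helper (CVE-2012-4425) (Closes: #689155)", so the urgency=high upload is traceable to the CVE from the changelog alone.
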
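Review bot: The new "if (loop)" guard around g_main_loop_quit(loop) in the @@ -158,7 +158,8 hunk of gtk/spice-client-glib-usb-acl-helper.c has no comment saying when loop can be NULL, and the patch subject does not mention it. The main() hunk places the clearenv() failure path ahead of "loop = g_main_loop_new(NULL, FALSE);", which looks like the case the guard is meant to cover; a one-line comment at the guard stating that would keep it from being removed later as dead code.
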
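Review bot: The "#ifndef HAVE_CLEARENV" fallback in the @@ -311,11 +312,32 hunk depends on the configure result from AC_CHECK_FUNCS(clearenv) being visible in this file, and the new error path in main() reads errno, but no hunk for spice-client-glib-usb-acl-helper.c adds an include. Please confirm that config.h and <errno.h> are already included above this block; without config.h the fallback would be compiled on every platform. Two smaller points in the same hunk: the fallback always returns 0, so on platforms without clearenv() the FATAL_ERROR branch is unreachable, and the comment's "well-known and sanitized environment" would be more accurate as "empty environment", since nothing is set after the call.
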

