spice security update

2013-09-2002:25:25

CentOS Project

lists.centos.org

4.6 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.1%

JSON

CentOS Errata and Security Advisory CESA-2013:1273

The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for SPICE
(Simple Protocol for Independent Computing Environments) clients. Both
Virtual Machine Manager and Virtual Machine Viewer can make use of this
widget to access virtual machines using the SPICE protocol.

spice-gtk communicated with PolicyKit for authorization via an API that is
vulnerable to a race condition. This could lead to intended PolicyKit
authorizations being bypassed. This update modifies spice-gtk to
communicate with PolicyKit via a different API that is not vulnerable to
the race condition. (CVE-2013-4324)

All users of spice-gtk are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-September/082112.html

Affected packages:
spice-glib
spice-glib-devel
spice-gtk
spice-gtk-devel
spice-gtk-python
spice-gtk-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2013:1273

OSVersionArchitecturePackageVersionFilename
CentOS6i686spice-glib< 0.14-7.el6_4.3spice-glib-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-glib-devel< 0.14-7.el6_4.3spice-glib-devel-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-gtk< 0.14-7.el6_4.3spice-gtk-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-gtk-devel< 0.14-7.el6_4.3spice-gtk-devel-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-gtk-python< 0.14-7.el6_4.3spice-gtk-python-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-gtk-tools< 0.14-7.el6_4.3spice-gtk-tools-0.14-7.el6_4.3.i686.rpm
CentOS6i686spice-glib< 0.14-7.el6_4.3spice-glib-0.14-7.el6_4.3.i686.rpm
CentOS6x86_64spice-glib< 0.14-7.el6_4.3spice-glib-0.14-7.el6_4.3.x86_64.rpm
CentOS6i686spice-glib-devel< 0.14-7.el6_4.3spice-glib-devel-0.14-7.el6_4.3.i686.rpm
CentOS6x86_64spice-glib-devel< 0.14-7.el6_4.3spice-glib-devel-0.14-7.el6_4.3.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
CentOS	6	i686	spice-glib	< 0.14-7.el6_4.3	spice-glib-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-glib-devel	< 0.14-7.el6_4.3	spice-glib-devel-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-gtk	< 0.14-7.el6_4.3	spice-gtk-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-gtk-devel	< 0.14-7.el6_4.3	spice-gtk-devel-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-gtk-python	< 0.14-7.el6_4.3	spice-gtk-python-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-gtk-tools	< 0.14-7.el6_4.3	spice-gtk-tools-0.14-7.el6_4.3.i686.rpm
CentOS	6	i686	spice-glib	< 0.14-7.el6_4.3	spice-glib-0.14-7.el6_4.3.i686.rpm
CentOS	6	x86_64	spice-glib	< 0.14-7.el6_4.3	spice-glib-0.14-7.el6_4.3.x86_64.rpm
CentOS	6	i686	spice-glib-devel	< 0.14-7.el6_4.3	spice-glib-devel-0.14-7.el6_4.3.i686.rpm
CentOS	6	x86_64	spice-glib-devel	< 0.14-7.el6_4.3	spice-glib-devel-0.14-7.el6_4.3.x86_64.rpm