Sebastian Krahmer reported a security issue was found in polkit (CVE-2013-4288 bz 1002375). It was found that spice-gtk was vulnerable to this issue as well, since it communicated to polkit authority using the unsafe polkit_unix_process_new() interface. Consequently polkit has now deprecated the use of polkit_unix_process_new() and spice-gtk has been patched to use the safer (already existing) polkit_unix_process_new_for_owner() interface. This issue has been assigned CVE-2013-4324.
Created attachment 796257 [details] spice-gtk patch
This is now public: http://www.openwall.com/lists/oss-security/2013/09/18/4
Created spice-gtk tracking bugs for this issue: Affects: fedora-all [bug 1009540]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1273 https://rhn.redhat.com/errata/RHSA-2013-1273.html
spice-gtk-0.20-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.