Red Hat Bugzilla – Bug 1006669
CVE-2013-4324 spice-gtk: Insecure calling of polkit via polkit_unix_process_new()
Last modified: 2015-10-15 13:59:50 EDT
Sebastian Krahmer reported a security issue found in polkit (CVE-2013-4288, bz 1002375).
It was found that spice-gtk was vulnerable to this issue as well, since it communicated with the polkit authority using the unsafe polkit_unix_process_new() interface. Consequently, polkit has now deprecated the use of polkit_unix_process_new() and spice-gtk has been patched to use the safer (already existing) polkit_unix_process_new_for_owner() interface.
This issue has been assigned CVE-2013-4324.
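The difference between the two interfaces, as an added example that is not code from spice-gtk or polkit: polkit_unix_process_new() names the subject by PID alone and leaves the uid and start time to be looked up afterwards, while polkit_unix_process_new_for_owner(pid, start_time, uid) takes values the caller has already fixed. The code models that triple without linking libpolkit; `struct subject`, `read_start_time`, `subject_pin` and `subject_same_process` are hypothetical names, and Linux `/proc` is assumed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for the (pid, start_time, uid) triple; not a polkit type. */
struct subject {
    pid_t pid;
    unsigned long long start_time; /* field 22 of /proc/<pid>/stat, in clock ticks */
    uid_t uid;
};

/* Read the start time of pid from /proc (Linux). Returns 0 on success, -1 on error. */
int read_start_time(pid_t pid, unsigned long long *out)
{
    char path[64], buf[1024];
    snprintf(path, sizeof path, "/proc/%ld/stat", (long)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* comm (field 2) may contain spaces or ')', so resume after the last ')'. */
    char *p = strrchr(buf, ')');
    if (!p)
        return -1;
    char *tok = strtok(p + 1, " ");          /* field 3 (state) */
    for (int field = 3; tok && field < 22; field++)
        tok = strtok(NULL, " ");             /* advance to field 22 */
    return (tok && sscanf(tok, "%llu", out) == 1) ? 0 : -1;
}

/* Pin the identity now: the caller supplies a uid it already trusts
 * (assumption: e.g. getuid() in a setuid helper); nothing is looked up later. */
int subject_pin(pid_t pid, uid_t trusted_uid, struct subject *s)
{
    s->pid = pid;
    s->uid = trusted_uid;
    return read_start_time(pid, &s->start_time);
}

/* Non-zero only if the pid still names the process that was pinned. */
int subject_same_process(const struct subject *s)
{
    unsigned long long now;
    return read_start_time(s->pid, &now) == 0 && now == s->start_time;
}
```

A pinned subject whose start time no longer matches refers to a different process behind a reused PID, which is the ambiguity a PID-only subject cannot detect.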
Created attachment 796257
This is now public:
Created spice-gtk tracking bugs for this issue:
Affects: fedora-all [bug 1009540]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1273 https://rhn.redhat.com/errata/RHSA-2013-1273.html
spice-gtk-0.20-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.