It was discovered that the spice-gtk setuid helper application, spice-client-glib-usb-acl-helper, did not clear the environment variables read by the libraries it uses. A local attacker could possibly use this flaw to escalate their privileges by setting specific environment variables before running the helper application. This flaw is similar to CVE-2012-3524.
Created spice-gtk tracking bugs for this issue. Affects: fedora-all [bug 857228]
Acknowledgement: Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
Reference: http://seclists.org/oss-sec/2012/q3/470
Created glib2 tracking bugs for this issue. Affects: fedora-all [bug 857227]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2012:1284 https://rhn.redhat.com/errata/RHSA-2012-1284.html
Upstream patch: http://cgit.freedesktop.org/spice/spice-gtk/commit/?id=efbf867bb88845d5edf839550b54494b1bb752b9
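The report above describes a setuid helper that did not clear the environment read by its libraries. As an added example (not the upstream patch linked above and not spice-gtk code), this C sketch shows a setuid program scrubbing its inherited environment before any library initialisation; the allow-list, the fixed PATH value and the function names are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the only inherited variables this hypothetical helper needs. */
static const char *const keep[] = { "LANG", "LC_ALL", "TZ" };
#define NKEEP (sizeof keep / sizeof keep[0])

/* Keep a value only if it is short and cannot name a file or format string. */
static int value_is_safe(const char *v)
{
    return strlen(v) < 64 && strpbrk(v, "/%") == NULL;
}

/* Call first in main(), before any library initialisation.
 * Returns 0 on success, -1 on failure (the caller must then exit). */
int scrub_environment(void)
{
    char *saved[NKEEP] = { 0 };
    size_t i;
    int rc = -1;

    /* Copy allow-listed values: clearenv() invalidates getenv() pointers. */
    for (i = 0; i < NKEEP; i++) {
        const char *v = getenv(keep[i]);
        if (v && value_is_safe(v) && !(saved[i] = strdup(v)))
            goto out;
    }
    if (clearenv() != 0)                       /* drop everything inherited */
        goto out;
    if (setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin", 1) != 0)
        goto out;
    for (i = 0; i < NKEEP; i++)
        if (saved[i] && setenv(keep[i], saved[i], 1) != 0)
            goto out;
    rc = 0;
out:
    for (i = 0; i < NKEEP; i++)
        free(saved[i]);
    return rc;
}

int main(void)
{
    if (scrub_environment() != 0) {
        fputs("cannot sanitise environment, refusing to run\n", stderr);
        return EXIT_FAILURE;
    }
    /* ... privileged work starts only after this point ... */
    return EXIT_SUCCESS;
}
```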