Bug#689390: unblock: spice-gtk/0.12-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package spice-gtk. It fixes a root security hole via GDBus
(#689155), by correctly sanitizing the environment in a setuid helper
before doing anything non-trivial.
This is basically the same flaw as the one mitigated by #689070 in dbus,
but with GDBus instead of libdbus, and fixing it in the setuid program
rather than second-guessing it in the library.
unblock spice-gtk/0.12-5
-- System Information:
Debian Release: wheezy/sid
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diffstat for spice-gtk-0.12 spice-gtk-0.12
changelog | 6 ++
patches/clearenv-in-usb-acl-helper.patch | 64 +++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 71 insertions(+)
diff -Nru spice-gtk-0.12/debian/changelog spice-gtk-0.12/debian/changelog
--- spice-gtk-0.12/debian/changelog 2012-07-08 18:20:26.000000000 +0100
+++ spice-gtk-0.12/debian/changelog 2012-10-01 14:31:41.000000000 +0100
@@ -1,3 +1,9 @@
+spice-gtk (0.12-5) unstable; urgency=high
+
+ * Add patch clearenv-in-usb-acl-helper.patch (Closes: #689155)
+
+ -- Liang Guo <guoliang@debian.org> Mon, 01 Oct 2012 21:30:21 +0800
+
spice-gtk (0.12-4) unstable; urgency=low
* Correct version problem in *.pc (Closes: #680290)
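Review bot: The 0.12-5 changelog entry names only the patch file and the bug number, so nothing in the changelog says this is a security upload. The patch header added below identifies the issue as CVE-2012-4425 and the entry is urgency=high; I would put both facts in the entry itself, for example "Add patch clearenv-in-usb-acl-helper.patch: clear the environment in the setuid USB ACL helper, CVE-2012-4425 (Closes: #689155)", so the fix can be found from the changelog alone.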
diff -Nru spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch
--- spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 1970-01-01 01:00:00.000000000 +0100
+++ spice-gtk-0.12/debian/patches/clearenv-in-usb-acl-helper.patch 2012-10-01 14:29:38.000000000 +0100
@@ -0,0 +1,64 @@
+Author: Colin Walters <walters@verbum.org>
+Origin: upstream, commit:efbf867bb88845d5edf839550b54494b1bb752b9
+Date: Fri, 14 Sep 2012 09:21:28 +0000
+Subject: usb-acl-helper: Clear environment
+
+Otherwise we can be subject to attack via environment variables such
+as DBUS_SYSTEM_BUS_ADDRESS.
+This addresses CVE-2012-4425 http://seclists.org/oss-sec/2012/q3/470
+--- a/configure.ac
++++ b/configure.ac
+@@ -256,6 +256,8 @@
+ EXTERNAL_PNP_IDS="$with_pnp_ids_path"
+ fi
+
++AC_CHECK_FUNCS(clearenv)
++
+ PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
+ AC_SUBST(GLIB2_CFLAGS)
+ AC_SUBST(GLIB2_LIBS)
+--- a/gtk/spice-client-glib-usb-acl-helper.c
++++ b/gtk/spice-client-glib-usb-acl-helper.c
+@@ -158,7 +158,8 @@
+ if (state == STATE_WAITING_FOR_STDIN_EOF)
+ set_facl(path, getuid(), 0);
+
+- g_main_loop_quit(loop);
++ if (loop)
++ g_main_loop_quit(loop);
+ }
+
+ /* Not available in polkit < 0.101 */
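Review bot: The new "if (loop)" guard in front of g_main_loop_quit(loop) has no comment saying when loop can be NULL at this point. The only new early-exit path visible in this patch is the clearenv() failure branch in main(), which runs before "loop = g_main_loop_new(NULL, FALSE)"; if that is the case being covered, a one-line comment here saying the function can now be reached before the main loop exists would stop a later cleanup from removing the check as dead code.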
+@@ -311,11 +312,32 @@
+ }
+ #endif
+
++#ifndef HAVE_CLEARENV
++extern char **environ;
++
++static int
++clearenv (void)
++{
++ if (environ != NULL)
++ environ[0] = NULL;
++ return 0;
++}
++#endif
++
+ int main(void)
+ {
+ pid_t parent_pid;
+ GInputStream *stdin_unix_stream;
+
++ /* Nuke the environment to get a well-known and sanitized
++ * environment to avoid attacks via e.g. the DBUS_SYSTEM_BUS_ADDRESS
++ * environment variable and similar.
++ */
++ if (clearenv () != 0) {
++ FATAL_ERROR("Error clearing environment: %s\n", g_strerror (errno));
++ return 1;
++ }
++
+ g_type_init();
+
+ loop = g_main_loop_new(NULL, FALSE);
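Review bot: In the clearenv() failure branch at the top of main(), the message formats g_strerror (errno), but nothing in this hunk sets errno: the fallback clearenv() defined just above always returns 0 and never touches it, so when the branch is taken the text printed may describe an unrelated earlier error. I would drop errno from the message and report only that clearing the environment failed. Separately, the comment promises a "well-known and sanitized environment", while the code leaves the environment empty and nothing here sets any variable afterwards; saying "empty" in the comment makes it clear to later maintainers that code after this point cannot rely on PATH or any other variable being present. The placement itself, before g_type_init() and before any other library call, is what the fix needs and should stay the first statement in main().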
diff -Nru spice-gtk-0.12/debian/patches/series spice-gtk-0.12/debian/patches/series
--- spice-gtk-0.12/debian/patches/series 2012-06-28 18:15:40.000000000 +0100
+++ spice-gtk-0.12/debian/patches/series 2012-10-01 14:19:27.000000000 +0100
@@ -2,3 +2,4 @@
fix-parsing-uri-query.patch
fix-spice-audio-binding.patch
make-celt-to-be-optional.patch
+clearenv-in-usb-acl-helper.patch