Vulnerability Details : CVE-2012-4425
libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.
Vulnerability category: Execute code
Products affected by CVE-2012-4425
- cpe:2.3:a:gtk:libgio:-:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:spice-gtk:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4425
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-4425
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.9
|
MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
3.4
|
10.0
|
NIST |
CWE ids for CVE-2012-4425
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4425
-
https://bugzilla.redhat.com/show_bug.cgi?id=857283
857283 – (CVE-2012-4425) CVE-2012-4425 spice-gtk/glib: Possible privilege escalation via un-sanitized environment variable
-
http://permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853051
Patch
-
http://www.openwall.com/lists/oss-security/2012/09/12/6
oss-security - libdbus CVE-2012-3524 fix
-
http://www.openwall.com/lists/oss-security/2012/09/17/2
oss-security - Re: libdbus CVE-2012-3524 fix
-
http://www.exploit-db.com/exploits/21323
libdbus - 'DBUS_SYSTEM_BUS_ADDRESS' Local Privilege Escalation - Linux local ExploitExploit
-
http://rhn.redhat.com/errata/RHSA-2012-1284.html
RHSA-2012:1284 - Security Advisory - Red Hat Customer Portal
-
http://www.openwall.com/lists/oss-security/2012/09/14/2
oss-security - Re: libdbus CVE-2012-3524 fix
-
http://www.spinics.net/lists/spice-devel/msg01940.html
[spice-gtk] usb-acl-helper: Clear environment — Spice DevelopmentExploit
-
http://www.securityfocus.com/bid/55555
libgio CVE-2012-4425 Privilege Escalation Vulnerability
Jump to