CVE-2012-2737

Name of the Vulnerable Software and Affected Versions AccountsService versions prior to 0.6.22

Description The issue is related to the user change icon file authorized cb function in /usr/libexec/accounts-daemon, which does not properly check the UID when copying an icon file to the system cache directory. This allows local users to read arbitrary files via a race condition.

Recommendations For versions prior to 0.6.22, update to version 0.6.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the user change icon file authorized cb function until a patch is available.