CVE-2013-4324

Name of the Vulnerable Software and Affected Versions spice-gtk versions 0.14 spice-gtk-python versions 0.14 spice-glib versions 0.14 spice-glib-devel versions 0.14 spice-gtk-devel versions 0.14 spice-gtk-debuginfo versions 0.14 spice-gtk-tools versions 0.14

Description The issue allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process. This can lead to a violation of confidentiality, integrity, and availability of protected information. The polkit unix process new API function is used insecurely, contributing to the vulnerability.

Recommendations For spice-gtk version 0.14, consider disabling the polkit unix process new function until a patch is available. For spice-gtk-python version 0.14, restrict access to the polkit unix process new function to minimize the risk of exploitation. For spice-glib version 0.14, avoid using the polkit unix process new function in sensitive operations until the issue is resolved. For spice-glib-devel version 0.14, consider applying configuration changes to limit the impact of the vulnerability. For spice-gtk-devel version 0.14, restrict access to the vulnerable module to minimize the risk of exploitation. For spice-gtk-debuginfo version 0.14, consider disabling the polkit unix process new function until a patch is available. For spice-gtk-tools version 0.14, avoid using the polkit unix process new function in sensitive operations until the issue is resolved.