From Red Hat bugzilla entry at URL: Florian Weimer found a local file disclosure flaw in accountsservice, an account management system using D-Bus for querying and manipulating user accounts. The implementation of the SetIconFile method of the org.freedesktop.Accounts.User D-Bus interface can disclose arbitrary files due to a race condition in user_change_icon_file_authorized_cb() in /usr/libexec/accounts-daemon. When this function calls get_caller_uid(), it uses PolicyKit to obtain the UID of the requesting process from /proc. At the time the UID is fetched, it may not match the original UID making the D-Bus request if the process has executed an SUID binary. The vulnerability is present in the latest stable version in Gentoo (accountsservice-0.6.15). It is fixed in >=sys-apps/accountsservice-0.6.22. =sys-apps/accountsservice-0.6.22 should be stabilized.
Thanks. Arches, please test and mark stable: =sys-apps/accountsservice-0.6.22 Target KEYWORDS: "amd64 arm x86"
x86 stable
amd64 stable
arm stable, all arches done.
Thanks, everyone. GLSA vote: no.
Thanks, folks. GLSA vote: no too. Closing noglsa.