<net-misc/spice-0.21: use of insecure polkit libgobject-1 API (CVE-2013-4324)
Target keywords: amd64 x86. Please stabilize, arch teams.
amd64 stable
x86 stable
Added to the polkit GLSA.
CVE-2013-4324 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4324): spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.
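An added example, not part of this bug thread or of spice-gtk: a small Python audit script that lists call sites of `polkit_unix_process_new`, the PID-only API named in the CVE description above, in C source. The helper names `blank_non_code` and `find_racy_calls` and the sample source are constructed for illustration.

```python
import re

# Racy call named in the CVE text. The identifier guards keep longer names such as
# polkit_unix_process_new_full / polkit_unix_process_new_for_owner from matching.
RACY_CALL = re.compile(
    r"(?<![A-Za-z0-9_])polkit_unix_process_new(?![A-Za-z0-9_])\s*\("
)

# C comments and string/char literals, blanked so mentions inside them are not reported.
NON_CODE = re.compile(
    r"/\*.*?\*/|//[^\n]*|\"(?:\\.|[^\"\\\n])*\"|'(?:\\.|[^'\\\n])*'",
    re.DOTALL,
)

def blank_non_code(src):
    """Replace comments and literals with spaces, keeping newlines so offsets hold."""
    return NON_CODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def find_racy_calls(src):
    """Return [(line_number, source_line)] for each polkit_unix_process_new( call."""
    code = blank_non_code(src)
    lines = src.splitlines()
    hits = []
    for m in RACY_CALL.finditer(code):
        lineno = code.count("\n", 0, m.start()) + 1
        hits.append((lineno, lines[lineno - 1].strip()))
    return hits

# Constructed sample input (not taken from spice-gtk or any real project).
SAMPLE = '''\
/* old code used polkit_unix_process_new(pid) here */
static void check(GDBusMethodInvocation *inv, gint pid)
{
    PolkitSubject *a = polkit_unix_process_new (pid);
    // polkit_unix_process_new(pid) in a comment is ignored
    PolkitSubject *b = polkit_unix_process_new_for_owner(pid, 0, uid);
    PolkitSubject *c = polkit_system_bus_name_new(
        g_dbus_method_invocation_get_sender(inv));
    g_debug("polkit_unix_process_new(%d)", pid);
    PolkitSubject *d =
        polkit_unix_process_new(pid);
}
'''

if __name__ == "__main__":
    for lineno, text in find_racy_calls(SAMPLE):
        print(f"line {lineno}: {text}")
```

Each reported line is a place where the subject is identified by PID alone and needs review against the fixed package version.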
This issue was resolved and addressed in GLSA 201406-27 at http://security.gentoo.org/glsa/glsa-201406-27.xml by GLSA coordinator Chris Reffett (creffett).