CVE-2012-4425 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4425): libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself. Looks like a patch may be available at: http://permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853051
From a rough look, the issue appears to exist before the 0.14 release. Not sure how long it has existed before that.
GLSA vote: yes.
Vote: yes. GLSA request filed.
This issue was resolved and addressed in GLSA 201406-29 at http://security.gentoo.org/glsa/glsa-201406-29.xml by GLSA coordinator Chris Reffett (creffett).
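The CVE description at the top of this report notes that the flaw can be attributed to privileged programs that do not cleanse their environment. The following C sketch is an added example, not code from spice-gtk, GLib or the referenced patch: it shows a setuid helper removing bus-related variables before any library code runs. The function names and the choice to strip every `DBUS_*` and `GIO_*` variable (rather than only `DBUS_SYSTEM_BUS_ADDRESS`) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/auxv.h>

extern char **environ;

/* Assumption: besides DBUS_SYSTEM_BUS_ADDRESS (named in the CVE), treat every
 * DBUS_* and GIO_* variable as caller-controlled input. */
static const char *const untrusted_prefixes[] = { "DBUS_", "GIO_", NULL };

/* True when the process runs with more privilege than its invoker:
 * setuid/setgid, or AT_SECURE set by the kernel (e.g. file capabilities). */
int is_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid() ||
           getauxval(AT_SECURE) != 0;
}

static int has_untrusted_prefix(const char *entry) {
    for (int i = 0; untrusted_prefixes[i]; i++)
        if (strncmp(entry, untrusted_prefixes[i], strlen(untrusted_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Remove matching variables. Returns the number of names removed, or -1 on
 * failure so the caller can refuse to continue (fail closed). */
int scrub_untrusted_env(void) {
    int removed = 0;
    for (char **e = environ; e && *e; ) {
        if (!has_untrusted_prefix(*e)) { e++; continue; }
        size_t n = strcspn(*e, "=");
        if ((*e)[n] != '=') return -1;   /* malformed entry, unsetenv can't drop it */
        char *name = strndup(*e, n);
        if (!name || unsetenv(name) != 0) { free(name); return -1; }
        free(name);
        removed++;
        e = environ;                     /* unsetenv() shifted the array: rescan */
    }
    return removed;
}

/* Call first thing in main(), before any library initialisation. */
int harden_env(int privileged) { return privileged ? scrub_untrusted_env() : 0; }

int main(void) {
    if (harden_env(is_privileged()) < 0) return 1;  /* could not sanitise */
    /* Only past this point would the program call into GIO / D-Bus code. */
    return 0;
}
```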