libgio, when used in setuid or other privileged programs in spice-gtk and
possibly other products, allows local users to gain privileges and execute
arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE:
it could be argued that this is a vulnerability in the applications that do
not cleanse environment variables, not in libgio itself.
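
As an added illustration of the environment cleansing the NOTE above refers to (not part of this bug report, and not code from libgio or spice-gtk): a setuid helper can reduce its environment to an allowlist before any library reads DBUS_SYSTEM_BUS_ADDRESS. The allowlist contents and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
/* Assumed allowlist: the only variables this hypothetical helper needs. */
static const char *const KEEP[] = { "LANG", "TZ", NULL };

/* True when running with more privilege than the invoking user (setuid/setgid). */
int running_privileged(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

static int is_kept(const char *name, size_t len) {
    for (size_t i = 0; KEEP[i]; i++)
        if (strlen(KEEP[i]) == len && strncmp(KEEP[i], name, len) == 0)
            return 1;
    return 0;
}

/* Drop every variable not on the allowlist, DBUS_SYSTEM_BUS_ADDRESS included.
 * Returns the number removed, or -1 on a malformed entry (caller must abort). */
int scrub_environment(void) {
    int removed = 0;
    for (;;) {
        char name[256];
        char **e = environ;
        size_t len = 0;
        /* Rescan from the top each time: unsetenv() may rearrange environ. */
        for (; e && *e; e++) {
            len = strcspn(*e, "=");
            if (!is_kept(*e, len)) break;
        }
        if (!e || !*e) return removed;
        if (len == 0 || len >= sizeof name || (*e)[len] != '=') return -1;
        memcpy(name, *e, len);
        name[len] = '\0';
        if (unsetenv(name) != 0) return -1;
        removed++;
    }
}

int main(void) {
    /* Constructed sample value standing in for a caller-supplied address. */
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/nonexistent/constructed", 1);
    if (running_privileged() && scrub_environment() < 0) return 1;
    puts(getenv("DBUS_SYSTEM_BUS_ADDRESS") ? "still set" : "unset");
    return 0;
}
```

The scrub has to run at the very start of main(), before any library initialisation that might consult the environment.
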
Looks like a patch may be available at:
From a rough look, the issue appears to exist before the 0.14 release. Not sure how long it has existed before that.
GLSA vote: yes.
Vote: yes. GLSA request filed.
This issue was resolved and addressed in
GLSA 201406-29 at http://security.gentoo.org/glsa/glsa-201406-29.xml
by GLSA coordinator Chris Reffett (creffett).