MidnightBSD

Advisories for spice-gtk_project

CVE-2013-4324 MEDIUM

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264

Products Affected

Vendor Product Version
spice-gtk_project spice-gtk 0.14
redhat enterprise_linux 6.0

CVE-2016-3066 MEDIUM

The spice-gtk widget allows remote authenticated users to obtain information from the host clipboard.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor Product Version
spice-gtk_project spice-gtk 0.24
spice-gtk_project spice-gtk 0.22
spice-gtk_project spice-gtk 0.15.3
spice-gtk_project spice-gtk 0.16
spice-gtk_project spice-gtk 0.5
spice-gtk_project spice-gtk 0.28
spice-gtk_project spice-gtk 0.27
spice-gtk_project spice-gtk 0.32
spice-gtk_project spice-gtk 0.33
spice-gtk_project spice-gtk 0.29
spice-gtk_project spice-gtk 0.25
spice-gtk_project spice-gtk 0.26
spice-gtk_project spice-gtk 0.7
spice-gtk_project spice-gtk 0.31
spice-gtk_project spice-gtk 0.1.0
spice-gtk_project spice-gtk 0.12.101
spice-gtk_project spice-gtk 0.14
spice-gtk_project spice-gtk 0.23
spice-gtk_project spice-gtk 0.3
spice-gtk_project spice-gtk 0.8
spice-gtk_project spice-gtk 0.12
spice-gtk_project spice-gtk 0.18
spice-gtk_project spice-gtk 0.6
spice-gtk_project spice-gtk 0.2
spice-gtk_project spice-gtk 0.13.29
spice-gtk_project spice-gtk 0.15
spice-gtk_project spice-gtk 0.9
spice-gtk_project spice-gtk 0.21
spice-gtk_project spice-gtk 0.20
spice-gtk_project spice-gtk 0.4
spice-gtk_project spice-gtk 0.13
spice-gtk_project spice-gtk 0.30
spice-gtk_project spice-gtk 0.10
spice-gtk_project spice-gtk 0.11
spice-gtk_project spice-gtk 0.13.17
spice-gtk_project spice-gtk 0.19
spice-gtk_project spice-gtk 0.17

CVE-2017-12194 HIGH

A flaw was found in the way spice-client processed certain messages sent from the server. An attacker in control of a malicious spice-server could use this flaw to crash the client or execute arbitrary code with the permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-121, CWE-20

Products Affected

Vendor Product Version
spice-gtk_project spice-gtk *