CVE-2013-4324

Description

spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

How to fix CVE-2013-4324

To remediate CVE-2013-4324, upgrade the affected package to a fixed version below.

• Debian/spice-gtk—upgrade to 0.21-0nocelt1 or later

Is CVE-2013-4324 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.21-0nocelt1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-4324