Unrated severityNVD Advisory· Published Sep 18, 2012· Updated Apr 29, 2026

CVE-2012-4425

Description

libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.

Affected products

Gtk/Libgio
cpe:2.3:a:gtk:libgio:-:*:*:*:*:*:*:*
Freedesktop/Spice Gtk
cpe:2.3:a:freedesktop:spice-gtk:-:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

permalink.gmane.org/gmane.linux.redhat.fedora.extras.cvs/853051nvdPatch
www.exploit-db.com/exploits/21323nvdExploit
www.spinics.net/lists/spice-devel/msg01940.htmlnvdExploit
rhn.redhat.com/errata/RHSA-2012-1284.htmlnvd
www.openwall.com/lists/oss-security/2012/09/12/6nvd
www.openwall.com/lists/oss-security/2012/09/14/2nvd
www.openwall.com/lists/oss-security/2012/09/17/2nvd
www.securityfocus.com/bid/55555nvd
bugzilla.redhat.com/show_bug.cginvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000