spice security update

CentOS Errata and Security Advisory CESA-2012:1284

The spice-gtk packages provide a GIMP Toolkit (GTK+) widget for SPICE
(Simple Protocol for Independent Computing Environments) clients. Both
Virtual Machine Manager and Virtual Machine Viewer can make use of this
widget to access virtual machines using the SPICE protocol.

It was discovered that the spice-gtk setuid helper application,
spice-client-glib-usb-acl-helper, did not clear the environment variables
read by the libraries it uses. A local attacker could possibly use this
flaw to escalate their privileges by setting specific environment variables
before running the helper application. (CVE-2012-4425)

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for
reporting this issue.

All users of spice-gtk are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2012-September/081048.html

Affected packages:
spice-glib
spice-glib-devel
spice-gtk
spice-gtk-devel
spice-gtk-python
spice-gtk-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2012:1284