Fluid Attacks Database

Description

The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	accountsservice	>=0 <0.6.21-6	0.6.21-6
debian 13	accountsservice	>=0 <0.6.21-6	0.6.21-6
debian 14	accountsservice	>=0 <0.6.21-6	0.6.21-6
debian 12	accountsservice	>=0 <0.6.21-6	0.6.21-6

Aliases

1. CVE-2012-27372. NVD-2012-27373. OSV-DEBIAN-2012-27374. OSV-2012-27375. SECURITY-TRACKER-CVE-2012-2737

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.