Bug 33239

Summary: gnome-remote-desktop new security issue CVE-2024-5148
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: GNOME maintainers <gnome>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: gnome-remote-desktop-46.0-1.mga10.src.rpm CVE: CVE-2024-5148
Status comment: Bugfixes in release 46.2

Description Nicolas Salguero 2024-05-24 16:57:15 CEST 
That CVE was announced here:
https://www.openwall.com/lists/oss-security/2024/05/24/1

It only affects version 46 so only Cauldron is affected.
Nicolas Salguero 2024-05-24 16:57:30 CEST

CVE: (none) => CVE-2024-5148
Source RPM: (none) => gnome-remote-desktop-46.0-1.mga10.src.rpm

Comment 1 Lewis Smith 2024-05-24 20:42:56 CEST 
From the CVE, which is excellent and worth a read:

"A) Unauthenticated Handover D-Bus Interface (CVE-2024-5148)
===========================================================
Only the "org.gnome.RemoteDesktop.Rdp.Server" D-Bus interface is
protected by Polkit. `auth_admin` authorization is required on this
interface for all methods. The other two interfaces "Dispatcher" and
"Handover" are not authorized and are accessible to all local users in
the system. This leads to a number of local security issues described in
the following subsections.
 Local Private Key Leak
 System Credentials Leak
 The Socket Connection can be Obtained via TakeClient()
The bugfix is available starting from version 46.2 and is found in commit 9fbaae1a [4]

B) `find_cr_lf()` Suffers from a one Byte Overread
==================================================
The bugfix is found starting in release 46.2 in commit 663ad63172 [5].

Assignee: bugsquad => gnome
Status comment: (none) => Bugfixes in release 46.2

Comment 2 David GEIGER 2024-06-02 10:11:48 CEST 
Fixed!

CC: (none) => geiger.david68210
Status: NEW => RESOLVED
Resolution: (none) => FIXED