Bug 9087 - dbus-glib new security issue CVE-2013-0292
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: has_procedure mga2-32-ok MGA2-64-OK
: validated_update
Reported: 2013-02-16 18:23 CET by David Walser
Modified: 2013-02-17 01:59 CET (History)

Source RPM: dbus-glib-0.96-1.mga2.src.rpm

Description David Walser 2013-02-16 18:23:30 CET
dbus-glib 0.100.1 was released on February 15 to fix a security issue:
http://cgit.freedesktop.org/dbus/dbus-glib/commit/?id=166978a09cf5edff4028e670b6074215a4c75eca

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 2.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated dbus-glib packages fix security vulnerability:

A privilege escalation flaw was found in the way dbus-glib, the D-Bus add-on
library to integrate the standard D-Bus library with the GLib thread
abstraction and main loop, performed filtering of the message sender (message
source subject), when the NameOwnerChanged signal was received. A local
attacker could use this flaw to escalate their privileges (CVE-2013-0292).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0292
https://bugzilla.redhat.com/show_bug.cgi?id=911658
========================

Updated packages in core/updates_testing:
========================
libdbus-glib1_2-0.96-1.1.mga2
libdbus-glib-0.96-1.1.mga2

from dbus-glib-0.96-1.1.mga2.src.rpm

Comment 1 claire robinson 2013-02-16 23:21:45 CET
Testing complete mga2 32

No PoC

Just checking for regressions in gtk apps that require it such as firefox

# urpmq --whatrequires libdbus-glib1_2

Shows a list

List of files in the lib package:
# urpmf libdbus-glib1_2
libdbus-glib1_2:/usr/lib/libdbus-glib-1.so.2
libdbus-glib1_2:/usr/lib/libdbus-glib-1.so.2.2.1


$ strace -e open firefox 2>&1 | grep libdbus-glib-1.so.2
open("/usr/lib/libdbus-glib-1.so.2", O_RDONLY) = 4

Showing firefox loading the library
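
An added example, not part of the comment above or of Mageia's QA procedure: the strace check confirms that one program loads the library, and this script extends it to every running process, flagging those that still map a copy replaced by the update (they keep running the old code until restarted). The function names and the sample /proc data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Finds processes that map
# libdbus-glib-1.so.2 and flags those still using a replaced copy.
LIB='libdbus-glib-1.so.2'

# classify_maps FILE: FILE is in /proc/<pid>/maps format. Prints
#   stale    the library is mapped from a file since deleted or replaced
#   current  the library is mapped from a file still on disk
#   none     the library is not mapped
classify_maps() {
    awk -v lib="$LIB" '
        index($0, lib) { found = 1; if ($NF == "(deleted)") stale = 1 }
        END { print (stale ? "stale" : (found ? "current" : "none")) }
    ' "$1"
}

# scan_procs [ROOT]: print "PID STATE COMMAND" for each process under ROOT
# (default /proc) that maps the library. Run as root to see every process.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        state=$(classify_maps "$maps" 2>/dev/null) || continue
        case $state in current|stale) ;; *) continue ;; esac
        dir=${maps%/maps}
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        printf '%s %s %s\n' "${dir##*/}" "$state" "$comm"
    done
}

# make_sample_root DIR: constructed sample data standing in for /proc.
make_sample_root() {
    mkdir -p "$1/100" "$1/200" "$1/300"
    echo firefox > "$1/100/comm"
    echo '7f10a000-7f10c000 r-xp 00000000 08:01 1311 /usr/lib/libdbus-glib-1.so.2.2.1 (deleted)' > "$1/100/maps"
    echo gedit > "$1/200/comm"
    echo '7f20a000-7f20c000 r-xp 00000000 08:01 1422 /usr/lib/libdbus-glib-1.so.2.2.1' > "$1/200/maps"
    echo bash > "$1/300/comm"
    echo '7f30a000-7f30c000 r-xp 00000000 08:01 0907 /lib/libc-2.14.1.so' > "$1/300/maps"
}

if [ "${1:-}" = "--scan" ]; then scan_procs; fi
```

Run it with `--scan` after installing the update; any process reported as `stale` needs a restart before it picks up the fixed library.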

Comment 2 Dave Hodgins 2013-02-17 00:08:21 CET
Testing complete on Mageia 2 x86_64.

Could someone from the sysadmin team push the srpm
dbus-glib-0.96-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated dbus-glib packages fix security vulnerability:

A privilege escalation flaw was found in the way dbus-glib, the D-Bus add-on
library to integrate the standard D-Bus library with the GLib thread
abstraction and main loop, performed filtering of the message sender (message
source subject), when the NameOwnerChanged signal was received. A local
attacker could use this flaw to escalate their privileges (CVE-2013-0292).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0292
https://bugzilla.redhat.com/show_bug.cgi?id=911658

https://bugs.mageia.org/show_bug.cgi?id=9087

Comment 3 Thomas Backlund 2013-02-17 01:59:34 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0057