dbus-glib 0.100.1 was released on February 15 to fix a security issue:
http://cgit.freedesktop.org/dbus/dbus-glib/commit/?id=166978a09cf5edff4028e670b6074215a4c75eca

Updated package uploaded for Cauldron.
Patched package uploaded for Mageia 2.
Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated dbus-glib packages fix security vulnerability:

A privilege escalation flaw was found in the way dbus-glib, the D-Bus add-on library to integrate the standard D-Bus library with the GLib thread abstraction and main loop, performed filtering of the message sender (message source subject), when the NameOwnerChanged signal was received. A local attacker could use this flaw to escalate their privileges (CVE-2013-0292).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0292
https://bugzilla.redhat.com/show_bug.cgi?id=911658
========================

Updated packages in core/updates_testing:
========================
libdbus-glib1_2-0.96-1.1.mga2
libdbus-glib-0.96-1.1.mga2

from dbus-glib-0.96-1.1.mga2.src.rpm
Testing complete mga2 32

No PoC

Just checking for regressions in gtk apps that require it such as firefox

# urpmq --whatrequires libdbus-glib1_2

Shows a list

List of files in the lib package..

# urpmf libdbus-glib1_2
libdbus-glib1_2:/usr/lib/libdbus-glib-1.so.2
libdbus-glib1_2:/usr/lib/libdbus-glib-1.so.2.2.1

$ strace -e open firefox 2>&1 | grep libdbus-glib-1.so.2
open("/usr/lib/libdbus-glib-1.so.2", O_RDONLY) = 4

Showing firefox loading the library
Whiteboard: (none) => has_procedure mga2-32-ok
Testing complete on Mageia 2 x86_64.

Could someone from the sysadmin team push the srpm
dbus-glib-0.96-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory:

Updated dbus-glib packages fix security vulnerability:

A privilege escalation flaw was found in the way dbus-glib, the D-Bus add-on library to integrate the standard D-Bus library with the GLib thread abstraction and main loop, performed filtering of the message sender (message source subject), when the NameOwnerChanged signal was received. A local attacker could use this flaw to escalate their privileges (CVE-2013-0292).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0292
https://bugzilla.redhat.com/show_bug.cgi?id=911658
https://bugs.mageia.org/show_bug.cgi?id=9087
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok MGA2-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0057
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED