Bug 457792 (CVE-2013-0292) - <dev-libs/dbus-glib-0.100.2 : authentication bypass due to insufficient checks (CVE-2013-0292)
Summary: <dev-libs/dbus-glib-0.100.2 : authentication bypass due to insufficient check...
Status: RESOLVED FIXED
Alias: CVE-2013-0292
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ?? [noglsa]
Keywords:
Duplicates: 458144
Depends on:
Blocks:
 
Reported: 2013-02-16 07:44 UTC by Agostino Sarubbo
Modified: 2013-08-22 10:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2013-02-16 07:44:33 UTC
From ${URL} :

Sebastian Krahmer discovered and published an authentication bypass
vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is
possible that other users of dbus-glib can be exploited in the same
way. CVE-2013-0292 has been allocated for this vulnerability.

This vulnerability is fixed in dbus-glib version 0.100.1 by git commit
166978a. All users of dbus-glib should upgrade.

<http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz>
<http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz.asc>
<http://cgit.freedesktop.org/dbus/dbus-glib/commit/?id=166978a09cf5edff4028e670b6074215a4c75eca>

The D-Bus maintainers consider use of dbus-glib to be deprecated. We
encourage GLib application and library authors to switch to GDBus, which
has been part of GLib since 2.26.
Comment 1 Agostino Sarubbo gentoo-dev 2013-02-18 17:57:48 UTC
*** Bug 458144 has been marked as a duplicate of this bug. ***
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-02-19 00:50:28 UTC
Thanks, fixed by dbus-glib-0.100.1, which now needs to be stabilized everywhere.

+*dbus-glib-0.100.1 (19 Feb 2013)
+
+  19 Feb 2013; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +dbus-glib-0.100.1.ebuild:
+  Bump, fixes authentication bypass (CVE-2013-0292, bug #457792).
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2013-02-26 19:35:25 UTC
Test and mark stable:

=dev-libs/dbus-glib-0.100.2
Comment 4 Agostino Sarubbo gentoo-dev 2013-02-27 13:38:18 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-27 13:45:32 UTC
x86 stable
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2013-02-27 13:49:22 UTC
(In reply to comment #4)
> amd64 stable

(In reply to comment #5)
> x86 stable

You got the wrong version, read Comment #3. Version .1 is buggy so we jump to .2.
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-27 15:11:28 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > amd64 stable
> 
> (In reply to comment #5)
> > x86 stable
> 
> You got the wrong version, read Comment #3. Version .1 is buggy so we jump to .2.

my bad, will be fixed asap.
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-27 15:12:24 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-02-27 15:12:41 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-28 10:08:38 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-28 10:11:52 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-28 13:45:27 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-01 11:07:21 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-01 11:08:58 UTC
arm stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-01 11:16:53 UTC
alpha stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-03-01 11:54:26 UTC
s390 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-03-03 16:12:38 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-03-05 09:12:21 UTC
sh stable
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-03-06 23:48:46 UTC
CVE-2013-0292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0292):
  The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before
  0.100.1 does not properly verify the sender of NameOwnerChanged signals,
  which allows local users to gain privileges via a spoofed signal.
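The missing check described in comment 19, as an added Python model (this is not dbus-glib's code): a proxy manager that updates its idea of who owns a well-known name from NameOwnerChanged signals, with and without verifying that the signal's sender is the bus daemon. The Signal class, the service name com.example.Service and the unique names are constructed for the example.

```python
import dataclasses

BUS_DAEMON = "org.freedesktop.DBus"      # the message bus itself, the only legitimate sender
BUS_INTERFACE = "org.freedesktop.DBus"
BUS_PATH = "/org/freedesktop/DBus"


@dataclasses.dataclass(frozen=True)
class Signal:
    """Minimal stand-in for a D-Bus signal message (constructed, not libdbus)."""
    sender: str
    path: str
    interface: str
    member: str
    args: tuple


def name_owner_changed(sender, name, old_owner, new_owner):
    """Build a NameOwnerChanged signal as it would arrive from `sender`."""
    return Signal(sender, BUS_PATH, BUS_INTERFACE, "NameOwnerChanged",
                  (name, old_owner, new_owner))


class ProxyManager:
    """Tracks the unique bus name that owns each well-known name a proxy uses."""

    def __init__(self, owners, verify_sender):
        self.owners = dict(owners)
        self.verify_sender = verify_sender

    def filter(self, msg):
        """Return True if the message updated the owner table."""
        if (msg.interface, msg.member, msg.path) != (BUS_INTERFACE, "NameOwnerChanged", BUS_PATH):
            return False
        # CVE-2013-0292: without this check any local bus client can claim that a
        # name changed hands. Only the bus daemon is allowed to announce that.
        if self.verify_sender and msg.sender != BUS_DAEMON:
            return False
        name, old_owner, new_owner = msg.args
        if name not in self.owners or self.owners[name] != old_owner:
            return False          # not a name we track, or a stale transition
        self.owners[name] = new_owner
        return True


def owner_after_spoof(verify_sender):
    """Who the proxy believes owns the service after a spoofed signal from ':1.99'."""
    service, real, attacker = "com.example.Service", ":1.5", ":1.99"   # constructed values
    mgr = ProxyManager({service: real}, verify_sender)
    mgr.filter(name_owner_changed(attacker, service, real, attacker))
    return mgr.owners[service]
```

With the sender check the spoofed signal is ignored and the proxy keeps talking to ":1.5"; without it the proxy now treats ":1.99" as the service.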
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:40:02 UTC
Ready for vote. I vote NO, due to deprecation.
Comment 21 Samuli Suominen (RETIRED) gentoo-dev 2013-06-18 12:53:56 UTC
m68k: continued in bug 473190
Comment 22 Sergey Popov gentoo-dev 2013-08-22 10:53:41 UTC
GLSA vote: no

Closing as noglsa