CVE-2012-3524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3524): libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."
Who sets the whiteboard as [ebuild]? what is for you the fixed version? Upstream has not yes fixed this issue.
dbus-1.6.4 has the patch for this CVE and is for stabilization (as in, -r0 is for stabilization) dbus-1.6.4-r1 has the patch for this CVE but is for ~arch because of it's systemd dependency (repoman issues) futhermore if you dig up the Fedora bug for this issue, they disagree it's even a dbus bug and a problem with apps like 'spice' anyway, nothing for freedesktop-bugs@ to do here, happy hunting security@ for those buggy setuid apps down (like spice)
i'm dropping the patch from next dbus version since it will never land upstream, so you have until then to deal with the buggy apps (like spice :-)
I would just point out that upstream has rejected that patch.
(In reply to comment #4) > I would just point out that upstream has rejected that patch. that's why I said in Comment #3 this is only temporary until the setuid reverse dependencies have been fixed...
1.6.8 in Portage with... http://cgit.freedesktop.org/dbus/dbus/commit/?id=23fe78ceefb6cefcd58a49c77d1154b68478c8d2 The another part of the fix is in dev-libs/glib-2.34.0 here: http://git.gnome.org/browse/glib/commit/?id=d6cbb29f598d677d5fc1c974cba6d9f646cff491 CCing gnome@ for above ^^ to get it backported into 2.32 series and for stabilization.
This is the patch for glib-2.32... but I don't have time to apply and commit it, Samuli, if you have time now for that feel free to commit: http://git.gnome.org/browse/glib/commit/?h=glib-2-32&id=4c2928a54482913cf236bff0e66650a8f47e17ea
Patch imported to =dev-libs/glib-2.32.4-r1. Please test and stabilize: =sys-apps/dbus-1.6.8 =dev-libs/glib-2.32.4-r1 =dev-util/gdbus-codegen-2.32.4 (from bug
(In reply to comment #8) > Patch imported to =dev-libs/glib-2.32.4-r1. > > Please test and stabilize: > > =sys-apps/dbus-1.6.8 > =dev-libs/glib-2.32.4-r1 =dev-util/gdbus-codegen-2.32.4 (from bug 427544) and new dbus-glib and dbus-python from bug 416725
Stable for HPPA.
x86 stable (systemd code rolled to -r1)
amd64 stable
Is there a reason that the 1.6.8 ebuild has systemd support missing while 1.6.2 and 1,6,8-r1 have the use flag set up for it? I'd rather not have to unmask the -r1 just for systemd support on amd64 since 1.6.2 was already stable with it.
arm stable
stable ppc ppc64
alpha stable
ia64/m68k/s390/sh/sparc stable
Thanks, everyone. Filing a new GLSA request.
This issue was resolved and addressed in GLSA 201406-01 at http://security.gentoo.org/glsa/glsa-201406-01.xml by GLSA coordinator Chris Reffett (creffett).