Description Sam James 2024-05-07 18:51:22 UTC

"""
A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397:

    gdbusconnection: Don’t deliver signals if the sender doesn’t match (!4038) 11 (changes on main)
    Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-80 (!4039) 2 (trivial backport to glib-2-80)
    Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-78 (!4040) (non-trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer:

    screencast: Correct expected bus name for streams 4 (changes on main)
    Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Distributors are advised to cherry-pick these changes into their GLib packages ASAP.

Per GLib’s support policy, the fixes have not been backported to glib-2-76 or earlier.
"""