From: https://bugzilla.redhat.com/show_bug.cgi?id=585394

The [Red Hat] desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.

I have a patch for dbus-glib (attached). However, due to the nature of the way dbus-glib works where at build time services generate a C data structure from XML and embed it into their binary, affected services will need to be rebuilt (though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
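The audit described in the report above (which properties a service declares read-only, and whether a Properties.Set on them should be refused) can be done offline from a service's introspection XML. The helper below is an added example, not code from the bug report or from dbus-glib; the embedded XML, its interface name org.example.Device and its property names are constructed, modelled on the Ip4Address case mentioned in the report.

```python
"""Audit D-Bus introspection XML for property access declarations.

Background: dbus-glib ignored access="read" on exported properties, so a
Properties.Set on a read-only property was honoured. This helper lists each
declared property with its access mode and models the decision a correct
Properties.Set handler must make before changing anything.
"""
import xml.etree.ElementTree as ET

# Constructed sample introspection document (placeholder names, not a real
# service's XML). "Ip4Address" mirrors the read-only property from the report.
SAMPLE_INTROSPECTION = """<node>
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Managed" type="b" access="readwrite"/>
    <property name="Secret" type="s" access="write"/>
  </interface>
  <interface name="org.freedesktop.DBus.Properties">
    <method name="Set">
      <arg name="interface" type="s" direction="in"/>
      <arg name="name" type="s" direction="in"/>
      <arg name="value" type="v" direction="in"/>
    </method>
  </interface>
</node>
"""

VALID_ACCESS = {"read", "write", "readwrite"}


def property_access(xml_text):
    """Return {(interface, property): access} for every declared property.
    A missing or unknown access attribute is reported as 'invalid' so it
    shows up in an audit instead of silently defaulting to something."""
    root = ET.fromstring(xml_text)
    result = {}
    for iface in root.iter("interface"):
        for prop in iface.findall("property"):
            access = prop.get("access", "")
            result[(iface.get("name"), prop.get("name"))] = (
                access if access in VALID_ACCESS else "invalid")
    return result


def set_allowed(access_map, interface, name):
    """Permit a Set only for a known property declared writable; read-only
    and unknown properties are refused (the check the flawed code skipped)."""
    return access_map.get((interface, name)) in ("write", "readwrite")


def writable_properties(access_map):
    """Properties a remote caller may legitimately change, for review."""
    return sorted(k for k, v in access_map.items() if v in ("write", "readwrite"))
```

Feeding the output of a service's Introspect call into property_access and reviewing writable_properties gives the per-service list the report's author built by hand.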
CVE-2010-1172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1172): DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
=dev-libs/dbus-glib-0.88 contains the fix for this issue and is now in the tree. Bug 343323 seems relevant however... steev and cardoe, are we ok to stabilize =dev-libs/dbus-glib-0.88?
(In reply to comment #2)
> =dev-libs/dbus-glib-0.88 contains the fix for this issue and is now in the
> tree. Bug 343323 seems relevant however...
>
> steev and cardoe, are we ok to stabilize =dev-libs/dbus-glib-0.88?
>

=dev-libs/dbus-glib-0.88 stabilization is taking place in bug 348766.
Stabilization completed in bug 348766. GLSA Vote: No.
Vote: no, closing noglsa.