libdbus 1.5.x and earlier, when used in setuid or other privileged programs
in X.org and possibly other products, allows local users to gain privileges
and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment
variable. NOTE: libdbus maintainers state that this is a vulnerability in
the applications that do not cleanse environment variables, not in libdbus
itself: "we do not support use of libdbus in setuid binaries that do not
sanitize their environment before their first call into libdbus."
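The upstream position quoted above is that a setuid (or otherwise privileged) program must scrub its environment before its first call into libdbus, because libdbus reads the bus address from DBUS_SYSTEM_BUS_ADDRESS and will happily connect a root-privileged process to whatever socket the unprivileged invoker named. The following is an added example of that pre-call scrub, written for this page; it is not code from libdbus, X.org or the Gentoo bug. DBUS_SYSTEM_BUS_ADDRESS is the variable named in the CVE; the additional DBUS_* address variables, the helper names (running_privileged, scrub_dbus_environment, sanitize_for_dbus) and the planted socket path are this example's own choices.

```c
/* Added example: environment scrub for a setuid program before any libdbus
 * use. Not part of libdbus or of the bug report above. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Variables through which libdbus (and GLib's GDBus) pick up a bus address.
 * DBUS_SYSTEM_BUS_ADDRESS is the one in the CVE text; the others are an
 * assumption of this example: a privileged caller wants them gone as well,
 * since each can redirect a connection to an attacker-owned socket. */
static const char *const dbus_env_vars[] = {
    "DBUS_SYSTEM_BUS_ADDRESS",
    "DBUS_SESSION_BUS_ADDRESS",
    "DBUS_STARTER_ADDRESS",
    "DBUS_STARTER_BUS_TYPE",
    NULL
};

/* Nonzero when the process holds privileges it did not inherit from its
 * parent (setuid/setgid bit, file capabilities). On Linux AT_SECURE is the
 * kernel's own answer to that question, the same flag ld.so consults before
 * honouring LD_PRELOAD; the uid/gid comparison is the portable fallback. */
static int running_privileged(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE))
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}

/* 1 if none of the bus-address variables is present, else 0. */
static int dbus_environment_is_clean(void)
{
    for (const char *const *v = dbus_env_vars; *v != NULL; v++)
        if (getenv(*v) != NULL)
            return 0;
    return 1;
}

/* Unset every bus-address variable. Returns how many were actually present. */
static int scrub_dbus_environment(void)
{
    int removed = 0;
    for (const char *const *v = dbus_env_vars; *v != NULL; v++)
        if (getenv(*v) != NULL && unsetenv(*v) == 0)
            removed++;
    return removed;
}

/* Policy wrapper: an unprivileged process keeps its user's variables (a
 * session bus address is legitimate there) and gets -1; a privileged one
 * is scrubbed and gets the number of variables removed. Call this before
 * the first libdbus call, e.g. before dbus_bus_get(DBUS_BUS_SYSTEM, ...). */
static int sanitize_for_dbus(int privileged)
{
    if (!privileged)
        return -1;
    return scrub_dbus_environment();
}

int main(void)
{
    /* Constructed demonstration: plant the variable an attacker would set,
     * then run the scrub as a setuid program would on startup. */
    setenv("DBUS_SYSTEM_BUS_ADDRESS", "unix:path=/tmp/attacker-socket", 1);
    int removed = sanitize_for_dbus(1);
    printf("removed %d variable(s); DBUS_SYSTEM_BUS_ADDRESS is now %s\n",
           removed, getenv("DBUS_SYSTEM_BUS_ADDRESS") ? "set" : "unset");

    /* Real use in a privileged binary: */
    if (running_privileged())
        scrub_dbus_environment();
    /* ... only now call into libdbus. */
    return 0;
}
```

The scrub has to happen before libdbus is first entered, not merely before the bus connection is made: a library that caches the address at load or init time gives the caller no later chance. The whitelist-of-what-to-keep approach (rebuilding environ from scratch with PATH and nothing else) is stricter still and is what most hardened setuid tools do; the per-variable unsetenv shown here is the minimum that addresses this CVE.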
Who sets the whiteboard as [ebuild]? what is for you the fixed version?
Upstream has not yet fixed this issue.
dbus-1.6.4 has the patch for this CVE and is for stabilization (as in, -r0 is for stabilization)
dbus-1.6.4-r1 has the patch for this CVE but is for ~arch because of its systemd dependency (repoman issues)
furthermore, if you dig up the Fedora bug for this issue, they disagree that it's even a dbus bug and call it a problem with apps like 'spice'
anyway, nothing for freedesktop-bugs@ to do here; happy hunting, security@, for those buggy setuid apps (like spice)
I'm dropping the patch from the next dbus version since it will never land upstream, so you have until then to deal with the buggy apps (like spice :-)
I would just point out that upstream has rejected that patch.
(In reply to comment #4)
> I would just point out that upstream has rejected that patch.
that's why I said in Comment #3 this is only temporary until the setuid reverse dependencies have been fixed...
1.6.8 in Portage with...
The other part of the fix is in dev-libs/glib-2.34.0 here:
CCing gnome@ for above ^^ to get it backported into 2.32 series and for stabilization.
This is the patch for glib-2.32... but I don't have time to apply and commit it. Samuli, if you have time now for that, feel free to commit:
Patch imported to =dev-libs/glib-2.32.4-r1.
Please test and stabilize:
=dev-util/gdbus-codegen-2.32.4 (from bug
(In reply to comment #8)
> Patch imported to =dev-libs/glib-2.32.4-r1.
> Please test and stabilize:
=dev-util/gdbus-codegen-2.32.4 (from bug 427544)
and new dbus-glib and dbus-python from bug 416725
Stable for HPPA.
x86 stable (systemd code rolled to -r1)
Is there a reason that the 1.6.8 ebuild has systemd support missing while 1.6.2 and 1.6.8-r1 have the use flag set up for it?
I'd rather not have to unmask the -r1 just for systemd support on amd64 since 1.6.2 was already stable with it.
stable ppc ppc64
Filing a new GLSA request.
This issue was resolved and addressed in
GLSA 201406-01 at http://security.gentoo.org/glsa/glsa-201406-01.xml
by GLSA coordinator Chris Reffett (creffett).