Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 332529 (CVE-2010-1172) - <dev-libs/dbus-glib-0.88: Improper property access vulnerability (CVE-2010-1172)
Summary: <dev-libs/dbus-glib-0.88: Improper property access vulnerability (CVE-2010-1172)
Status: RESOLVED FIXED
Alias: CVE-2010-1172
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa]
Keywords:
Depends on: CVE-2010-4352
Blocks:
  Show dependency tree
 
Reported: 2010-08-12 19:37 UTC by Tim Sammut (RETIRED)
Modified: 2011-02-23 22:15 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-08-12 19:37:50 UTC
From: https://bugzilla.redhat.com/show_bug.cgi?id=585394

The [Red Hat] desktop team recently discovered a flaw in dbus-glib where it didn't respect the  "access" flag on properties specified.  Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g. the
"Ip4Address" as read-only for remote access, but in fact any process could
modify it.

I have a patch for dbus-glib (attached).  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

This affected list is for F-12; I think for RHEL5 we just need dbus-glib and
NetworkManager.

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-01 23:14:16 UTC
CVE-2010-1172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1172):
  DBus-GLib 0.73 disregards the access flag of exported GObject
  properties, which allows local users to bypass intended access
  restrictions and possibly cause a denial of service by modifying
  properties, as demonstrated by properties of the (1) DeviceKit-Power,
  (2) NetworkManager, and (3) ModemManager services.

Comment 2 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 03:51:30 UTC
=dev-libs/dbus-glib-0.88 contains the fix for this issue and is now in the tree. Bug 343323 seems relevant however...

steev and cardoe, are we ok to stabilize =dev-libs/dbus-glib-0.88?
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 16:27:44 UTC
(In reply to comment #2)
> =dev-libs/dbus-glib-0.88 contains the fix for this issue and is now in the
> tree. Bug 343323 seems relevant however...
> 
> steev and cardoe, are we ok to stabilize =dev-libs/dbus-glib-0.88?
> 

=dev-libs/dbus-glib-0.88 stabilization is taking place in bug 348766.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-11 16:02:54 UTC
Stabilization completed in bug 348766.

GLSA Vote: No.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:15:00 UTC
Vote: no, closing noglsa.