From ${URL} :

Sebastian Krahmer discovered and published an authentication bypass vulnerability in pam_fprintd, caused by a bug in dbus-glib. It is possible that other users of dbus-glib can be exploited in the same way.

CVE-2013-0292 has been allocated for this vulnerability.

This vulnerability is fixed in dbus-glib version 0.100.1 by git commit 166978a. All users of dbus-glib should upgrade.

<http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz>
<http://dbus.freedesktop.org/releases/dbus-glib/dbus-glib-0.100.1.tar.gz.asc>
<http://cgit.freedesktop.org/dbus/dbus-glib/commit/?id=166978a09cf5edff4028e670b6074215a4c75eca>

The D-Bus maintainers consider use of dbus-glib to be deprecated. We encourage GLib application and library authors to switch to GDBus, which has been part of GLib since 2.26.
*** Bug 458144 has been marked as a duplicate of this bug. ***
Thanks, fixed by dbus-glib-0.100.1, which now needs to be stabilized everywhere. +*dbus-glib-0.100.1 (19 Feb 2013) + + 19 Feb 2013; Alexandre Rostovtsev <tetromino@gentoo.org> + +dbus-glib-0.100.1.ebuild: + Bump, fixes authentication bypass (CVE-2013-0292, bug #457792).
Test and mark stable: =dev-libs/dbus-glib-0.100.2
amd64 stable
x86 stable
(In reply to comment #4)
> amd64 stable

(In reply to comment #5)
> x86 stable

You got wrong version, read Comment #3. Version .1 is buggy so we jump to .2.
(In reply to comment #6)
> (In reply to comment #4)
> > amd64 stable
>
> (In reply to comment #5)
> > x86 stable
>
> You got wrong version, read Comment #3. Version .1 is buggy so we jump to .2.

my bad, will be fixed asap.
ppc stable
ppc64 stable
Stable for HPPA.
ia64 stable
arm stable
alpha stable
s390 stable
sparc stable
sh stable
CVE-2013-0292 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0292): The dbus_g_proxy_manager_filter function in dbus-gproxy in Dbus-glib before 0.100.1 does not properly verify the sender of NameOwnerChanged signals, which allows local users to gain privileges via a spoofed signal.
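The missing sender check described in the CVE text, shown as an added example that is not dbus-glib source and not part of the original thread: a simplified model of a signal filter with and without verification that NameOwnerChanged came from the bus daemon. The struct names, the name net.example.Auth and the unique names :1.7, :1.8 and :1.99 are constructed for illustration; the model assumes the bus daemon stamps the sender field, so a peer can choose interface and member but not the sender.

```c
#include <stdio.h>
#include <string.h>

#define BUS_DAEMON "org.freedesktop.DBus"

/* Simplified stand-in for a received signal (not libdbus's DBusMessage). */
struct sig { const char *sender, *iface, *member, *name, *new_owner; };
/* The owner this client currently believes holds the watched name. */
struct owner_cache { const char *name; char owner[32]; };

static int is_name_owner_changed(const struct sig *m) {
    return strcmp(m->iface, BUS_DAEMON) == 0 &&
           strcmp(m->member, "NameOwnerChanged") == 0;
}

/* Behaviour the CVE text describes: interface/member match, sender unchecked. */
int filter_unchecked(struct owner_cache *c, const struct sig *m) {
    if (!is_name_owner_changed(m) || strcmp(m->name, c->name) != 0) return 0;
    snprintf(c->owner, sizeof c->owner, "%s", m->new_owner);
    return 1;
}

/* Hardened: only the bus daemon may announce an ownership change. */
int filter_checked(struct owner_cache *c, const struct sig *m) {
    if (m->sender == NULL || strcmp(m->sender, BUS_DAEMON) != 0) return 0;
    return filter_unchecked(c, m);
}

/* Constructed input: peer :1.99 claims net.example.Auth now belongs to it. */
int spoof_accepted(int hardened) {
    struct owner_cache c = { "net.example.Auth", ":1.7" };
    struct sig spoof = { ":1.99", BUS_DAEMON, "NameOwnerChanged",
                         "net.example.Auth", ":1.99" };
    if (hardened) filter_checked(&c, &spoof);
    else filter_unchecked(&c, &spoof);
    return strcmp(c.owner, ":1.99") == 0;   /* 1 = cache now trusts the peer */
}

/* Constructed input: the bus daemon itself reports a real owner change. */
int genuine_accepted(void) {
    struct owner_cache c = { "net.example.Auth", ":1.7" };
    struct sig real = { BUS_DAEMON, BUS_DAEMON, "NameOwnerChanged",
                        "net.example.Auth", ":1.8" };
    return filter_checked(&c, &real) && strcmp(c.owner, ":1.8") == 0;
}

int main(void) {
    printf("unchecked: %d, checked: %d, genuine: %d\n",
           spoof_accepted(0), spoof_accepted(1), genuine_accepted());
    return 0;
}
```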
Ready for vote. I vote NO, due to deprecation.
m68k: continued in bug 473190
GLSA vote: no.

Closing as noglsa.