""" A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397: gdbusconnection: Don’t deliver signals if the sender doesn’t match (!4038) 11 (changes on main) Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-80 (!4039) 2 (trivial backport to glib-2-80) Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-78 (!4040) (non-trivial backport to glib-2-78) There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer: screencast: Correct expected bus name for streams 4 (changes on main) Backports to older versions of gnome-shell are not available yet When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Distributors are advised to cherry-pick these changes into their GLib packages ASAP. Per GLib’s support policy, the fixes have not been backported to glib-2-76 or earlier. """
The impact of this issue is unclear and application-specific, but let's assume the worst, which I believe is local privilege escalation.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5408df9920f1a3abb1489915dad45b705e8fcee commit c5408df9920f1a3abb1489915dad45b705e8fcee Author: Mart Raudsepp <leio@gentoo.org> AuthorDate: 2024-05-09 13:27:56 +0000 Commit: Mart Raudsepp <leio@gentoo.org> CommitDate: 2024-05-09 14:10:27 +0000 dev-libs/glib: add 2.78.6 Bug: https://bugs.gentoo.org/931507 Signed-off-by: Mart Raudsepp <leio@gentoo.org> dev-libs/glib/Manifest | 1 + dev-libs/glib/glib-2.78.6.ebuild | 320 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 321 insertions(+)
Make this a glsa? candidate given the severity and the fact that we are only waiting on hppa.
Hey folks, The CVE number is: CVE-2024-34397 (and not CVE-2024-3439 which refers to another issue). > A series of related security fixes > for how signal subscriptions are handled > in GDBus have just landed in GLib. > They have been assigned CVE-2024-34397 [^1] [^1]: https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/1
(In reply to Mathieu Tortuyaux from comment #4) > Hey folks, > > The CVE number is: CVE-2024-34397 (and not CVE-2024-3439 which refers to > another issue). Fixed (also in the GLSA draft). Thanks for reporting.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=8c083312a2dae707ce0ba895fb49fc848bfaa83f commit 8c083312a2dae707ce0ba895fb49fc848bfaa83f Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-06-22 06:44:35 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-06-22 06:45:43 +0000 [ GLSA 202406-01 ] GLib: Privilege Escalation Bug: https://bugs.gentoo.org/931507 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202406-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+)