Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 931507 (CVE-2024-34397) - <dev-libs/glib-2.78.6: Signal subscription vulnerabilities
Summary: <dev-libs/glib-2.78.6: Signal subscription vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2024-34397
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://discourse.gnome.org/t/securit...
Whiteboard: A1 [cleanup glsa+]
Keywords:
Depends on: 931633
Blocks:
  Show dependency tree
 
Reported: 2024-05-07 18:51 UTC by Sam James
Modified: 2024-07-09 06:50 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-05-07 18:51:22 UTC
"""
A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib. They have been assigned CVE-2024-34397:

    gdbusconnection: Don’t deliver signals if the sender doesn’t match (!4038) 11 (changes on main)
    Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-80 (!4039) 2 (trivial backport to glib-2-80)
    Backport !4038 “gdbusconnection: Don’t deliver signals if the sender doesn’t match” to glib-2-78 (!4040) (non-trivial backport to glib-2-78)

There is a related fix in gnome-shell which distributions should cherry-pick at the same time, to avoid a regression in screen recording support in gnome-shell 3.38 and newer:

    screencast: Correct expected bus name for streams 4 (changes on main)
    Backports to older versions of gnome-shell are not available yet

When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager or logind on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact. Distributors are advised to cherry-pick these changes into their GLib packages ASAP.

Per GLib’s support policy, the fixes have not been backported to glib-2-76 or earlier.
"""
Comment 1 Hans de Graaff gentoo-dev Security 2024-05-08 05:20:44 UTC
The impact of this issue is unclear and application-specific, but let's assume the worst, which I believe is local privilege escalation.
Comment 2 Larry the Git Cow gentoo-dev 2024-05-09 14:10:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5408df9920f1a3abb1489915dad45b705e8fcee

commit c5408df9920f1a3abb1489915dad45b705e8fcee
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2024-05-09 13:27:56 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2024-05-09 14:10:27 +0000

    dev-libs/glib: add 2.78.6
    
    Bug: https://bugs.gentoo.org/931507
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 dev-libs/glib/Manifest           |   1 +
 dev-libs/glib/glib-2.78.6.ebuild | 320 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 321 insertions(+)
Comment 3 Hans de Graaff gentoo-dev Security 2024-06-09 08:45:18 UTC
Make this a glsa? candidate given the severity and the fact that we are only waiting on hppa.
Comment 4 Mathieu Tortuyaux 2024-06-12 07:50:09 UTC
Hey folks,

The CVE number is: CVE-2024-34397 (and not CVE-2024-3439 which refers to another issue).

> A series of related security fixes
> for how signal subscriptions are handled
> in GDBus have just landed in GLib.
> They have been assigned CVE-2024-34397 [^1]

[^1]: https://discourse.gnome.org/t/security-fixes-for-signal-handling-in-gdbus-in-glib/20882/1
Comment 5 Hans de Graaff gentoo-dev Security 2024-06-17 11:25:02 UTC
(In reply to Mathieu Tortuyaux from comment #4)
> Hey folks,
> 
> The CVE number is: CVE-2024-34397 (and not CVE-2024-3439 which refers to
> another issue).

Fixed (also in the GLSA draft). Thanks for reporting.
Comment 6 Larry the Git Cow gentoo-dev 2024-06-22 06:46:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8c083312a2dae707ce0ba895fb49fc848bfaa83f

commit 8c083312a2dae707ce0ba895fb49fc848bfaa83f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 06:44:35 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 06:45:43 +0000

    [ GLSA 202406-01 ] GLib: Privilege Escalation
    
    Bug: https://bugs.gentoo.org/931507
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-01.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)