Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: pu
Moritz asked me to upload dbus-glib to squeeze for #700638 (CVE-2013-0292). I've already uploaded it, with permission from adsb, since the 6.0.7 point release is imminent. Debdiff below. Regards, S diffstat for dbus-glib_0.88-2.1 dbus-glib_0.88-2.1+squeeze1 dbus-glib-0.88/debian/changelog | 8 + debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch | 52 ++++++++++ 2 files changed, 60 insertions(+) diff -u dbus-glib-0.88/debian/changelog dbus-glib-0.88/debian/changelog --- dbus-glib-0.88/debian/changelog +++ dbus-glib-0.88/debian/changelog @@ -1,3 +1,11 @@ +dbus-glib (0.88-2.1+squeeze1) stable; urgency=low + + * Apply patch from upstream 0.100.1 to fix insufficient checking + leading to authentication bypass in pam_fprintd (CVE-2013-0292) + (Closes: #700638) + + -- Simon McVittie <s...@debian.org> Fri, 15 Feb 2013 17:58:34 +0000 + dbus-glib (0.88-2.1) unstable; urgency=high * Non-maintainer upload. only in patch2: unchanged: --- dbus-glib-0.88.orig/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch +++ dbus-glib-0.88/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch 
@@ -0,0 +1,52 @@ +From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001 +From: Colin Walters <walt...@verbum.org> +Date: Thu, 14 Feb 2013 10:19:34 -0500 +Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of + NameOwnerChanged signals to be o.f.DBus + +Anyone can hop on the bus and emit a signal whose interface is +o.f.DBus; it's expected at the moments that clients (and notably DBus +libraries) check the sender. + +This could previously be used to trick a system service using dbus-glib +into thinking a malicious signal came from a privileged source, by +claiming that ownership of the privileged source's well-known name had +changed from the privileged source's real unique name to the attacker's +unique name. + +[altered to be NULL-safe so it won't crash on peer connections -smcv] +Signed-off-by: Simon McVittie <simon.mcvit...@collabora.co.uk> +Reviewed-by: Simon McVittie <simon.mcvit...@collabora.co.uk> +--- + dbus/dbus-gproxy.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c +index 2fc52f9..c3ae9ec 100644 +--- a/dbus/dbus-gproxy.c ++++ b/dbus/dbus-gproxy.c +@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection *connection, + GSList *tmp; + const char *sender; + ++ sender = dbus_message_get_sender (message); ++ + /* First we handle NameOwnerChanged internally */ +- if (dbus_message_is_signal (message, ++ if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 && ++ dbus_message_is_signal (message, + DBUS_INTERFACE_DBUS, + "NameOwnerChanged")) + { +@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection *connection, + } + } + +- sender = dbus_message_get_sender (message); +- + /* dbus spec requires these, libdbus validates */ + g_assert (dbus_message_get_path (message) != NULL); + g_assert (dbus_message_get_interface (message) != NULL); +-- +1.7.10.4 + -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". 
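Review bot: the changelog entry for 0.88-2.1+squeeze1 describes the bug only by its downstream symptom ("authentication bypass in pam_fprintd"), while the code change is in dbus-glib's own proxy manager (dbus/dbus-gproxy.c) and affects every dbus-glib client, not just pam_fprintd; state the library-level issue in the changelog so readers of the dbus-glib history understand the fix is generic, for example "dbus-gproxy: only accept NameOwnerChanged signals whose sender is the bus daemon (org.freedesktop.DBus), so a peer on the bus can no longer spoof name-ownership changes; previously exploitable for authentication bypass in pam_fprintd (CVE-2013-0292)".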
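Review bot: in the `@@ -1250,8 +1250,11 @@` hunk the new `g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&` condition carries no comment explaining why the sender is compared, and the NULL-safety for peer-to-peer connections (where `dbus_message_get_sender` returns NULL) is recorded only in the commit message; add a comment above the condition such as `/* Only the bus daemon may legitimately emit NameOwnerChanged; sender is NULL on peer connections, which g_strcmp0 tolerates */`. Note also that a NameOwnerChanged signal from any other sender is now merely not treated as a name-owner change and still falls through into the rest of the filter (the `g_assert` checks and the generic signal path below) rather than being discarded; that is fine provided the later dispatch does not itself trust the org.freedesktop.DBus interface name, which is worth confirming against the code following this hunk.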