Package: libdbus-glib-1-dev
Version: 0.86-1
Severity: grave
Tags: security
Justification: security hole in packages that use it
See <https://bugzilla.redhat.com/show_bug.cgi?id=585394>. Quoting Colin Walters:

> The desktop team recently discovered a flaw in dbus-glib where it didn't
> respect the "access" flag on properties specified. Basically, core OS
> services like NetworkManager which use dbus-glib were specifying e.g. the
> "Ip4Address" as read-only for remote access, but in fact any process could
> modify it.
>
> I have a patch for dbus-glib (attached). However, due to the nature of the
> way dbus-glib works where at build time services generate a C data structure
> from XML and embed it into their binary, affected services will need to be
> rebuilt (though not patched).
>
> This affected list is for F-12; I think for RHEL5 we just need dbus-glib and
> NetworkManager.
>
> KNOWN AFFECTED SERVICES:
> * DeviceKit-Power
> * NetworkManager
> * ModemManager
>
> KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
> * ConsoleKit (it denies all Properties access using dbus policy)
> * gdm (ditto)
> * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
>
> KNOWN NOT AFFECTED (because I audited them)
> * gnome-panel (no dbus properties)
> * gnome-system-monitor (ditto)
>
> PROBABLY NOT AFFECTED
> * hal (doesn't claim to handle org.freedesktop.DBus.Properties)
> * polkit (uses eggdbus)
> * rtkit (doesn't use dbus-glib)
> * DeviceKit-disks (all its properties appear to be readonly)
> * wpa_supplicant (doesn't implement Properties)
> * upstart (doesn't use dbus-glib)
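The missing check described in the quoted report, as an added example that is not code from the bug report or from dbus-glib: a server-side `org.freedesktop.DBus.Properties.Set` handler that consults the `access` attribute of the service's introspection XML before accepting a write, plus the audit helper one would use to list which properties a remote client may legitimately modify. The introspection fragment and the `org.example.Device` interface are constructed for illustration and are not NetworkManager's real API; the error names follow the D-Bus specification, the data structures are my own rather than the C tables dbus-glib generates at build time.

```python
import xml.etree.ElementTree as ET

# Constructed introspection fragment in the style of a device interface;
# the interface and property names are illustrative, not NetworkManager's.
INTROSPECTION_XML = """<node>
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Managed" type="b" access="readwrite"/>
    <property name="Secret" type="s" access="write"/>
  </interface>
</node>"""


def property_access(xml_text):
    """Map (interface, property) -> declared access flag.

    A property with no explicit access attribute is treated as read-only,
    which is the conservative choice for a server-side check."""
    table = {}
    for iface in ET.fromstring(xml_text).iter("interface"):
        for prop in iface.iter("property"):
            key = (iface.get("name"), prop.get("name"))
            table[key] = prop.get("access", "read")
    return table


def writable_properties(table):
    """Audit helper: every property a remote caller may set."""
    return [k for k, access in table.items() if access in ("write", "readwrite")]


def handle_set(table, interface, prop, value, store):
    """Properties.Set as the service should implement it: the access flag is
    enforced here, not just documented. Returns a D-Bus error name, or None
    when the write was accepted and stored."""
    access = table.get((interface, prop))
    if access is None:
        return "org.freedesktop.DBus.Error.UnknownProperty"
    if access not in ("write", "readwrite"):
        # This is the branch the flawed dbus-glib effectively lacked.
        return "org.freedesktop.DBus.Error.PropertyReadOnly"
    store[prop] = value
    return None
```

Running `writable_properties` over a real service's introspection output is the same audit Colin Walters describes doing by hand for gnome-panel and gnome-system-monitor.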