Your message dated Mon, 16 Aug 2010 17:02:48 +0000
with message-id <e1ol35e-0007q0...@franck.debian.org>
and subject line Bug#592753: fixed in dbus-glib 0.88-1
has caused the Debian Bug report #592753,
regarding libdbus-glib-1-dev: CVE-2010-1172 property access not validated
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
592753: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592753
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libdbus-glib-1-dev
Version: 0.86-1
Severity: grave
Tags: security
Justification: security hole in packages that use it
See <https://bugzilla.redhat.com/show_bug.cgi?id=585394>. Quoting Colin
Walters:
> The desktop team recently discovered a flaw in dbus-glib where it didn't
> respect the "access" flag on properties specified. Basically, core OS
> services like NetworkManager which use dbus-glib were specifying e.g. the
> "Ip4Address" as read-only for remote access, but in fact any process could
> modify it.
>
> I have a patch for dbus-glib (attached). However, due to the nature of the way
> dbus-glib works where at build time services generate a C data structure from
> XML and embed it into their binary, affected services will need to be rebuilt
> (though not patched).
>
> This affected list is for F-12; I think for RHEL5 we just need dbus-glib and
> NetworkManager.
>
> KNOWN AFFECTED SERVICES:
> * DeviceKit-Power
> * NetworkManager
> * ModemManager
>
> KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
> * ConsoleKit (it denies all Properties access using dbus policy)
> * gdm (ditto)
> * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
>
> KNOWN NOT AFFECTED (because I audited them)
> * gnome-panel (no dbus properties)
> * gnome-system-monitor (ditto)
>
> PROBABLY NOT AFFECTED
> * hal (doesn't claim to handle org.freedesktop.DBus.Properties)
> * polkit (uses eggdbus)
> * rtkit (doesn't use dbus-glib)
> * DeviceKit-disks (all its properties appear to be readonly)
> * wpa_supplicant (doesn't implement Properties)
> * upstart (doesn't use dbus-glib)
--- End Message ---
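The audit criterion implied by the report above, as an added example that is not part of the original messages or of dbus-glib: a property is exposed when the introspection XML declares it `access="read"` but the backing GObject property is writable and the XML flag is not enforced. The interface name, the properties other than `Ip4Address`, the `GOBJECT_WRITABLE` table and all function names are constructed for illustration, and `remote_set_allowed` is a simplified model of the behaviour described, not the library's code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only "Ip4Address" is named in the report; the interface
# name and the other properties are made up for illustration.
INTROSPECTION_XML = """\
<node>
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Managed" type="b" access="readwrite"/>
    <property name="Driver" type="s" access="read"/>
  </interface>
</node>
"""

# Constructed: whether the GObject property behind each D-Bus property is
# writable in-process (hypothetical audit input, keyed by D-Bus name).
GOBJECT_WRITABLE = {"Ip4Address": True, "Managed": True, "Driver": False}


def declared_access(xml_text):
    """Map (interface, property) -> access attribute from introspection XML."""
    root = ET.fromstring(xml_text)
    return {
        (iface.get("name"), prop.get("name")): prop.get("access", "")
        for iface in root.iter("interface")
        for prop in iface.findall("property")
    }


def remote_set_allowed(access, gobject_writable, honour_access_flag):
    """Simplified model of the decision for a remote Properties.Set call."""
    if not gobject_writable:
        return False  # the object itself refuses the write
    if honour_access_flag:
        return access in ("write", "readwrite")
    return True  # flawed behaviour: the XML access flag is ignored


def exposed_properties(xml_text, gobject_writable, honour_access_flag):
    """Properties declared read-only in XML that a remote Set could still change."""
    findings = []
    for (iface, name), access in sorted(declared_access(xml_text).items()):
        writable = gobject_writable.get(name, True)  # unknown: assume writable
        if access == "read" and remote_set_allowed(access, writable, honour_access_flag):
            findings.append((iface, name))
    return findings


if __name__ == "__main__":
    print("flag ignored: ", exposed_properties(INTROSPECTION_XML, GOBJECT_WRITABLE, False))
    print("flag enforced:", exposed_properties(INTROSPECTION_XML, GOBJECT_WRITABLE, True))
```
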
--- Begin Message ---
Source: dbus-glib
Source-Version: 0.88-1
We believe that the bug you reported is fixed in the latest version of
dbus-glib, which is due to be installed in the Debian FTP archive:
dbus-glib_0.88-1.diff.gz
to main/d/dbus-glib/dbus-glib_0.88-1.diff.gz
dbus-glib_0.88-1.dsc
to main/d/dbus-glib/dbus-glib_0.88-1.dsc
dbus-glib_0.88.orig.tar.gz
to main/d/dbus-glib/dbus-glib_0.88.orig.tar.gz
libdbus-glib-1-2-dbg_0.88-1_amd64.deb
to main/d/dbus-glib/libdbus-glib-1-2-dbg_0.88-1_amd64.deb
libdbus-glib-1-2_0.88-1_amd64.deb
to main/d/dbus-glib/libdbus-glib-1-2_0.88-1_amd64.deb
libdbus-glib-1-dev_0.88-1_amd64.deb
to main/d/dbus-glib/libdbus-glib-1-dev_0.88-1_amd64.deb
libdbus-glib-1-doc_0.88-1_all.deb
to main/d/dbus-glib/libdbus-glib-1-doc_0.88-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 592...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <s...@debian.org> (supplier of updated dbus-glib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Aug 2010 17:39:43 +0100
Source: dbus-glib
Binary: libdbus-glib-1-dev libdbus-glib-1-2 libdbus-glib-1-doc libdbus-glib-1-2-dbg
Architecture: source all amd64
Version: 0.88-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintain...@lists.alioth.debian.org>
Changed-By: Simon McVittie <s...@debian.org>
Description:
 libdbus-glib-1-2 - simple interprocess messaging system (GLib-based shared library)
 libdbus-glib-1-2-dbg - simple interprocess messaging system (GLib library debug symbols)
 libdbus-glib-1-dev - simple interprocess messaging system (GLib interface)
 libdbus-glib-1-doc - simple interprocess messaging system (GLib library documentation)
Closes: 592753
Changes:
 dbus-glib (0.88-1) experimental; urgency=low
 .
   [ Sjoerd Simons ]
   * debian/control: Move packaging from svn to git
   * debian/rules, debian/libdbus-glib-1-2-dbg.links:
     - Don't symlink the dbg doc directory to the main packages one, it's too
       brittle and doesn't win much
   * debian/control, debian/update-patches.mk
     - Copy patch updating script from pkg-telepathy
   * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
     - Fix crash when using shadow properties (from upstream git)
 .
   [ Simon McVittie ]
   * New upstream version
     - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
       LP: #616517)
     - drop the patch Sjoerd added, which is included in the upstream release
     - update symbols file for new ABI (some of which is part of the security
       bugfix)
     - mark dbus_g_object_type_install_info as requiring a dependency on this
       version, because it will be "version 1" instead of "version 0" object
       info for anything compiled against this version
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---