accountsservice: CVE-2012-2737 local file disclosure

Related Vulnerabilities: CVE-2012-2737  

Debian Bug report logs - #679429

Reported by: Simon McVittie <smcv@debian.org>

Date: Thu, 28 Jun 2012 15:45:05 UTC

Severity: critical

Tags: fixed-upstream, patch, security, upstream

Merged with 681008

Found in version accountsservice/0.6.21-5

Fixed in version accountsservice/0.6.21-6

Done: Alessio Treglia <alessio@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alessio Treglia <alessio@debian.org>:
Bug#679429; Package accountsservice. (Thu, 28 Jun 2012 15:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Alessio Treglia <alessio@debian.org>. (Thu, 28 Jun 2012 15:45:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: accountsservice: CVE-2012-2737 local file disclosure
Date: Thu, 28 Jun 2012 16:42:25 +0100
Package: accountsservice
Version: 0.6.21-5
Severity: important
Tags: upstream security

Please see <https://bugzilla.redhat.com/show_bug.cgi?id=832532>.
(I have not confirmed that our accountsservice is actually affected,
but it seems highly likely, since it was uploaded before the embargo date.)

    S

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages accountsservice depends on:
ii  dbus                   1.6.2-1
ii  libaccountsservice0    0.6.21-5
ii  libc6                  2.13-33
ii  libglib2.0-0           2.32.3-1
ii  libpolkit-gobject-1-0  0.105-1

accountsservice recommends no packages.

Versions of packages accountsservice suggests:
ii  gnome-control-center  1:3.4.2-2

-- no debconf information




Added tag(s) patch. Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 14:21:25 GMT) (full text, mbox, link).


Merged 679429 681008 Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 14:21:28 GMT) (full text, mbox, link).


Severity set to 'critical' from 'important' Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 14:21:32 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 14:21:34 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Alessio Treglia <alessio@debian.org> to control@bugs.debian.org. (Tue, 10 Jul 2012 15:27:19 GMT) (full text, mbox, link).


Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Tue, 10 Jul 2012 16:03:15 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 10 Jul 2012 16:03:15 GMT) (full text, mbox, link).


Message #20 received at 679429-close@bugs.debian.org (full text, mbox, reply):

From: Alessio Treglia <alessio@debian.org>
To: 679429-close@bugs.debian.org
Subject: Bug#679429: fixed in accountsservice 0.6.21-6
Date: Tue, 10 Jul 2012 16:02:11 +0000
Source: accountsservice
Source-Version: 0.6.21-6

We believe that the bug you reported is fixed in the latest version of
accountsservice, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 679429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessio Treglia <alessio@debian.org> (supplier of updated accountsservice package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Tue, 10 Jul 2012 17:04:54 +0200
Source: accountsservice
Binary: accountsservice libaccountsservice0 libaccountsservice-dev gir1.2-accountsservice-1.0 libaccountsservice-dbg
Architecture: source amd64
Version: 0.6.21-6
Distribution: unstable
Urgency: high
Maintainer: Alessio Treglia <alessio@debian.org>
Changed-By: Alessio Treglia <alessio@debian.org>
Description: 
 accountsservice - query and manipulate user account information
 gir1.2-accountsservice-1.0 - GObject introspection data for AccountService
 libaccountsservice-dbg - query and manipulate user account information - debug
 libaccountsservice-dev - query and manipulate user account information - header files
 libaccountsservice0 - query and manipulate user account information - shared libraries
Closes: 679429
Changes: 
 accountsservice (0.6.21-6) unstable; urgency=high
 .
   * CVE-2012-2737: Add patch to prevent race condition with UID
     lookup (Closes: #679429):
     - src/u{ser,til}.c: Use bus daemon to query peer credentials.






Reply sent to Alessio Treglia <alessio@debian.org>:
You have taken responsibility. (Tue, 10 Jul 2012 16:03:16 GMT) (full text, mbox, link).


Notification sent to Josselin Mouette <joss@debian.org>:
Bug acknowledged by developer. (Tue, 10 Jul 2012 16:03:16 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 22 Aug 2012 07:27:11 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:03:25 2019; Machine Name: buxtehude
