libdbus-glib-1-dev: CVE-2010-1172 property access not validated

Related Vulnerabilities: CVE-2010-1172  

Debian Bug report logs - #592753

Reported by: Simon McVittie <smcv@debian.org>

Date: Thu, 12 Aug 2010 15:54:02 UTC

Severity: grave

Tags: security

Found in version dbus-glib/0.86-1

Fixed in version dbus-glib/0.88-1

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#592753; Package libdbus-glib-1-dev. (Thu, 12 Aug 2010 15:54:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Thu, 12 Aug 2010 15:54:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libdbus-glib-1-dev: CVE-2010-1172 property access not validated
Date: Thu, 12 Aug 2010 16:51:14 +0100
Package: libdbus-glib-1-dev
Version: 0.86-1
Severity: grave
Tags: security
Justification: security hole in packages that use it

See <https://bugzilla.redhat.com/show_bug.cgi?id=585394>. Quoting Colin
Walters:

> The desktop team recently discovered a flaw in dbus-glib where it didn't
> respect the "access" flag on properties specified.  Basically, core OS
> services like NetworkManager which use dbus-glib were specifying e.g. the
> "Ip4Address" as read-only for remote access, but in fact any process could
> modify it.
> 
> I have a patch for dbus-glib (attached).  However, due to the nature of the way
> dbus-glib works where at build time services generate a C data structure from
> XML and embed it into their binary, affected services will need to be rebuilt
> (though not patched).
> 
> This affected list is for F-12; I think for RHEL5 we just need dbus-glib and
> NetworkManager.
> 
> KNOWN AFFECTED SERVICES:
> * DeviceKit-Power
> * NetworkManager
> * ModemManager
> 
> KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
> * ConsoleKit (it denies all Properties access using dbus policy)
> * gdm (ditto)
> * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
> 
> KNOWN NOT AFFECTED (because I audited them)
> * gnome-panel (no dbus properties)
> * gnome-system-monitor (ditto)
> 
> PROBABLY NOT AFFECTED
> * hal (doesn't claim to handle org.freedesktop.DBus.Properties)
> * polkit (uses eggdbus)
> * rtkit (doesn't use dbus-glib)
> * DeviceKit-disks (all its properties appear to be readonly)
> * wpa_supplicant (doesn't implement Properties)
> * upstart (doesn't use dbus-glib)
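The quoted report describes the defect mechanically: a dbus-glib service declares each property's access attribute ("read", "write" or "readwrite") in its introspection XML, the build turns that XML into a C structure embedded in the binary, and the affected library honoured org.freedesktop.DBus.Properties.Set requests without consulting the declaration. The script below is an added example and is not code from the bug report or from dbus-glib. It parses introspection XML of the kind such services ship, lists the properties declared read-only (the ones that were writable under the affected library) and models the access check a Properties.Set handler has to perform before writing. The XML document, the org.example.Device interface and the helper names are constructed for the example; a property with a missing or unrecognised access attribute is treated as invalid rather than defaulting to writable.

```python
"""Audit helper for D-Bus introspection XML (added example, not dbus-glib code).

Lists declared properties with their "access" attribute and models the
check a Properties.Set handler must apply before honouring a write.
"""
import xml.etree.ElementTree as ET

# Constructed sample introspection XML; the interface and property names are
# invented for this example and do not describe any real service.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<node name="/org/example/Device">
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Autoconnect" type="b" access="readwrite"/>
    <property name="Label" type="s"/>
    <method name="Disconnect"/>
  </interface>
  <interface name="org.freedesktop.DBus.Properties">
    <method name="Get"/>
    <method name="Set"/>
  </interface>
</node>
"""

PROPERTIES_IFACE = "org.freedesktop.DBus.Properties"
VALID_ACCESS = {"read", "write", "readwrite"}


def parse_properties(xml_text):
    """Return {(interface, property): access} for every <property> element.

    A property whose access attribute is absent or not one of the three
    recognised values is recorded as None, so callers see a declaration
    problem instead of a silently writable property.
    """
    root = ET.fromstring(xml_text)
    table = {}
    for iface in root.iter("interface"):
        iface_name = iface.get("name")
        for prop in iface.findall("property"):
            access = prop.get("access")
            if access not in VALID_ACCESS:
                access = None
            table[(iface_name, prop.get("name"))] = access
    return table


def exposes_properties_interface(xml_text):
    """True if the node claims to implement org.freedesktop.DBus.Properties."""
    root = ET.fromstring(xml_text)
    return any(i.get("name") == PROPERTIES_IFACE for i in root.iter("interface"))


def read_only_properties(table):
    """Sorted names of properties declared access="read".

    Under the affected dbus-glib these were the properties a remote caller
    could nevertheless modify, so they are the ones to verify after a rebuild.
    """
    return sorted(name for (_iface, name), access in table.items() if access == "read")


def set_allowed(table, iface, name):
    """Model of the server-side check before a Properties.Set is honoured.

    Only 'write' and 'readwrite' permit a remote write; unknown properties and
    properties with an invalid declaration are refused.
    """
    return table.get((iface, name)) in ("write", "readwrite")


def get_allowed(table, iface, name):
    """Model of the corresponding check for Properties.Get."""
    return table.get((iface, name)) in ("read", "readwrite")


if __name__ == "__main__":
    props = parse_properties(SAMPLE_XML)
    print("implements Properties:", exposes_properties_interface(SAMPLE_XML))
    for (iface, name), access in sorted(props.items()):
        print(f"{iface}.{name}: access={access}")
    print("declared read-only:", read_only_properties(props))
    for name in ("Ip4Address", "Autoconnect", "Label"):
        print(f"Set {name} allowed:", set_allowed(props, "org.example.Device", name))
```

Run against a real service's introspection output, the read-only list is the set of properties whose writability should be re-tested once the service has been rebuilt against the fixed library, since, as the report notes, the access declaration lives in a C structure generated at the service's own build time.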

Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 16 Aug 2010 17:06:03 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 16 Aug 2010 17:06:03 GMT)


Message #10 received at 592753-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 592753-close@bugs.debian.org
Subject: Bug#592753: fixed in dbus-glib 0.88-1
Date: Mon, 16 Aug 2010 17:02:48 +0000
Source: dbus-glib
Source-Version: 0.88-1

We believe that the bug you reported is fixed in the latest version of
dbus-glib, which is due to be installed in the Debian FTP archive:

dbus-glib_0.88-1.diff.gz
  to main/d/dbus-glib/dbus-glib_0.88-1.diff.gz
dbus-glib_0.88-1.dsc
  to main/d/dbus-glib/dbus-glib_0.88-1.dsc
dbus-glib_0.88.orig.tar.gz
  to main/d/dbus-glib/dbus-glib_0.88.orig.tar.gz
libdbus-glib-1-2-dbg_0.88-1_amd64.deb
  to main/d/dbus-glib/libdbus-glib-1-2-dbg_0.88-1_amd64.deb
libdbus-glib-1-2_0.88-1_amd64.deb
  to main/d/dbus-glib/libdbus-glib-1-2_0.88-1_amd64.deb
libdbus-glib-1-dev_0.88-1_amd64.deb
  to main/d/dbus-glib/libdbus-glib-1-dev_0.88-1_amd64.deb
libdbus-glib-1-doc_0.88-1_all.deb
  to main/d/dbus-glib/libdbus-glib-1-doc_0.88-1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 592753@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated dbus-glib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 16 Aug 2010 17:39:43 +0100
Source: dbus-glib
Binary: libdbus-glib-1-dev libdbus-glib-1-2 libdbus-glib-1-doc libdbus-glib-1-2-dbg
Architecture: source all amd64
Version: 0.88-1
Distribution: experimental
Urgency: low
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 libdbus-glib-1-2 - simple interprocess messaging system (GLib-based shared library)
 libdbus-glib-1-2-dbg - simple interprocess messaging system (GLib library debug symbols)
 libdbus-glib-1-dev - simple interprocess messaging system (GLib interface)
 libdbus-glib-1-doc - simple interprocess messaging system (GLib library documentation)
Closes: 592753
Changes: 
 dbus-glib (0.88-1) experimental; urgency=low
 .
   [ Sjoerd Simons ]
   * debian/control: Move packaging from svn to git
   * debian/rules, debian/libdbus-glib-1-2-dbg.links:
     - Don't symlink the dbg doc directory to the main packages one, it's too
       brittle and doesn't win much
   * debian/control, debian/update-patches.mk
     - Copy patch updating script from pkg-telepathy
   * debian/patches/0001-Fix-lookup-of-regular-properties-when-shadow-propert.patch
     - Fix crash when using shadow properties (from upstream git)
 .
   [ Simon McVittie ]
   * New upstream version
     - fixes CVE-2010-1172, unvalidated property access (Closes: #592753,
       LP: #616517)
     - drop the patch Sjoerd added, which is included in the upstream release
     - update symbols file for new ABI (some of which is part of the security
       bugfix)
     - mark dbus_g_object_type_install_info as requiring a dependency on this
       version, because it will be "version 1" instead of "version 0" object
       info for anything compiled against this version
Checksums-Sha1: 
 57a4ecbe5bb904bc2996a7d86b01a9d5aa0e42d6 2127 dbus-glib_0.88-1.dsc
 5e1d4a38acb38441a4708127522aa5223bf17842 688611 dbus-glib_0.88.orig.tar.gz
 d75f215932a17f3f8dfb068c9a442c63b90872e2 18254 dbus-glib_0.88-1.diff.gz
 c7e6bf30928aecfe9397d0d36a929d71ab3c31b7 150660 libdbus-glib-1-doc_0.88-1_all.deb
 4774b6ee208ee7f04e898e8c710c1120d34d830b 225232 libdbus-glib-1-dev_0.88-1_amd64.deb
 6926d0aab89933d19589d77366c2ea0277d54fbf 172516 libdbus-glib-1-2_0.88-1_amd64.deb
 a6bcdaa3ce98c53aac935485ecbd6f55ab353904 277112 libdbus-glib-1-2-dbg_0.88-1_amd64.deb
Checksums-Sha256: 
 7713effdb8ae854d49d0ea8b47db484cace873d0f67fa248cc52e4a22c16a75a 2127 dbus-glib_0.88-1.dsc
 57939e2b567940beb23a52b5f3075743bd25ab203428e1c86f8c773330565737 688611 dbus-glib_0.88.orig.tar.gz
 8fb9aa5c1b7e3b01798ba18f5eebcd0bc2bf587de9089c520c2fd9680255dbe1 18254 dbus-glib_0.88-1.diff.gz
 9f91a6b567529feedf5237441a641a602be9450b41933abcab7747bb29f76cb6 150660 libdbus-glib-1-doc_0.88-1_all.deb
 176f527672e9f5f795e2ba9233ac43efd994f803dba8fada44e467361bbc8fe5 225232 libdbus-glib-1-dev_0.88-1_amd64.deb
 b99cd6999e7e48b7ca395e294ae4d92f3baa077e8b0d14fe2325a030190d72e6 172516 libdbus-glib-1-2_0.88-1_amd64.deb
 662184f321a275f1f98519c1c3c0cea3cb0d9f72f8672bb8ff55cbcd3a80de9a 277112 libdbus-glib-1-2-dbg_0.88-1_amd64.deb
Files: 
 1a6bfa7c15a9937c32bb217fd7f242b7 2127 devel optional dbus-glib_0.88-1.dsc
 7c04ba01df6130c2c4e62f73bea0d0d5 688611 devel optional dbus-glib_0.88.orig.tar.gz
 0f59f6156246b64c7ff634e8a4096910 18254 devel optional dbus-glib_0.88-1.diff.gz
 89a12d8fcbaf9eacc36d4f0722dd8bb6 150660 doc optional libdbus-glib-1-doc_0.88-1_all.deb
 44bcf065408311039dc61254c589a3be 225232 libdevel optional libdbus-glib-1-dev_0.88-1_amd64.deb
 8d6b7117650f79266b04a00425d82281 172516 libs optional libdbus-glib-1-2_0.88-1_amd64.deb
 f66c438d9d7f4d784ed51a57b658b697 277112 debug extra libdbus-glib-1-2-dbg_0.88-1_amd64.deb

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Sep 2010 07:33:25 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:08:57 2019; Machine Name: buxtehude