[Pkg-utopia-maintainers] Bug#592753: libdbus-glib-1-dev: CVE-2010-1172 property access not validated

Simon McVittie smcv at debian.org
Thu Aug 12 15:51:14 UTC 2010


Package: libdbus-glib-1-dev
Version: 0.86-1
Severity: grave
Tags: security
Justification: security hole in packages that use it

See <https://bugzilla.redhat.com/show_bug.cgi?id=585394>. Quoting Colin
Walters:

> The desktop team recently discovered a flaw in dbus-glib where it didn't
> respect the "access" flag on properties specified.  Basically, core OS
> services like NetworkManager which use dbus-glib were specifying e.g. the
> "Ip4Address" as read-only for remote access, but in fact any process could
> modify it.
> 
> I have a patch for dbus-glib (attached).  However, due to the nature of the way
> dbus-glib works where at build time services generate a C data structure from
> XML and embed it into their binary, affected services will need to be rebuilt
> (though not patched).
> 
> This affected list is for F-12; I think for RHEL5 we just need dbus-glib and
> NetworkManager.
> 
> KNOWN AFFECTED SERVICES:
> * DeviceKit-Power
> * NetworkManager
> * ModemManager
> 
> KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
> * ConsoleKit (it denies all Properties access using dbus policy)
> * gdm (ditto)
> * PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
> 
> KNOWN NOT AFFECTED (because I audited them)
> * gnome-panel (no dbus properties)
> * gnome-system-monitor (ditto)
> 
> PROBABLY NOT AFFECTED
> * hal (doesn't claim to handle org.freedesktop.DBus.Properties)
> * polkit (uses eggdbus)
> * rtkit (doesn't use dbus-glib)
> * DeviceKit-disks (all its properties appear to be readonly)
> * wpa_supplicant (doesn't implement Properties)
> * upstart (doesn't use dbus-glib)
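The property-access check described above, as an added example that is not part of this bug report or of dbus-glib's own code: it parses a constructed introspection fragment (the XML that dbus-binding-tool compiles into a C table at build time), enforces the "access" flag on Properties.Set the way the unpatched library did not, and lists the properties a service exposes as writable, which is the audit Colin describes. The interface name org.example.Device and the Autoconnect property are hypothetical; only the Ip4Address name comes from the report.

```python
import xml.etree.ElementTree as ET

# Constructed introspection fragment (not taken from NetworkManager).
INTROSPECTION_XML = """<node>
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Autoconnect" type="b" access="readwrite"/>
  </interface>
</node>"""

# The introspection format allows exactly these three access values.
VALID_ACCESS = ("read", "write", "readwrite")


def parse_property_access(xml_text):
    """Map (interface, property) -> access flag, the information that
    dbus-binding-tool records in the generated table at build time.
    Unknown or missing values are rejected rather than silently defaulted."""
    table = {}
    for iface in ET.fromstring(xml_text).iter("interface"):
        for prop in iface.iter("property"):
            key = (iface.get("name"), prop.get("name"))
            access = prop.get("access")
            if access not in VALID_ACCESS:
                raise ValueError("bad access %r on %s.%s" % ((access,) + key))
            table[key] = access
    return table


def writable_properties(xml_text):
    """Audit helper: every property a service lets remote callers change."""
    return sorted(k for k, a in parse_property_access(xml_text).items()
                  if a in ("write", "readwrite"))


class PropertyStore:
    """Minimal server side of org.freedesktop.DBus.Properties."""

    def __init__(self, xml_text, values):
        self.access = parse_property_access(xml_text)
        self.values = dict(values)

    def get(self, iface, name):
        if self.access[(iface, name)] not in ("read", "readwrite"):
            raise PermissionError("%s.%s is write-only" % (iface, name))
        return self.values[(iface, name)]

    def set(self, iface, name, value, enforce_access=True):
        """enforce_access=False reproduces the unpatched behaviour: the flag
        is in the table but never consulted, so read-only properties can be
        overwritten by any caller."""
        if enforce_access and self.access[(iface, name)] not in ("write", "readwrite"):
            raise PermissionError("%s.%s is read-only" % (iface, name))
        self.values[(iface, name)] = value


def set_allowed(store, iface, name, value, enforce_access=True):
    """True if Properties.Set succeeded, False if the access flag refused it."""
    try:
        store.set(iface, name, value, enforce_access)
        return True
    except PermissionError:
        return False
```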