
registry team mailing list archive

[Bug 616517] [NEW] CVE-2010-1172 dbus-glib: property access not validated


*** This bug is a security vulnerability ***

Public security bug reported:

As also reported in RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=585394

A flaw was recently discovered in dbus-glib where it didn't
respect the "access" flag on properties specified. Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g. the
"Ip4Address" as read-only for remote access, but in fact any process could
modify it.

A patch is available.  However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).

KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager

KNOWN NOT AFFECTED that claim to handle org.freedesktop.DBus.Properties:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)

KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-monitor (ditto)

PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop.DBus.Properties)
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
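Because the access flag lives in the introspection XML each service feeds to dbus-binding-tool at build time, the practical triage question is which services declare properties as access="read" and therefore rely on dbus-glib to enforce that (those are the ones that need a rebuild against a fixed dbus-glib). The following audit helper is an added example, not code from the bug report or from dbus-glib; the embedded XML is a constructed sample and the interface and property names in it are illustrative, not taken from any real service.

```python
"""Audit D-Bus introspection XML for declared property access.

Added example (not part of the bug report). Under an unfixed dbus-glib
(CVE-2010-1172) every property reachable through
org.freedesktop.DBus.Properties.Set could be written regardless of the
'access' attribute, so properties declared access="read" are the ones
whose protection silently depended on the library.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling the XML a dbus-glib service passes to
# dbus-binding-tool. Interface/property names are hypothetical.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<node name="/org/example/Device">
  <interface name="org.example.Device">
    <property name="Ip4Address" type="u" access="read"/>
    <property name="Managed" type="b" access="readwrite"/>
    <property name="Secret" type="s" access="write"/>
    <method name="Disconnect"/>
  </interface>
  <interface name="org.example.Other">
    <property name="Udi" type="s" access="read"/>
    <property name="Broken" type="s"/>
  </interface>
</node>
"""


def audit_properties(xml_text):
    """Return (interface, property, access) for every <property> in the XML.

    A missing 'access' attribute is returned as an empty string so the
    caller can flag it; the introspection format requires the attribute.
    """
    root = ET.fromstring(xml_text)
    found = []
    for iface in root.iter("interface"):
        for prop in iface.findall("property"):
            found.append((iface.get("name", ""),
                          prop.get("name", ""),
                          prop.get("access", "")))
    return found


def exposure_report(xml_text):
    """Classify properties by how CVE-2010-1172 affects them.

    'rebuild_required' lists properties declared read-only: a service that
    embeds this XML via dbus-glib must be rebuilt against a fixed library
    for the declaration to mean anything. 'writable_by_design' lists
    properties the service intends to be settable over the bus.
    'missing_access' lists declarations the audit cannot classify.
    """
    report = {"rebuild_required": [], "writable_by_design": [],
              "missing_access": []}
    for iface, name, access in audit_properties(xml_text):
        if access == "read":
            report["rebuild_required"].append((iface, name))
        elif access in ("readwrite", "write"):
            report["writable_by_design"].append((iface, name))
        else:
            report["missing_access"].append((iface, name))
    return report


def main(argv):
    """Audit the XML files named on the command line, or the sample."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv[1:]] \
        or [("<constructed sample>", SAMPLE_XML)]
    for label, text in sources:
        print(f"== {label}")
        for category, props in exposure_report(text).items():
            for iface, name in props:
                print(f"{category:20s} {iface}.{name}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the XML files a package ships for dbus-binding-tool; any entry under rebuild_required means the corresponding service belongs on the "needs rebuild" list above, while a property that is writable by design is unaffected by this bug and only as safe as the GObject setter behind it.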

** Affects: dbus-glib (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Affects: dbus-glib (Fedora)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Red Hat Bugzilla #585394
   https://bugzilla.redhat.com/show_bug.cgi?id=585394

** Also affects: dbus-glib (Fedora) via
   https://bugzilla.redhat.com/show_bug.cgi?id=585394
   Importance: Unknown
       Status: Unknown

** Visibility changed to: Public

-- 
CVE-2010-1172 dbus-glib: property access not validated
https://bugs.launchpad.net/bugs/616517
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Fedora.
