CVE-2010-1172 dbus-glib: property access not validated
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dbus-glib (Debian) |
Fix Released
|
Unknown
|
|||
dbus-glib (Fedora) |
Fix Released
|
Medium
|
|||
dbus-glib (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Hardy |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Karmic |
Won't Fix
|
Medium
|
Unassigned | ||
Lucid |
Fix Released
|
Medium
|
Jamie Strandboge | ||
modemmanager (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Hardy |
Invalid
|
Undecided
|
Unassigned | ||
Karmic |
Won't Fix
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
network-manager (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Hardy |
Fix Released
|
Undecided
|
Jamie Strandboge | ||
Karmic |
Won't Fix
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Jamie Strandboge |
Bug Description
As also reported in RedHat: https:/
A flaw was recently discovered in dbus-glib where it didn't
respect the "access" flag on properties specified. Basically, core OS
services like NetworkManager which use dbus-glib were specifying e.g. the
"Ip4Address" as read-only for remote access, but in fact any process could
modify it.
A patch is available. However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).
KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager
KNOWN NOT AFFECTED that claim to handle org.freedesktop
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
KNOWN NOT AFFECTED (because I audited them)
* gnome-panel (no dbus properties)
* gnome-system-
PROBABLY NOT AFFECTED
* hal (doesn't claim to handle org.freedesktop
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)
CVE References
visibility: | private → public |
Changed in dbus-glib (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
Changed in dbus-glib (Ubuntu): | |
status: | Confirmed → Fix Committed |
Changed in dbus-glib (Ubuntu Lucid): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in dbus-glib (Ubuntu Hardy): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in dbus-glib (Ubuntu Karmic): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in dbus-glib (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in dbus-glib (Ubuntu Hardy): | |
status: | In Progress → Fix Committed |
Changed in dbus-glib (Ubuntu Karmic): | |
assignee: | Jamie Strandboge (jdstrand) → nobody |
Changed in dbus-glib (Debian): | |
status: | Unknown → Fix Released |
Changed in dbus-glib (Fedora): | |
importance: | Unknown → Medium |
status: | Unknown → Fix Released |
The desktop team recently discovered a flaw in dbus-glib where it didn't respect the "access" flag on properties specified. Basically, core OS services like NetworkManager which use dbus-glib were specifying e.g. the "Ip4Address" as read-only for remote access, but in fact any process could modify it.
I have a patch for dbus-glib (attached). However, due to the nature of the way
dbus-glib works where at build time services generate a C data structure from
XML and embed it into their binary, affected services will need to be rebuilt
(though not patched).
This affected list is for F-12; I think for RHEL5 we just need dbus-glib and NetworkManager.
KNOWN AFFECTED SERVICES:
* DeviceKit-Power
* NetworkManager
* ModemManager
KNOWN NOT AFFECTED that claim to handle org.freedesktop .DBus.Propertie s:
* ConsoleKit (it denies all Properties access using dbus policy)
* gdm (ditto)
* PackageKit (all of the properties on exposed GObjects are G_PARAM_READONLY)
KNOWN NOT AFFECTED (because I audited them) monitor (ditto)
* gnome-panel (no dbus properties)
* gnome-system-
PROBABLY NOT AFFECTED .DBus.Propertie s)
* hal (doesn't claim to handle org.freedesktop
* polkit (uses eggdbus)
* rtkit (doesn't use dbus-glib)
* DeviceKit-disks (all its properties appear to be readonly)
* wpa_supplicant (doesn't implement Properties)
* upstart (doesn't use dbus-glib)