Executive Summary
Summary | |
---|---|
Title | dbus-glib security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0616 | First vendor Publication | 2010-08-10 |
Vendor | RedHat | Last vendor Modification | 2010-08-10 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 3.6 | Attack Range | Local |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated dbus-glib packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: dbus-glib is an add-on library to integrate the standard D-Bus library with the GLib main loop and threading model. NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times. It was discovered that dbus-glib did not enforce the "access" flag on exported GObject properties. If such a property were read/write internally but specified as read-only externally, a malicious, local user could use this flaw to modify that property of an application. Such a change could impact the application's behavior (for example, if an IP address were changed the network may not come up properly after reboot) and possibly lead to a denial of service. (CVE-2010-1172) Due to the way dbus-glib translates an application's XML definitions of service interfaces and properties into C code at application build time, applications built against dbus-glib that use read-only properties needed to be rebuilt to fully fix the flaw. As such, this update provides NetworkManager packages that have been rebuilt against the updated dbus-glib packages. No other applications shipped with Red Hat Enterprise Linux 5 were affected. All dbus-glib and NetworkManager users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Running instances of NetworkManager must be restarted (service NetworkManager restart) for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 585394 - CVE-2010-1172 dbus-glib: property access not validated |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0616.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21016 | |||
Oval ID: | oval:org.mitre.oval:def:21016 | ||
Title: | USN-1138-1 -- dbus-glib vulnerability | ||
Description: | An attacker could send crafted input to applications using DBus-GLib and cause them to crash. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1138-1 CVE-2010-1172 | Version: | 5 |
Platform(s): | Ubuntu 10.04 Ubuntu 8.04 | Product(s): | dbus-glib |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21617 | |||
Oval ID: | oval:org.mitre.oval:def:21617 | ||
Title: | RHSA-2010:0616: dbus-glib security update (Moderate) | ||
Description: | DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0616-01 CESA-2010:0616 CVE-2010-1172 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | NetworkManager dbus-glib |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22928 | |||
Oval ID: | oval:org.mitre.oval:def:22928 | ||
Title: | ELSA-2010:0616: dbus-glib security update (Moderate) | ||
Description: | DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0616-01 CVE-2010-1172 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | NetworkManager dbus-glib |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:28089 | |||
Oval ID: | oval:org.mitre.oval:def:28089 | ||
Title: | DEPRECATED: ELSA-2010-0616 -- dbus-glib security update (moderate) | ||
Description: | NetworkManager: [1:0.7.0-10.el5_5.1] - Rebuild to fix D-Bus property access (for dbus-glib CVE-2010-1172) dbus-glib: [0.73-10] - Add patch to fix CVE-2010-1172 Drop broken-xml.patch which this one now incorporates Resolves: #588397 (and #585395) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010-0616 CVE-2010-1172 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | NetworkManager dbus-glib |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for NetworkManager CESA-2010:0616 centos5 i386 File : nvt/gb_CESA-2010_0616_NetworkManager_centos5_i386.nasl |
2011-08-09 | Name : CentOS Update for dbus-glib CESA-2010:0616 centos5 i386 File : nvt/gb_CESA-2010_0616_dbus-glib_centos5_i386.nasl |
2011-06-03 | Name : Ubuntu Update for dbus-glib USN-1138-1 File : nvt/gb_ubuntu_USN_1138_1.nasl |
2010-08-24 | Name : Fedora Update for DeviceKit-power FEDORA-2010-12863 File : nvt/gb_fedora_2010_12863_DeviceKit-power_fc13.nasl |
2010-08-24 | Name : Fedora Update for dbus-glib FEDORA-2010-12863 File : nvt/gb_fedora_2010_12863_dbus-glib_fc13.nasl |
2010-08-24 | Name : Fedora Update for DeviceKit-power FEDORA-2010-12911 File : nvt/gb_fedora_2010_12911_DeviceKit-power_fc12.nasl |
2010-08-24 | Name : Fedora Update for ModemManager FEDORA-2010-12911 File : nvt/gb_fedora_2010_12911_ModemManager_fc12.nasl |
2010-08-24 | Name : Fedora Update for NetworkManager FEDORA-2010-12911 File : nvt/gb_fedora_2010_12911_NetworkManager_fc12.nasl |
2010-08-24 | Name : Fedora Update for dbus-glib FEDORA-2010-12911 File : nvt/gb_fedora_2010_12911_dbus-glib_fc12.nasl |
2010-08-13 | Name : RedHat Update for dbus-glib RHSA-2010:0616-01 File : nvt/gb_RHSA-2010_0616-01_dbus-glib.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
67026 | dbus-glib D-Bus GLib Bindings Property Local Access Restriction Bypass |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_gdm-100915.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_dbus-1-glib-110325.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_NetworkManager-110325.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0616.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100810_dbus_glib_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2011-06-13 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1138-1.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_gdm-100915.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_dbus-1-glib-110325.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_NetworkManager-110325.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_gdm-100915.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_NetworkManager-100916.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gdm-100930.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_NetworkManager-100901.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_dbus-1-glib-100901.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gdm-101006.nasl - Type : ACT_GATHER_INFO |
2010-08-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-12911.nasl - Type : ACT_GATHER_INFO |
2010-08-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2010-12863.nasl - Type : ACT_GATHER_INFO |
2010-08-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO |
2010-08-12 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:53:43 |
|