Executive Summary

Summary
Title dbus-glib security update
Informations
Name RHSA-2010:0616 First vendor Publication 2010-08-10
Vendor RedHat Last vendor Modification 2010-08-10
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P)
Cvss Base Score 3.6 Attack Range Local
Cvss Impact Score 4.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated dbus-glib packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

dbus-glib is an add-on library to integrate the standard D-Bus library with the GLib main loop and threading model. NetworkManager is a network link manager that attempts to keep a wired or wireless network connection active at all times.

It was discovered that dbus-glib did not enforce the "access" flag on exported GObject properties. If such a property were read/write internally but specified as read-only externally, a malicious, local user could use this flaw to modify that property of an application. Such a change could impact the application's behavior (for example, if an IP address were changed the network may not come up properly after reboot) and possibly lead to a denial of service. (CVE-2010-1172)

Due to the way dbus-glib translates an application's XML definitions of service interfaces and properties into C code at application build time, applications built against dbus-glib that use read-only properties needed to be rebuilt to fully fix the flaw. As such, this update provides NetworkManager packages that have been rebuilt against the updated dbus-glib packages. No other applications shipped with Red Hat Enterprise Linux 5 were affected.

All dbus-glib and NetworkManager users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Running instances of NetworkManager must be restarted (service NetworkManager restart) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

585394 - CVE-2010-1172 dbus-glib: property access not validated

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2010-0616.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21016
 
Oval ID: oval:org.mitre.oval:def:21016
Title: USN-1138-1 -- dbus-glib vulnerability
Description: An attacker could send crafted input to applications using DBus-GLib and cause them to crash.
Family: unix Class: patch
Reference(s): USN-1138-1
CVE-2010-1172
 Version: 5
Platform(s): Ubuntu 10.04
Ubuntu 8.04
 Product(s): dbus-glib
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21617
 
Oval ID: oval:org.mitre.oval:def:21617
Title: RHSA-2010:0616: dbus-glib security update (Moderate)
Description: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
Family: unix Class: patch
Reference(s): RHSA-2010:0616-01
CESA-2010:0616
CVE-2010-1172
 Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): NetworkManager
dbus-glib
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22928
 
Oval ID: oval:org.mitre.oval:def:22928
Title: ELSA-2010:0616: dbus-glib security update (Moderate)
Description: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
Family: unix Class: patch
Reference(s): ELSA-2010:0616-01
CVE-2010-1172
 Version: 6
Platform(s): Oracle Linux 5
 Product(s): NetworkManager
dbus-glib
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28089
 
Oval ID: oval:org.mitre.oval:def:28089
Title: DEPRECATED: ELSA-2010-0616 -- dbus-glib security update (moderate)
Description: NetworkManager: [1:0.7.0-10.el5_5.1] - Rebuild to fix D-Bus property access (for dbus-glib CVE-2010-1172) dbus-glib: [0.73-10] - Add patch to fix CVE-2010-1172 Drop broken-xml.patch which this one now incorporates Resolves: #588397 (and #585395)
Family: unix Class: patch
Reference(s): ELSA-2010-0616
CVE-2010-1172
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): NetworkManager
dbus-glib
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

OpenVAS Exploits

Date Description
2011-08-09 Name : CentOS Update for NetworkManager CESA-2010:0616 centos5 i386
File : nvt/gb_CESA-2010_0616_NetworkManager_centos5_i386.nasl
2011-08-09 Name : CentOS Update for dbus-glib CESA-2010:0616 centos5 i386
File : nvt/gb_CESA-2010_0616_dbus-glib_centos5_i386.nasl
2011-06-03 Name : Ubuntu Update for dbus-glib USN-1138-1
File : nvt/gb_ubuntu_USN_1138_1.nasl
2010-08-24 Name : Fedora Update for DeviceKit-power FEDORA-2010-12863
File : nvt/gb_fedora_2010_12863_DeviceKit-power_fc13.nasl
2010-08-24 Name : Fedora Update for dbus-glib FEDORA-2010-12863
File : nvt/gb_fedora_2010_12863_dbus-glib_fc13.nasl
2010-08-24 Name : Fedora Update for DeviceKit-power FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_DeviceKit-power_fc12.nasl
2010-08-24 Name : Fedora Update for ModemManager FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_ModemManager_fc12.nasl
2010-08-24 Name : Fedora Update for NetworkManager FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_NetworkManager_fc12.nasl
2010-08-24 Name : Fedora Update for dbus-glib FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_dbus-glib_fc12.nasl
2010-08-13 Name : RedHat Update for dbus-glib RHSA-2010:0616-01
File : nvt/gb_RHSA-2010_0616-01_dbus-glib.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
67026 dbus-glib D-Bus GLib Bindings Property Local Access Restriction Bypass

Nessus® Vulnerability Scanner

Date Description
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_gdm-100915.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_dbus-1-glib-110325.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_3_NetworkManager-110325.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0616.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100810_dbus_glib_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-06-13 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1138-1.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_gdm-100915.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_dbus-1-glib-110325.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_NetworkManager-110325.nasl - Type : ACT_GATHER_INFO
2011-05-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_gdm-100915.nasl - Type : ACT_GATHER_INFO
2011-01-21 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_NetworkManager-100916.nasl - Type : ACT_GATHER_INFO
2011-01-21 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gdm-100930.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_NetworkManager-100901.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_dbus-1-glib-100901.nasl - Type : ACT_GATHER_INFO
2010-12-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gdm-101006.nasl - Type : ACT_GATHER_INFO
2010-08-23 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-12911.nasl - Type : ACT_GATHER_INFO
2010-08-23 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-12863.nasl - Type : ACT_GATHER_INFO
2010-08-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO
2010-08-12 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:53:43
  • Multiple Updates