Executive Summary

Summary
Titledbus-glib security update
Informations
NameRHSA-2010:0616First vendor Publication2010-08-10
VendorRedHatLast vendor Modification2010-08-10
Severity (Vendor) ModerateRevision01

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P)
Cvss Base Score3.6Attack RangeLocal
Cvss Impact Score4.9Attack ComplexityLow
Cvss Expoit Score3.9AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated dbus-glib packages that fix one security issue are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

dbus-glib is an add-on library to integrate the standard D-Bus library with
the GLib main loop and threading model. NetworkManager is a network link
manager that attempts to keep a wired or wireless network connection active
at all times.

It was discovered that dbus-glib did not enforce the "access" flag on
exported GObject properties. If such a property were read/write internally
but specified as read-only externally, a malicious, local user could use
this flaw to modify that property of an application. Such a change could
impact the application's behavior (for example, if an IP address were
changed the network may not come up properly after reboot) and possibly
lead to a denial of service. (CVE-2010-1172)

Due to the way dbus-glib translates an application's XML definitions of
service interfaces and properties into C code at application build time,
applications built against dbus-glib that use read-only properties needed
to be rebuilt to fully fix the flaw. As such, this update provides
NetworkManager packages that have been rebuilt against the updated
dbus-glib packages. No other applications shipped with Red Hat Enterprise
Linux 5 were affected.

All dbus-glib and NetworkManager users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
Running instances of NetworkManager must be restarted (service
NetworkManager restart) for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

585394 - CVE-2010-1172 dbus-glib: property access not validated

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2010-0616.html

CWE : Common Weakness Enumeration

idName
CWE-264Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:21617
 
Oval ID: oval:org.mitre.oval:def:21617
Title: RHSA-2010:0616: dbus-glib security update (Moderate)
Description: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
Family: unix Class: patch
Reference(s): RHSA-2010:0616-01
CESA-2010:0616
CVE-2010-1172
Version: 4
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): NetworkManager
dbus-glib
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22928
 
Oval ID: oval:org.mitre.oval:def:22928
Title: ELSA-2010:0616: dbus-glib security update (Moderate)
Description: DBus-GLib 0.73 disregards the access flag of exported GObject properties, which allows local users to bypass intended access restrictions and possibly cause a denial of service by modifying properties, as demonstrated by properties of the (1) DeviceKit-Power, (2) NetworkManager, and (3) ModemManager services.
Family: unix Class: patch
Reference(s): ELSA-2010:0616-01
CVE-2010-1172
Version: 3
Platform(s): Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1

OpenVAS Exploits

DateDescription
2011-08-09Name : CentOS Update for NetworkManager CESA-2010:0616 centos5 i386
File : nvt/gb_CESA-2010_0616_NetworkManager_centos5_i386.nasl
2011-08-09Name : CentOS Update for dbus-glib CESA-2010:0616 centos5 i386
File : nvt/gb_CESA-2010_0616_dbus-glib_centos5_i386.nasl
2011-06-03Name : Ubuntu Update for dbus-glib USN-1138-1
File : nvt/gb_ubuntu_USN_1138_1.nasl
2010-08-24Name : Fedora Update for DeviceKit-power FEDORA-2010-12863
File : nvt/gb_fedora_2010_12863_DeviceKit-power_fc13.nasl
2010-08-24Name : Fedora Update for dbus-glib FEDORA-2010-12863
File : nvt/gb_fedora_2010_12863_dbus-glib_fc13.nasl
2010-08-24Name : Fedora Update for DeviceKit-power FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_DeviceKit-power_fc12.nasl
2010-08-24Name : Fedora Update for ModemManager FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_ModemManager_fc12.nasl
2010-08-24Name : Fedora Update for NetworkManager FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_NetworkManager_fc12.nasl
2010-08-24Name : Fedora Update for dbus-glib FEDORA-2010-12911
File : nvt/gb_fedora_2010_12911_dbus-glib_fc12.nasl
2010-08-13Name : RedHat Update for dbus-glib RHSA-2010:0616-01
File : nvt/gb_RHSA-2010_0616-01_dbus-glib.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
67026dbus-glib D-Bus GLib Bindings Property Local Access Restriction Bypass

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0616.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100810_dbus_glib_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-06-13Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-1138-1.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for gdm
File : suse_11_1_gdm-100915.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for NetworkManager
File : suse_11_2_NetworkManager-110325.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for dbus-1-glib
File : suse_11_2_dbus-1-glib-110325.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for gdm
File : suse_11_2_gdm-100915.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gdm-100930.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_NetworkManager-100916.nasl - Type : ACT_GATHER_INFO
2010-12-02Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_gdm-101006.nasl - Type : ACT_GATHER_INFO
2010-12-02Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_dbus-1-glib-100901.nasl - Type : ACT_GATHER_INFO
2010-12-02Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_NetworkManager-100901.nasl - Type : ACT_GATHER_INFO
2010-08-23Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-12863.nasl - Type : ACT_GATHER_INFO
2010-08-23Name : The remote Fedora host is missing one or more security updates.
File : fedora_2010-12911.nasl - Type : ACT_GATHER_INFO
2010-08-12Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO
2010-08-12Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0616.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:53:43
  • Multiple Updates