|Title||dbus-glib security update|
|Name||RHSA-2010:0616||First vendor Publication||2010-08-10|
|Vendor||RedHat||Last vendor Modification||2010-08-10|
Security-Database Scoring CVSS v2
|Cvss vector : (AV:L/AC:L/Au:N/C:N/I:P/A:P)|
|Cvss Base Score||3.6||Attack Range||Local|
|Cvss Impact Score||4.9||Attack Complexity||Low|
|Cvss Expoit Score||3.9||Authentification||None Required|
|Calculate full CVSS 2.0 Vectors scores|
Updated dbus-glib packages that fix one security issue are now available
for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
dbus-glib is an add-on library to integrate the standard D-Bus library with
the GLib main loop and threading model. NetworkManager is a network link
manager that attempts to keep a wired or wireless network connection active
at all times.
It was discovered that dbus-glib did not enforce the "access" flag on
exported GObject properties. If such a property were read/write internally
but specified as read-only externally, a malicious, local user could use
this flaw to modify that property of an application. Such a change could
impact the application's behavior (for example, if an IP address were
changed the network may not come up properly after reboot) and possibly
lead to a denial of service. (CVE-2010-1172)
Due to the way dbus-glib translates an application's XML definitions of
service interfaces and properties into C code at application build time,
applications built against dbus-glib that use read-only properties needed
to be rebuilt to fully fix the flaw. As such, this update provides
NetworkManager packages that have been rebuilt against the updated
dbus-glib packages. No other applications shipped with Red Hat Enterprise
Linux 5 were affected.
All dbus-glib and NetworkManager users are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
Running instances of NetworkManager must be restarted (service
NetworkManager restart) for this update to take effect.
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
5. Bugs fixed (http://bugzilla.redhat.com/):
585394 - CVE-2010-1172 dbus-glib: property access not validated
|Url : https://rhn.redhat.com/errata/RHSA-2010-0616.html|
CWE : Common Weakness Enumeration
|CWE-264||Permissions, Privileges, and Access Controls|
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
|67026||dbus-glib D-Bus GLib Bindings Property Local Access Restriction Bypass|