[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#700864: pu: package dbus-glib/0.88-2.1+squeeze1

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Moritz asked me to upload dbus-glib to squeeze for #700638 (CVE-2013-0292).
I've already uploaded it, with permission from adsb, since the 6.0.7 point
release is imminent. Debdiff below.

Regards,
    S

diffstat for dbus-glib_0.88-2.1 dbus-glib_0.88-2.1+squeeze1

 dbus-glib-0.88/debian/changelog                                                |    8 +
 debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch |   52 ++++++++++
 2 files changed, 60 insertions(+)

diff -u dbus-glib-0.88/debian/changelog dbus-glib-0.88/debian/changelog
--- dbus-glib-0.88/debian/changelog
+++ dbus-glib-0.88/debian/changelog
@@ -1,3 +1,11 @@
+dbus-glib (0.88-2.1+squeeze1) stable; urgency=low
+
+  * Apply patch from upstream 0.100.1 to fix insufficient checking
+    leading to authentication bypass in pam_fprintd (CVE-2013-0292)
+    (Closes: #700638)
+
+ -- Simon McVittie <smcv@debian.org>  Fri, 15 Feb 2013 17:58:34 +0000
+
 dbus-glib (0.88-2.1) unstable; urgency=high
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- dbus-glib-0.88.orig/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
+++ dbus-glib-0.88/debian/patches/0001-CVE-2013-0292-dbus-gproxy-Verify-sender-of-NameOwner.patch
@@ -0,0 +1,52 @@
+From 166978a09cf5edff4028e670b6074215a4c75eca Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 14 Feb 2013 10:19:34 -0500
+Subject: [PATCH] CVE-2013-0292: dbus-gproxy: Verify sender of
+ NameOwnerChanged signals to be o.f.DBus
+
+Anyone can hop on the bus and emit a signal whose interface is
+o.f.DBus; it's expected at the moments that clients (and notably DBus
+libraries) check the sender.
+
+This could previously be used to trick a system service using dbus-glib
+into thinking a malicious signal came from a privileged source, by
+claiming that ownership of the privileged source's well-known name had
+changed from the privileged source's real unique name to the attacker's
+unique name.
+
+[altered to be NULL-safe so it won't crash on peer connections -smcv]
+Signed-off-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
+---
+ dbus/dbus-gproxy.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dbus/dbus-gproxy.c b/dbus/dbus-gproxy.c
+index 2fc52f9..c3ae9ec 100644
+--- a/dbus/dbus-gproxy.c
++++ b/dbus/dbus-gproxy.c
+@@ -1250,8 +1250,11 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
+       GSList *tmp;
+       const char *sender;
+ 
++      sender = dbus_message_get_sender (message);
++
+       /* First we handle NameOwnerChanged internally */
+-      if (dbus_message_is_signal (message,
++      if (g_strcmp0 (sender, DBUS_SERVICE_DBUS) == 0 &&
++	  dbus_message_is_signal (message,
+ 				  DBUS_INTERFACE_DBUS,
+ 				  "NameOwnerChanged"))
+ 	{
+@@ -1280,8 +1283,6 @@ dbus_g_proxy_manager_filter (DBusConnection    *connection,
+ 	    }
+ 	}
+ 
+-      sender = dbus_message_get_sender (message);
+-
+       /* dbus spec requires these, libdbus validates */
+       g_assert (dbus_message_get_path (message) != NULL);
+       g_assert (dbus_message_get_interface (message) != NULL);
+-- 
+1.7.10.4
+
Reply to: