Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 Mar 2017 20:34:17 +0100
From: Cedric Buissart <cbuissar@...hat.com>
To: oss-security@...ts.openwall.com
Subject: subscription-manager: CVE-2017-2663 unsafe dbus interface

Hi,

CVE-2017-2663 has been assigned for the following issue :

Subscription-manager's new DBus interface provides methods that can be used
for malicious usage. It allows an unprivileged local user to have access to
information known to root only, and/or to modify subscription-manager
configuration file, allowing, for example, privilege escalation.

-> Upstream patch :
 * Lock down Facts object to be accessible to root only.
https://github.com/candlepin/subscription-manager/commit/882bb587a
-> Followed by this one :
 * 1434094: Deny D-BUS Config.Set from non-root
https://github.com/candlepin/subscription-manager/commit/afa0f7afee

Affected versions : from subscription-manager-1.19.0-1 (information
disclosure) & subscription-manager-1.19.3-1 (configuration modification)

Fixed version : subscription-manager-1.19.4-1


Thanks,

-- 
Cedric Buissart,
Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ